[Looking for Charlie's main web site?]

Announcing ColdFusion updates released Aug 20 2024: offers Tomcat upgrade

An update for ColdFusion has been released today for both cf2023 as update 9 and and cf2021 as update 15. In brief, the only change is an update to Tomcat, which underlies traditional CF installations (whether implemented with the ColdFusion installer or zip extraction process). I'll have more to share on the Tomcat aspects of the update below.

[UPDATE since original posting: it's turned out that there's a bug in update 15 of cf2021--which is NOT affecting cf2023 update 9--that causes unexpected remove of 5 packages. There's now a new "known issues" section at the top of update 15's technote discussing the matter, only briefly. The simple solution is to add back the missing packages. For more on the original discovery, see comments below starting Aug 23,three days after this post and the updates release. For more on the root cause and other more automated solutions, see my comments below those, as well as a subsequent post I created. Now, back to my original post's contents.]

In addition, before applying the update note that there are two other things to beware--related to recent previous CF updates, and that whether you are currently running the immediately preceding update (from June) or the one from March or earlier.

Here are the topics covered in this post:

Finding more from Adobe about the update

As with any CF update, you may have noticed the news of the newly available update within your CF Admin. But note that Adobe also posts a new forum discussion thread whenever there is an update, as they did this time: NOW LIVE! Adobe ColdFusion 2023 and 2021 August 2024 general updates. And as they note there, the technote about the update for each CF version is in their respective technotes, including the technote for CF2023 update 9, and the technote for CF2021 update 15. There is information offered in the technotes that is essentially the same for each update, and you should consider that information.

But as is often the case, there is a bit more to consider, and I offer these posts to try to fill in the gaps. :-)

Beware before applying the update

So first, while the update contains "only a tomcat upgrade", note that that is true only if you're coming from the immediately preceding update (from June). And whether you are or not, there are still things to beware:

  • If you ARE NOT on that immediately preceding (June, so CF2023 update 8 or CF2021 update 13) update, you MUST consider the potential breaking changes regarding a change about the CFMX_compat encryption default, as introduced in that June update. I discussed issues related to this in my post about that June update. See as well some additional information I shared in a subsequent blog post, discussing more about dealing with those cfmx_compat issues
  • And if you are NOT EVEN on the update BEFORE THAT (from March, so CF2023 update 7 or CF2021 update 12), then you must also consider the potential breaking changes regarding a change regarding "searching implicit scopes" introduced in that March update. I discussed that update and that issue in my blog post on that March update, and I elaborated still more in a subsequent post, discussing a helpful option to enable logging related to that
  • Finally, whether you ARE coming from EITHER the June update or the March update or any recent previous one, note that if you may have put in place the "patch" to enable logging use of unscoped variables which search for implicit scopes (as discussed in that blog post), then beware that this (and ANY) CF update will REMOVE that patch, such that you will need to add it back, as I discussed in that last blog post I just listed.

More on the Tomcat upgrade aspect of this update

Let's wrap up the post discussing more on the Tomcat upgrade aspect of the update.

On confirming that the Tomcat upgrade is the only change in this August CF update

First, as for the fact that the update includes only a Tomcat upgrade, this is indeed indicated in both the technotes about the update (for each of CF2021 and CF2023) and was also indicated in that CF community forum thread that I also pointed to earlier in this post. Still, like some of you perhaps I wanted to make sure there really was nothing else included. So I asked in that forum thread and Adobe CF team member, Priyank, confirmed in reply that this really was the only change.

Some may also be interested to hear that after asking (and before seeing his reply), I went ahead and compared the files within the update jar (comparing the most recent updates to the previous one). I could see that indeed the only change implemented was about several files in the cfusion/runtime/lib folder, related to Tomcat.

How this Tomcat upgrade incorporates several Tomcat updates

Some may be interested to hear also that the Tomcat upgrade brings us from Tomcat 9.0.85 (which came out in Jan 2024 and was last updated within CF in that March 2024 update) to Tomcat 9.0.93 (which came out earlier in Aug 2024).

And that span of release numbers does indeed incorporate several tomcat releases, whose changes are detailed in this Tomcat change log. While many of the changes are inconsequential to CF (or most CF users), note that there are especially important security-related improvements (discussed in the next section here).

Before I discuss those, I want to help those who may look into the Tomcat change log: note that the document breaks down things into Tomcat-specific categories such as "catalina" and "coyote". Briefly, "catalina" is the underlying Java servlet engine within Tomcat (which is indeed core to CF processing), while "coyote" is the built-in tomcat web server. In the context of ColdFusion (and Lucee), that built-in web server is what most use only for the cf (or lucee) admin.

FWIW, when instead you connect to cf through a web server like IIS or Apache, you may typically use the CF "web server configuration" tool (or in Lucee the Boncode connector tool), and that's what tomcat refers to as the "jk connector"--and technically that jk connector is documented and tracked separately from tomcat itself.

How this Tomcat upgrade implements multiple security fixes

So as I noted in the previous section, among the many changes incorporated in the Tomcat updates between 9.0.85 and 9.0.93 (implemented by this CF update), there are two security-specific matters that the Tomcat team identifies as vulnerabilities, specifically implemented in Tomcat updates 9.0.86 and 9.0.90, as discussed in this section of the Tomcat 9 vulnerabilities page.

If you check that out, you will see that the listed vulnerabilities are classed as "denial of service" issues rather than "remote code execution" or such. I'll leave you to decide how important those matters seem to you, with respect to whether this update "needs to be applied urgently".

On whether this is indeed the "latest" available Tomcat update

Finally, some people will naturally wonder whether this Tomcat update is indeed the "latest" one available for Tomcat. I can say that it is, with respect to the Tomcat 9.0 version that CF currently runs on. Let me explain that and offer just a bit more that may benefit some readers.

I cover here both whether this Tomcat 9.0.93 is that latest Tomcat 9 update, then I discuss also Tomcat 10 (no longer updated), 10.1, and 11 (in beta).

First, as I'd mentioned above, Tomcat 9.0.93 was just released in Aug 2 2024. Kudos for Adobe ensuring that this "pack of Tomcat upgrades" incorporated by this update did include that latest one. But how long will this indeed mean "CF includes the latest Tomcat 9 update"?

Well, to be clear, Tomcat updates are indeed typically released more frequently than cf updates. More important, it's important to clarify that there's no way for users running CF--on its built-in customized Tomcat--to upgrade that Tomcat version ourselves. We MUST wait for Adobe to offer that within a cf update, as they have today.

Second, some may know/notice that Tomcat 9 is not actually "the latest major Tomcat version". That's true: just as CF supports two or more major versions (currently cf2023 and cf2021), so also does tomcat. And indeed there was first a Tomcat 10.0 (last updated in 2022) and now an available Tomcat 10.1 (which like Tomcat 9.0 was also last updated on Aug 2 2024, as I write. And FWIW, note that there is currently no Tomcat 9.1.)

To be clear, Adobe does not yet support Tomcat 10 in its built-in implementation of Tomcat underlying CF. But Adobe has announced at recent conference keynote talks that the NEXT release of cf (generally expected to be cf2025) will be built atop tomcat 10.1. And lastly, while there is indeed a Tomcat 11 which is now in beta (as I write), there's been no discussion (I've heard) of whether/when CF will support/be built atop that.

Hope this news and additional perspective may be helpful. I welcome your feedback. As always, if you may want any help applying this update or any CF (or Java) update, I'm available to help via remote screenshare consulting, with satisfaction guaranteed.

For more content like this from Charlie Arehart: Need more help with problems?
  • If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
  • See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed
Comments
Charlie, as always, thank you for digging into the details of this update and giving us the skinny on it.
# Posted By Rich Toomsen | 8/21/24 9:56 PM
Thanks very much, Rich. I just started considering more and more about the implications of this "Tomcat update", and soon I found I had a lot of info to synthesize and share. :-)

I do sincerely appreciate hearing if people find it beneficial!
Hi Charlie, Im having a strange issue updating our 2021 dev server from HF14 to HF15. Its uninstalling any packages which were updated to version 14 in the last update. In the HF update log I can see its trying to download updated packages-

Downloading the package document-2021.0.15.330303.jarhttps://cfmodules.ad... cannot be downloaded. Error : Not Found.
Downloading the dependent package report-2021.0.15.330303.jarhttps://cfmodules.ad... cannot be downloaded. Error : Not Found.
Downloading the package pdf-2021.0.15.330303.jarhttps://cfmodules.ad... cannot be downloaded. Error : Not Found.
Downloading the package htmltopdf-2021.0.15.330303.jarhttps://cfmodules.ad... cannot be downloaded. Error : Not Found.The package document is marked for uninstallation. Uninstallation will be done, on the next server start.

I've ran the update from the CF Admin website and also via the command line. I've tried setting the packagesurl in the neo_updates.xml to the online repository 'https://www.adobe.co...' and at the local bundlesdependency.json. Each time it attempts to download the version 15 packages listed above. Even though I know this HF doesn't have a package update, which I can see in the bundlesdependency.json.

You may recollect I had issues with the HF13 update removing packages, this turned out to be an issue at Adobe's end which was resolved. Im scratching my head why its trying to download version 15 packages during the update. I've logged the issue with CF Support and waiting to head back.
# Posted By MaxUK | 8/23/24 5:52 AM
I had a similar issue. Ran the update from command line and had the repository stored locally. "packagesurl" was pointed to the local copy. After the update, the 4 packages you mentioned were uninstalled. I had to put them back manually. Never had this issue with any of the past updates.
Do we fid it beneficial- YES.
MY SOP:
1. See there is an update update available.
2. Open the tech note link and read it.
3. Go see what Charlie has to say about it.
4. Plan for the upgrade.
# Posted By Susan | 8/23/24 11:22 AM
Susan, thanks so much. :-) I'm really glad to be able to help. That feedback is more valuable than many will realize. (It can feel like I'm a performer playing to an empty theater/stadium sometimes.)

Roberto and Max, I am working on your issue as well. Will report when I have findings/suggestions, hopefully soon.
Charlie you aren't performing to an empty theater. I do just as Susan said, I wait for your blog post before applying any CF updates... ;)
Thanks, Roberto. And I guess I was referring as much to other posts, rather than just these announcing updates. Always a balancing act, identifying what's worth writing about, how much, etc. As long as some folks do appreciate them, I'm happy to keep offering! :-)
Roberto and Max (and others seeing this), I've been able to recreate the problem you reported. And more than that, I think I can see what's happening. On the surface, it would seem to take a resolution from Adobe (certainly for everyone to benefit), but I (or someone else) may be able to create a modified update installer jar to resolve the problem.

What I've found is that buried deep (deep) inside the hotfix-015-330303.jar there is a bundlesdependency.json which is the crux of the problem. That file names the package updates with the 2021.0.15 name prefixes which really DO NOT exist.

As you note, update 15 had ZERO package updates--it was only this tomcat update, as I had confirmed conclusively in the post above. (If one was coming from an EARLIER update and the updates you skipped DID entail updated packages, then yes applying this update WOULD implement those.)

For Adobe or others, it's that the hotfix-015-330303.jar (which, as many know, is itself simply a compressed file), there is
a Disk1\InstData\ folder, and in THAT there has Resource1.zip, and inside THAT is a $IA_PROJECT_DIR$\hotfix\ folder. Then in THAT is an dist_zg_ia_sf.jar, and then finally it's inside THAT that there is a bundles folder, which has this bundlesdependency.json file.

And I can confirm that in the CF2023 update 9 jar (which doesn't have this problem--and also had NO package updates), this folder (deep inside THAT hotfix-009-330677.jar) has NO such file.

And that's why I'd think if one could delete just that file (but then repackage everything (with the jar inside the zip inside the zip...), perhaps the update would just work.

Or we wait for Adobe to hopefully find this and correct it with a new 2021 update 15 jar. It's happened before. (And I suspect that maybe there was a plan to incorporate package updates and then it was withheld, but this file was left there pointing to package updates that were never implemented in this update.)

We shall see.
Charlie, what you are saying makes complete sense. Thanks for looking into this and clarifying what went wrong!
Hi Charlie, many thanks for investigating this! Good to know its an issue with hotfix 15 for 2021 and hopefully Adobe will resolve soon. Would you mind if I add the details of your explanation to the case I have open? It may expedite a resolution.

As other have commented your blog is invaluable, its always my first port of call after a new update has been released.
# Posted By MaxUK | 8/24/24 2:29 AM
First, Max, thanks. Second, let us know what that ticket ID is. I don't see that you've mentioned it yet. Finally, I'd definitely want to share there what I've found. (And if you'd have offered the ticket I'd have done it already. :-( Or I could once you do.)

But if you would instead, you might want to keep it brief and point to the comment directly for more. For everyone's sake, let me note how the date/time below any comment here is in fact a link to that comment. So mine with the details on my findings is at:

https://www.carehart...
Hi Charlie, thanks. The ticket ID is 128872 and I've passed the blog page link onto CF support along with the date and time of each relevant comment.
# Posted By MaxUK | 8/25/24 3:18 AM
Thanks, Max. But there's no cf bug or feature request at the Adobe tracker site, if we use the standard CF- prefix, CF-128872, or the url:

https://tracker.adob...

And while sometimes that reported "no issue found" error happens for a private bug report, I don't think that's the problem as the number you show doesn't match that of the other cf issues filed there in August, all starting with CF-4223xxx.

I also searched all the other products, in case you somehow picked another. :-)

So can you give us the url to get to wherever it may be that you filed this? Others may want to add votes, subscribe, or just check it out.
Hi Charlie, I've logged my issue with ColdFusion Support via email at - [email protected]. I wasnt aware of the bug tracker site, however after seeing your message have also logged it there-

link https://tracker.adob...
# Posted By MaxUK | 8/26/24 1:48 AM
They now acknowledge that you may need to manually add back some packages. https://helpx.adobe....
Yes, I saw that. Thanks for pointing it out. A couple of things.

First, while there's value in their sharing that workaround (for those wiping up the mess). It doesn't fixing the "broken jar of milk" that's creating the mess, more specifically for others who may apply the update going forward (who often don't read the technotes completely, if at all, before applying an update). :-( And I'd been on client calls until now to address that.

1) So first, I have just emailed them to ask if they plan to solve the root cause problem, versus offering only this manual effort.

2) Even better, I've asked if they could at least show folks that if they go into the cfpm tool, where they can then just do:

install document, htmltopdf, pdf, presentation, print, report

3) That said, while the install command when run INSIDE the cfpm CLI DOES indeed let you specify more than one package to install, sadly there's a bug where if you try to do this from outside the CLI, such as:

C:\ColdFusion2021\cfusion\bin\cfpm install document, htmltopdf, pdf, presentation, print, report

it fails reporting "Invalid command. You have passed more parameters than required." (And the same is true about the "cfpm uninstall" command.)

I have just filed a bug report for that: https://tracker.adob...

Interested folks should add a vote (please).
And Max thanks for your sharing your news of the tracker bug report you created for the original issue being discussed here. I just added a vote AND I also updated it to point out this new info of the last couple of comments (for those who may see that ticket but not this blog post).
As an update to my first comment on 8/28 (on the problem with an imperative "cfpm install" of more than one package), I've learned that for now a workaround is to remove the space after the commas. And that's due to be fixed. Yay on both points. :-)
Copyright ©2024 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting