[Looking for Charlie's main web site?]

Updates released for ColdFusion 2023/2021, today June 11 2024, and another possible breaking change

This is another important heads-up for my readers: there was an important security update released today by Adobe for ColdFusion 2023 (its update 8) and 2021 (its update 14). Just like the recent updates in March, this one again has a potential breaking change (trading away compatibility for the sake of security), and it adds yet another JVM arg that allows you to "revert" to the previous default behavior--to let you benefit from OTHER security aspects of the update, while you give time to addressing what should be changed.

In this case, it's about if you use CF encryption-related functions, the default encryption algorithm is changing--and that means that those who encrypt/decrypt data in their apps MUST take steps before applying this updates. For more, read on.

[....Continue Reading....]

Workaround for performance issue in CF's use of Redis for sessions

This is important news for those using CF's feature to store sessions (session variables for all sessions) in Redis.

Some folks, using it with CF2021 or 2023 found CF was somehow heavily impacting their Redis instance. The good news is that I've found an easy fix/workaround (until Adobe fixes it formally).

For more (including why you may or may NOT be impacted by the issue), read on.

[....Continue Reading....]

Bug I've reported: Adobe Tracker email notifications seem to have ceased in 2024

I just posted this bug report, but I want to mention it here not only to spread the news of the issue but also to ask whether others can confirm the issue. For more, here is the tracker ticket:


If you have experienced the issue, please add a vote to the ticket.

[....Continue Reading....]

Bug I've reported: CF Admin update page mistakenly lists current version in "Available Versions"

If you use the CF Admin to perform CF updates (vs updating via the command line), has it ever confused or annoyed you that the CF admin update page lists the currently installed version as the first value in "available versions"? That's illogical and confusing.

And it seems easily solved: they should just list the installed version on its own line on the page, above the dropdown.

If you agree that this should be addressed, please do add a vote at the tracker ticket I just posted:


Sometimes Adobe only implements changes if many ask for it (though sadly, as in this case, some just grumble at an annoyance they may hit only rarely and they move on without ever reporting it. I didn't find anyone else having reported this there, before I created my ticket.)

If you need more info to understand the problem, I'll save you going to look at the ticket by repeating here what I wrote there:

[....Continue Reading....]

New updates released for Java 8, 11, 17, 21, and 22 as of Apr 16 2024: resources and thoughts

It's that time again: there are new JVM updates released today (Apr 16, 2024) for the current long-term support (LTS) releases of Oracle Java, 8, 11, 17, and 21, as well as the new short-term release 22.

TLDR: The new updates are 1.8.0_411 (aka 8u411), 11.0.23, 17.0.11, 21.0.3, and 22.0.1 respectively). Crazy that there are now 5 current Java releases, I realize. More below, including more on each of them including what changed and the security fixes they each contain (including their CVE scores regarding urgency of concerns), offered in Oracle resources I list below. Oracle calls these updates "critical patch updates" (yep, CPU), but they are in fact scheduled quarterly updates, so that "critical" nomenclature may sometimes be a bit overstated. And as is generally the case with these Java updates, most of them have the same changes and fixes across the four JVM versions, though not always.

For some folks, that's all they need to hear. For others, read on.

[....Continue Reading....]

Recordings available for the recent 17-session Adobe ColdFusion Summit Online 2024

If you may have missed the news, Adobe recently held an online event over several weeks (Mid-Feb to Mid-March) where they had most of the presenters from the Adobe CF Summit 2023 in Vegas give repeats of their talks. Of course, it's a great way for those who can't attend the event to see the talks--and for the presenters it can be a great chance to tweak their talks since giving them a few months before.

And the recordings are all available online, and here's how to find them.

[....Continue Reading....]

Delighted to be presenting at CFCamp 2024, on "Using Redis for session storage in ACF and Lucee"

I'm delighted to share the news that I've been selected to be a presenter again at the wonderful CFCamp event, being held again June 13-14 in Munich, Germany. (I got the news last week but have been overwhelmed with recent work, so I've been behind posting such news. I have still more to come.)

As one of the premier conferences for both Adobe ColdFusion and Lucee, I highly recommend you attend the event if you can. Plus, if you don't live in Europe it's a great excuse to vacation on the continent and be tax-deductible at the same time! :-)

My talk this year (my 8th straight appearance at the event) will be a new one for me. Here are the details:

[....Continue Reading....]

Speaking online tonight at MMCFUG, on "What if no one is monitoring your DB server?"

Just wanted to share news for my readers here that tonight (Apr 9 at 7pm US Eastern time) I will be presenting at the online meeting of the Mid-Michigan CFUG, on the topic, "What if no one is monitoring your DB server?".

Anyone can join in live, and the meeting will also be recorded and posted eventually at their Youtube Channel.

Here's the description for my talk, which is also offered on my site's presentations page:

[....Continue Reading....]

Updates released for ColdFusion 2023/2021, Mar 12 2024, possible breaking change, solutions

This is a very important heads-up for my readers: there was an important security update released today by Adobe for ColdFusion 2023 (update 7) and 2021 (update 13). While as always there's much to say about what's changed in this update, I want to make this important clarification:

It's very important that people read the technote before "just applying this update". There is a very important (and fundamental) change in how CFML processes variables, with regard to searching for scopes when no scope is indicated on a variable name. It's NOT that you "must scope all your variables", as some are asserting. But it's still almost certainly a BREAKING change in many CF apps, if they use unscoped variables under certain conditions (that I discuss below). The change is for the sake of security, but it's just one aspect of the security fixes in this update.

Anyway, there are 3 things you can consider doing to rectify/work-around this breaking change, as I discuss below (or see the update technote, for this and more). And you may reasonably wonder what the implications would be of using the workarounds. You may also wonder if this scope matter relates to the CVE listed in the APSB (linked to below). That's currently unclear. It does not. As well, note that the Adobe security bulletin (link below) shows the security fix to be only a P3 (priority 3, the lowest severity), not a P1 (priority 1, the highest), though it IS regarded as "critical".1

But then there are still other aspects of the update beyond this scope matter, and you should be aware of those also.

For more, read on.

[....Continue Reading....]

Recent critical Lucee security vulns: make sure you're protected, finding out more about them

There has been important news released (this week and last week) about a critical Lucee security vuln (an RCS or remote code execution vuln). You'll want to make sure your Lucee instances are protected either by updates or configuration (or both). There are actually 3 matters to beware.

[....Continue Reading....]

More Entries

Copyright ©2024 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting