For some, that's all they need to hear. For others, read on.
What's in the JVM update, and do you need to update to it?
Other readers may want to know that the updates address JVM security vulnerabilities, which appear to be limited to cases where the Java security sandbox is used, but I leave readers to decide for themselves whether that means it impacts them or not.
(For my readers running ColdFusion, I can't tell if that means there is an exposure only if the CF Security Sandbox feature is enabled or not.)
In any case, there are also bug fixes in each of the two most recent JVM updates. See the technotes above. One of these changes may be important and could potentially cause compatibility issues.
A key change in this Java update: calls out to TLS 1.1 or 1.0 no longer allowed, by default
This April JVM update is the first to impose an important new change, which fellow CF community contributor Pete Freitag wrote about back on Apr 15: TLSv1 and TLSv1.1 Disabled by Default in Java after April 2021. See that post and the JVM update technotes above, which clarify the change.
For CF developers and administrators, this is about any cfhttp calls, any web service calls (cfinvoke/cfobject/createobject), any datasource or mail configuration, etc., where CF is talking to some other server via HTTPS. If that server supports only TLS 1.1 or earlier, you will find that calls to that server from CF (Java) will now fail. This is done in the interest of protecting your server from calling other servers that have not been updated to the more secure TLS 1.2 or above.
Both Pete's post and the JVM update technotes also discuss how one can "revert" this new behavior, if you must. As the technote states, "If you encounter issues, you can, at your own risk, re-enable the versions by removing "TLSv1" and/or "TLSv1.1" from the jdk.tls.disabledAlgorithms security property in the java.security configuration file."
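To see what the change above actually means at runtime, here is a small diagnostic I have added for this post; it is not code from the JVM technotes, from Pete's post, or from ColdFusion. It reads the jdk.tls.disabledAlgorithms security property the technote refers to, reports which TLS versions the running JVM will refuse, and contrasts the protocols the JVM supports with the ones it enables by default. If you pass a hostname as an argument (the hostname and port are assumptions; use one of the servers your own cfhttp, web service, datasource or mail calls talk to), it performs a TLS handshake the same way a CF outbound call would and prints the negotiated protocol, or the handshake failure you would otherwise first see in the CF logs. The class name TlsPolicyCheck is mine.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (not from the post or the JDK technotes): report the JVM's
 * TLS version policy and optionally test an outbound handshake with it.
 *
 * Run with the JVM that ColdFusion uses, e.g.
 *   <cf_home>/jre/bin/java TlsPolicyCheck.java some.partner.example.com
 * so that the java.security file being inspected is the one CF reads.
 */
public class TlsPolicyCheck {

    // The protocol names as they appear in jdk.tls.disabledAlgorithms.
    private static final String[] TLS_VERSIONS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"};

    /** Report which TLS versions the security policy of this JVM disables. */
    static void reportPolicy() {
        // Security.getProperty returns the effective value: the java.security
        // file, with backslash line continuations already joined, plus any
        // override supplied via -Djava.security.properties=<file>.
        // After the April 2021 updates this value starts (abbreviated) with:
        //   SSLv3, TLSv1, TLSv1.1, ...
        // Reverting, as the technote describes, means removing the TLSv1 and/or
        // TLSv1.1 entries from that list in the java.security file.
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("jdk.tls.disabledAlgorithms = " + disabled);

        // Entries are comma separated; some carry constraints ("DH keySize < 1024"),
        // so compare whole entries rather than substrings.
        List<String> disabledEntries = Arrays.asList(disabled.split("\\s*,\\s*"));
        for (String version : TLS_VERSIONS) {
            boolean blocked = disabledEntries.contains(version);
            System.out.println("  " + version + ": " + (blocked ? "DISABLED by policy" : "allowed"));
        }
    }

    /** Show that the JVM still supports the old versions; the policy just keeps them off by default. */
    static void reportContextDefaults() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Supported protocols: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("Enabled by default:  "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
    }

    /**
     * Perform one handshake using the JVM's default policy, exactly as an outbound
     * CF call over HTTPS would. A server that only offers TLS 1.0/1.1 fails here
     * with an SSLHandshakeException after the update.
     */
    static void probe(String host, int port) {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();
            System.out.println(host + ":" + port + " negotiated "
                    + socket.getSession().getProtocol() + " with "
                    + socket.getSession().getCipherSuite());
        } catch (Exception e) {
            // This is the failure a cfhttp / web service / datasource call would surface.
            System.out.println(host + ":" + port + " handshake FAILED: " + e);
        }
    }

    public static void main(String[] args) throws Exception {
        reportPolicy();
        reportContextDefaults();
        if (args.length > 0) {
            // Port 443 is an assumption; pass host:port to override.
            String[] parts = args[0].split(":", 2);
            int port = parts.length == 2 ? Integer.parseInt(parts[1]) : 443;
            probe(parts[0], port);
        }
    }
}
```

The useful distinction the output makes is that the old versions remain in the supported list but drop out of the enabled list; the JVM has not lost the ability to speak TLS 1.0/1.1, the policy file simply refuses to use them. Running the probe against each server your CF instance calls, before you roll the JVM update to production, tells you which of those partners still needs to move to TLS 1.2 rather than you having to weaken the policy.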
Should you update to it?
Well, given the security vulnerability indicated as fixed, as well as the improvement that protects your server from calling out to servers with older, less secure TLS versions, it seems that most would want to update the JVM, just as it's always important to keep the JVM updated.
Speaking again now to my CF readers: to be clear, Adobe always supports CF being run on the latest JVM update level that exists, for whatever JVM version is supported by the CF version you are running.
CF2021 and CF2018 support running on Java 11. CF2016 supported running on Java 8 or 11 (once a CF update was performed). So yes, those using CF2021, 2018 and 2016 should at a minimum update to the latest update of whatever JVM version they are using (8 or 11), and those on CF11 or 10 should update to the latest Java 8, if they are running that.
If you wonder "what version of CF supports what version of Java", I have another post with a table which maps CF versions to supported Oracle Java versions.
The importance of testing such updates/changes
Of course, you should also always implement any such significant update or other change in a testing environment first, rather than updating only your production server. At least then you have some insight into whether the update or change has an unexpected impact on your application.
Sadly, not everyone is set up with a test environment, though of course everyone SHOULD be. And note that insofar as testing of CF is concerned, you can run ColdFusion for free on any supported OS (Windows, macOS, Linux) with its free Developer or Trial editions.
More questions you may surely have, and finding answers to them
And there are certainly other questions which folks will have about JVM updates in general (and especially my CF readers in particular), including more on getting those binaries/installers (from Oracle or Adobe), on the difference between those offered by Adobe and those offered by Oracle, and on the implications of changing CF2016 from Java 8 to Java 11 (supported, but with caveats). They may also have questions on the "currently LTS" versions versus "more recent" Java versions, on using non-Oracle JVMs, on Oracle licensing matters, and still more. Others need help knowing how to update the JVM, and some may easily make mistakes that I can help them avoid.
At some point I plan to split those more generic points out into their own post, so I can just point to it whenever I have news of these Java updates, as much of that info doesn't change from update to update.
As my posts above point out, I can also help you directly to apply the JVM updates, rather than leave you having to wade through lots of blog details, via my remote screenshare consulting.
Obtaining the updated Java installers
As I discuss in the other posts I link to above, Adobe has been offering a downloads page with Java installers since 2019.
The updated JVM is finally in place there, as of May 12, 2021.
Sadly, as of this writing, that page has NOT yet been updated to offer this new update. I had raised this concern to Adobe days after the update. If ever there are delays, see my post above for discussions I have offered in the past about how the binaries offered at Oracle are identical in my testing. I will update this to strike this paragraph when I see the new downloads are in place.
Keeping the JVM (and CF) updated is like flossing. It may be annoying, but you have to do it or you may eventually suffer consequences. "As always, I just want to help."
More content like this is available from Charlie Arehart on his blog.