New updates released for Java 8 and 11, April 20 2021

For those using the Long-term support (LTS) versions of Oracle Java, 8 and 11, please note that there were new updates released last week (Apr 20), specifically Java 11.0.11 and 8.0_291. For more on each, see the:

For some, that's all they need to hear. For others, read on.

What's in the JVM update, do you need to update to it?

Other readers may want to know that the updates address JVM security vulnerabilities, which seem to apply only when the Java security sandbox is used, but I leave readers to decide for themselves whether that means it impacts them or not.

(For my readers running ColdFusion, I can't tell if that means there is an exposure only if the CF Security Sandbox feature is enabled or not.)

In any case, there are also bug fixes in each of the two most recent JVM updates. See the technotes above. One of these changes may be important and could potentially cause compatibility issues.

A key change in this Java update: calls out to TLS 1.1 or 1.0 no longer allowed, by default

This April JVM update is the first to impose an important new change, which fellow CF community contributor Pete Freitag wrote about back on Apr 15 in "TLSv1 and TLSv1.1 Disabled by Default in Java after April 2021". See that post and the JVM update technotes above, which clarify that change.

For CF developers and administrators, this is about any cfhttp calls, any web service calls (cfinvoke/cfobject/createobject), any datasource or mail configuration, etc., where CF is talking to some other server via https. If that server supports only TLS 1.1 or earlier, you will find that calls to that server from CF (Java) will now fail. This is done in the interest of protecting your server from calling other servers that have not been updated for the more secure TLS 1.2 version or above.

The JVM update technotes also discuss how one can "revert" this new behavior, if you must. As they state, "If you encounter issues, you can, at your own risk, re-enable the versions by removing "TLSv1" and/or "TLSv1.1" from the jdk.tls.disabledAlgorithms security property in the java.security configuration file." That file is found in the /conf/security/ folder of the JVM (in a Java 11 JDK, at least), in /jre/lib/security of a Java 8 JDK, or in /lib/security of a Java 8 JRE. Find and make the change, save the file, and then restart CF.
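To audit which servers have had this revert applied, the following added example (not code from this post or the Oracle technotes) parses java.security text and reports which legacy TLS versions are left enabled. The function names are hypothetical and both sample files are constructed; the parser handles only `=` separators, comment lines and backslash continuations.

```python
LEGACY = ("TLSv1", "TLSv1.1")

def logical_lines(text):
    """Yield property lines, skipping comments and joining '\\' continuations."""
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not buf and (not line or line[0] in "#!"):
            continue  # blank line or comment (commented-out examples are ignored)
        # An odd number of trailing backslashes continues onto the next line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def disabled_algorithms(text):
    """Entries of jdk.tls.disabledAlgorithms; the last definition wins."""
    entries = []
    for line in logical_lines(text):
        key, sep, value = line.partition("=")
        if sep and key.strip() == "jdk.tls.disabledAlgorithms":
            entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries

def legacy_reenabled(text):
    """Legacy TLS versions that this java.security text leaves enabled."""
    disabled = set(disabled_algorithms(text))  # exact tokens, not substrings
    return [p for p in LEGACY if p not in disabled]

# Constructed samples, modelled on the layout of a java.security file.
SHIPPED = """\
# Example (commented out, must be ignored):
#   jdk.tls.disabledAlgorithms=MD5, SSLv3
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, \\
    DH keySize < 1024, anon, NULL
"""
REVERTED = """\
jdk.tls.disabledAlgorithms=SSLv3, TLSv1.1, RC4, DES, \\
    DH keySize < 1024, anon, NULL
"""

if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED), ("reverted", REVERTED)):
        print(name, "-> re-enabled:", legacy_reenabled(text) or "none")
```

Matching whole entries matters here: a substring search for "TLSv1" would also hit "TLSv1.1" and wrongly report TLS 1.0 as still disabled in the second sample.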

Should you update to it?

Well, given the security vulnerability indicated to be fixed, as well as the improvement to protect your server from calling out to servers with older, less secure TLS versions, it seems that most would want to update the JVM, just like it's always important to update the JVM.

Speaking again now to my CF readers: to be clear Adobe always supports CF being run on the latest JVM update level that exists, for whatever JVM version is supported by the CF version you are running.

CF2021 and CF2018 support running on Java 11. CF2016 supported running on Java 8 or 11 (once a CF update was performed). So yes, those using CF2021, 2018 and 2016 should at a minimum update to the latest update of whatever JVM version they are using (8 or 11), and those on CF11 or 10 should update to the latest Java 8, if they are running that.

If you wonder "what version of CF supports what version of Java", I have another post I have done with a table which maps CF versions to supported Oracle Java versions.

The importance of testing such updates/changes

Of course, you should also always implement any such significant update or other change in some testing environment, rather than just updating your production server only. At least then you can have some insight into the prospect of the update/change having a perhaps unexpected impact on your application.

Sadly, not everyone is set up to have a test environment, though of course everyone SHOULD. And note that insofar as testing of CF is concerned, you can implement ColdFusion for free on any supported OS (Windows, MacOS, Linux), with its free Developer or Trial editions.

More questions you may surely have, and finding answers to them

And there are certainly other questions which folks will have about JVM updates in general (and especially my CF readers in particular), including more on getting those binaries/installers (from Oracle or Adobe), on the difference between those offered by Adobe and those offered by Oracle, and on the implications of changing CF2016 from Java 8 to Java 11 (supported, but with caveats). They may also have questions on those "currently LTS" versions versus "more recent" Java versions, or on using non-Oracle JVMs, on Oracle licensing matters and still more. Others need help to know how to update the JVM, and some may easily make mistakes that I can help them avoid.

For those, see blog posts I have done regarding past Java updates where I did address those various issues, most recently here on my blog in 2020 and also in the Adobe CF portal, in 2019.

At some point I plan to split those more generic points out into their own post, so I can just point to it whenever I have news of these Java updates, as much of that info doesn't change from update to update.

As my posts above point out, I can also help you directly to apply the JVM updates, rather than leave you having to wade through lots of blog details, via my remote screenshare consulting.

Obtaining the updated Java installers

As I discuss in the other posts I link to above, Adobe has been offering a downloads page with Java installers since 2019.

The updated JVM is finally in place there, as of May 12, 2021. Sadly, as of this writing, that page has NOT yet been updated to offer this new update. I had raised this concern to Adobe days after the update. If ever there are delays, see my post above for discussions I have offered in the past about how the binaries offered at Oracle are identical in my testing. I will update this to strike this paragraph when I see the new downloads are in place.

Keeping the JVM (and CF) updated is like flossing. It may be annoying, but you have to do it or you may eventually suffer consequences. "As always, I just want to help."

For more content like this from Charlie Arehart: Need more help with problems?
  • If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
  • See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed
Comments
Effective Mid-July, 2021, we (Adobe) recommend that our users shift to distributions of the Azul Zulu builds of OpenJDK (https://www.azul.com...) for developing and deploying CFML applications.

The Azul OpenJDK builds are compliant with Oracle Java SE (Standard Edition).

All ColdFusion customers are entitled to use Oracle Java till December 2022.

The usage rights for Oracle Java technology as distributed by Adobe will expire in December 2022.

Pre-release builds are available at https://www.adobepre... for CF2018 and CF2021.
# Posted By Peter Tilbrook | 6/28/21 6:50 PM
Peter, thanks for sharing. (And I believe you are quoting Adobe, rather than indicating that you now work for them, right?) As for that news, thanks for sharing it.

Adobe had also blogged it on the 15th (https://coldfusion.a...), and I've been commenting there (and learning from comments of others) since. I've been planning a blog post of my own and will post it soon, I hope.

I'd not considered mentioning the Azul change in this post on the Apr Java update, but now you have and so all this stands for interested folks to pursue.
# Posted By Charlie Arehart | 6/28/21 7:13 PM
Copyright ©2021 Charlie Arehart