Have you had problems installing CF updates, whether the most recent or past ones?

I'll be presenting a talk on this topic, online today, at noon US Eastern, on the CFMeetup Youtube livestream (which will be recorded). Folks who are members of the Online ColdFusion Meetup will have already gotten email notification about this, including the meeting URL, but for those who are not members here are the details:

[....Continue Reading....]

ColdFusion 2025 has been released today, Feb 25 2025. In this post I am not only helping share news of the release, and pointing to available resources, but I also share some thoughts/observations on related matters that may be a bit challenging for most to find more about on their own (if they may only assess a couple of resources, or hear only tidbits shared in social media).

First, for more on the many features and changes, I share many Adobe resources--about which I also offer some additional comment. I also discuss changes regarding OS and DB support as well as the fact that CF2025 now runs on Java 21-- and that the traditional server deployment of CF comes installed atop Tomcat 10.1. I then share still more info on other matters and resources related to the new version.

I then focus on the major change in licensing, for CF2025 and forward, to being subscription only--which I'll note has no effect on those currently running CF2023 or earlier. I share pricing info and also help in assessing differences in the EULA, and more.

Finally I discuss some migration considerations--including important REMOVAL of some older features from CF2025, as CF continues to be made more secure and modernized. I also identify tools and resources to help aid you in that migration, when you're ready to begin attempting it.

For all that and more, read on.

[....Continue Reading....]

An update for ColdFusion has been released today for both cf2023 (update 12) and cf2021 (update 18). In brief, it addresses a P1 (Priority 1, "Critical") security vulnerability, as indicated in the associated ASPB (security bulletin) for the update (CVSS Base Score of 7.4 out of 10).

In this post, I share the details about the update (from Adobe and from others, including pointing to some discussions I've already started online about the update). Note also that while you may read that the update is related to the CF PMT feature, beware presuming it therefore "doesn't apply to you" because you "don't use it". See the next section for more.

Of course, this is terrible timing for an update, but it is what it is. I can report I have installed both updates on multiple machines and operating systems without incident. And I may do a follow-up post on the update as I/we all learn more.

For more details, read on.

[....Continue Reading....]

An update for ColdFusion has been released yesterday for both cf2023 (as update 11) and cf2021 (as update 17). In brief, the update has no security fixes, but it does fix dozens of issues that folks have stumbled over recently. It also upgrades some "OEM" libraries underlying CF, and it offers some modest enhancements.

Also, if you may be skipping to this update from prior to CF2023 update 7 or earlier, or CF2021 update 13 or earlier, please don't apply the update before reading below my discussion about possible breaking changes introduced in those updates from March and June of this year.

For more details, read on.

[....Continue Reading....]

Though the news is a couple of days old, I want to share with my readers that an update for ColdFusion has been released Tuesday, Sep 10, for both cf2023 (update 10) and cf2021 (update 16). In brief, the "only" change is to address a security vulnerability, which is listed in the associated ASPB (security bulletin) for the update as a "critical" severity (CVSS Base Score of 9.8 out of 10)...though curiously that also lists it as being merely a "moderate" priority (3 out of 3).

Also, if you may be skipping to this update from prior to CF2023 update 7 or earlier, or CF2021 update 13 or earlier, please don't apply the update before reading below my discussion about possible breaking changes in those updates from March and June of this year.

And there's still more to consider. Note that if somehow "it's all too much" for you, I can help directly and likely VERY quickly. See my discussion at the bottom here. Otherwise, for the details, read on.

[....Continue Reading....]

If you've recently applied CF2021 update 15 or are planning to, you need to be aware of a known issue which can cause unexpected removal of some CF packages (modules) which occurs upon the CF restart after installing the update: specifically it's the document, htmltopdf, pdf, presentation, print, and report modules. The good news is that these are easily added back, either using the CF Admin or via the cfpm command-line tool (added in CF2021).

In this post, I discuss this issue, those options for adding them back, and I also share how I'd found the underlying root cause of the problem: the update has a mistaken internal indication that these packages were updated in this update, when they were not. I'm hoping that Adobe may soon be fixing the problem by creating a new update file, to at least benefit those doing this update going forward. I'll share also the bug report for that (and another on a related matter, about installing multiple packages via cfpm).

TLDR

If you just want to "solve the problem" caused in applying this update 15, simply go into the CF Admin and its "Package Manager" page, go to its "Available Packages" section, and click each of those to install them. (Couldn't you also click the "Install All" button offered there? Yes, but there are reasons to be careful about that. Couldn't you use the cfpm tool? Again, yes. I will address both these points and more, below.)

[....Continue Reading....]

If you're considering or have already implemented the latest CF updates from June 2024 (CF2023 update 8 and CF2021 update 14), you might have struggled a bit to understand completely what Adobe was getting at in the update technotes, as they can sometimes be rather terse in covering some points (worse, some folks don't even read the technotes before applying the updates). Briefly, a key aspect of the update changes the default algorithm that CF uses--for code that does not specify one, in several CF functions, related to encryption, hashing, or randomization.

As another case where Adobe is opting to sacrifice compatibility for security, the update changes from using the very old default of CFMX_COMPAT (as the default) to using either of a couple different alternatives, depending on the function. And if you're not careful/paying attention, you could break some critical part of your app by applying this update.

TLDR; In this post, I want to share a bit more to help you understand the impact of this update (which I blogged about in June), whether you're a developer or an administrator--and whether you've applied or not yet applied the update. Even if you HAVE done it and "all seems well" (in test or even in prod), do beware there may be nasty problems waiting to bite you that could take time to crop up. I'll explain the issues, and help you find the code using these functions, then help you determine if that code is or IS NOT affected by this change. I'll also discuss some real-world scenarios and challenges, with solutions.

Finally, I'll explain an available JVM arg (-Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE) that can be used to revert this behavior, for those who may feel they need to sacrifice security for compatibility, so as to get to this June update and take their time to address this change in the encryption default. I also explain how the CFMX_COMPAT algorithm DOES still remain available as an option, despite what some have asserted, which may be an acceptable option to use. Then I wrap up with some thoughts on how it may not be so bad that I'm only getting this post out a few weeks after the June update.

For more, read on.

[....Continue Reading....]

Don't miss that Adobe had added a useful feature (a "patch", made available in Apr 2024) to help in identifying any CFML code you may have which refers "implicitly" to scopes that would no longer searched (for any variables without a scope prefix), which is the new default behavior for CF2021, CF2023 and beyond as of the March 2024 updates (updates 13 and 7, respectively).

TLDR; (more on each of these points, in the rest of this post)

• For more on the update and the change regarding searchimplicitscopes, see my blog post on the March update
• By following the simple couple of steps (including downloading a needed "patch" as discussed and linked to below), CF will start logging (to a new unscoped.log) whenever code is run that would access an unscoped variable when that would cause CF to implicitly search through scopes (external to the request) which it would no longer search if "searchimplicitscopes" was false. (To be clear, the new logging only works if searchimplicitscopes is true, otherwise such searching would fail if searchimplicitscopes is false, as is the new default as of the March 2024 updates)
• The "patch" is a jar which you must manually obtain and put into place--it is NOT included with the March 2024 CF update, or any others. The steps are very simple, discussed below or in an Adobe technote that was released in the weeks after the March updates, with the title: View unscoped variables in a log file
• Note that this patch is also NOT included in the June 2024 CF updates, CF2021 update 14 and CF2023 update 8
• Further, beware that if you DO apply any update to CF after applying this patch, that update will REMOVE this "patch" (and any jars in the lib/updates folder which is referred to in the technote). Therefore, you would need to put the jar BACK in manually after any such CF update, for it to continue doing its logging
• Finally, FWIW, note that you can even leverage this patch in the CF two updates PRIOR to the March 2024 updates which introduced the change in the default for searchimplicitscopes, so updates 5/6 and 11/12, respectively. That means someone could also use this patch to test BEFORE moving to either the March 2024 updates or later

Again, more on each of these points below. But for some, the news and the link to the technote (and my couple of tips above) may be all they feel they need to hear. For others, I think more perspective may help, so read on for that.

[....Continue Reading....]

I'm delighted to announce that I've been selected to speak again (for the 12th straight year) at the upcoming Adobe CF Summit conference, to be held in Las Vegas Sep 30-Oct 1.

Actually, I've had two of my talks selected. The first will be a repeat of the one I offered at CFCamp in Germany last month (June), while the second is a brand new talk (and one I've been meaning to offer for a long time):

• Using Redis for session storage in ACF and Lucee: why, and how it's easily done
• Understanding cflocks: how they work/how they can help or hurt

[....Continue Reading....]

This is important news for those using CF's feature to store sessions (session variables for all sessions) in Redis.

Some folks, using it with CF2021 or 2023 found CF was somehow heavily impacting their Redis instance. The good news is that I've found an easy fix/workaround (until Adobe fixes it formally).

For more (including why you may or may NOT be impacted by the issue), read on.

[....Continue Reading....]