
Be aware that updates to ColdFusion 2016 will end Feb 2021

Note: This blog post is from 2020. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Are you still running ColdFusion 2016? Did you know that its "core" support (meaning, public updates from Adobe) will end in just a couple of months, Feb 21 2021? Same for CFBuilder 2016.

The recent release of CF2021 is a great sign for the continued vitality of CF, but this looming deadline is a reminder that as the years roll on, we not only get new versions but we say good-bye to old ones.

Wondering what you can do? or when CF2018 or CF2021 support ends? And what's the difference between "core" and paid Adobe support plans? For more on these, as well as official Adobe documentation that discusses such things, read on.

[Update: CF2016 users got a "reprieve" of sorts when Adobe released updates to CF2021 and 2018 in March 2021 and also offered the final update to CF2016, update 17, chiefly because it addresses a security vulnerability. Sadly, some of the changes in that update (not related to the security fix) were "breaking" changes. For more on that update, see the Adobe blog post from March 2021.]


Why should one be careful about securing ColdFusion ARchive (CAR) files?

Note: This blog post is from 2020.
You may hear (starting today) about a new admonition (a "strong recommendation") from Adobe that one should be careful to "delete CAR files once they are used". What's that about? And why is it a concern? (And is it ever NOT a concern?) Indeed why is it a new admonition? (To be clear: the recommendation should be heeded even by those using CF versions BEFORE this update and older versions like 11, 10, and so on.)


How to solve failing "api" URLs, in CF2016 and 11 (not a problem in CF2018)

Note: This blog post is from 2020.
If you're trying to run a request against CF 2016 (or perhaps 11), and the URL you're using has a path which starts with /api, you may find that the request fails to run (it may give a blank page). What gives? (It was related to the CF2016 API Manager, not CF's REST services feature.)

And what can you do about it, if you are on CF2016 or 11 and you want to use /api for your URLs? There are two choices, depending on your needs. In brief, you can either:

  • change your /api folder to a new name (which I realize may not appeal to some)
  • or change the CF configuration so that it STOPS treating /api specially for the API Manager's use. You would do this by editing two CF config files, urlworkermap.properties and web.xml (but this will break the ability of the API Manager to introspect REST services in CF2016 or CF11, though not in CF2018)

TL;DR: if you're bold and a risk taker, you can jump to the bottom to see my list of changes to make for that second option. As is often the case, there is risk in making changes in a cavalier fashion. There are various things to consider, and I warn of them below; but the good news is that this is a change that may take only minutes to do, once you've been careful to read about how to do it effectively.

Read on for more, including pros and cons of each choice, what to change and where, why this problem NO LONGER happens from CF2018 onward, and more.

(And if you are not familiar with the CF Enterprise API Manager, which is installed separately from CF, you can read about it here.)


When and how to upgrade CF web server connector, easier in recent CF releases

Note: This blog post is from 2019.
Did you know that when you update ColdFusion, there is often a need to also update ("upgrade") the web server connector (for IIS and/or Apache)? Did you know that's gotten easier to do since CF2016 came out?

In this post (updated in Oct 2023, for reasons discussed below), I discuss:


Configuring FusionReactor to show "real ip address" when behind a load balancer or other proxy

Note: This blog post is from 2019.
If your server is behind a load balancer or other sort of proxy, you may have noticed that when you view information about requests in FusionReactor, they all have the same (or nearly the same) IP address. This can be easily fixed, and I show you how in this post.


Updates released today for CF2018, CF2016, and CF11

Note: This blog post is from 2019.
While word has been shared elsewhere about this today already, I wanted to share here also that there were updates released today for CF2018, CF2016, and CF11.

And I share a bit more here, for my readers.


CF updates temporarily missing. Get them here

Note: This blog post is from 2019.
If you've tried to get the update files for CF 2018, 2016, 11, or 10 in recent days, whether from the CF Admin "Updates" page or from the update technote pages, you've found the update jar files are missing and unavailable, due to a temporary problem. Here's how to get them in the meantime.


CF security update (March 1 2019), part 2: further details, prevention, and more

Note: This blog post is from 2019.
This is my part 2 post, which follows on from Part 1, released the night of March 1, when the new CF updates were released as an emergency update. If you've not yet read that, do that first, to get some basic info and the needed context for what follows.

And if you HAVE already read part 1, but did so before Saturday morning, do go back and reread it. I had added some important info that I thought shouldn't wait for Part 2, which I knew could take me a while. See especially the sections there, "A brief introduction to the vulnerability and the fix", "Should you be worried?", and "What if you can't apply the update immediately, and can't wait for part 2?".

And my apologies for the delay in getting part 2 out. For various reasons, including related to additional research work I'm doing on this exploit beyond CF, I was unable to post this then. Better late than never, I hope. Indeed, I had listed quite a lot in Part 1 that I hoped to cover in a part 2. I don't want to delay getting this out any later, so I will get done today what I can and post that, and carry over into a part 3 (or beyond) whatever remains. There are some natural breaks, fortunately. Thanks for your patience.

Following are what I cover here in Part 2:

  • More detail about the vulnerability and what was "fixed"
  • Wouldn't an antivirus package on the server detect this sort of trojan?
  • How to add further protection from it (especially if you may be unable to implement the update for some reason)
  • Considering running a security scan of your CFML code
  • Consider implementing a web application firewall
  • How to prevent execution of the files used in the attack, if they may already be on your server
  • Another benefit of applying the latest updates
  • What about Lucee?


Urgent CF security update released March 1 2019, for CF11/2016/2018, Part 1

Note: This blog post is from 2019.
This is an urgent announcement to ColdFusion users: Adobe has released a security update today, March 1 2019, for CF 11 update 18, CF2016 update 10, and 2018 update 3.

All CF shops are urged to install this update immediately, to implement new protections against a known attack happening in the wild. It's identified in the associated Adobe Product Security Bulletin, APSB19-14, as a priority 1 critical vulnerability.

I will add that I can vouch personally for the significance of the vulnerability, as I reported it to the Adobe Product Security Incident Response Team (PSIRT), and I proposed the fix which was implemented. (I also know what was done specifically to perpetrate the attack, and the very negative consequences of what happened once the server of a client of mine was attacked. You don't want this to happen to you.) I plan to share much more in a part 2 post (now posted, but do see below for the context it builds upon).

(In the meantime, I have tweaked this part 1 since originally posting it, to share more here.)


Are you still running CF11? Beware its countdown clock is ticking

Note: This blog post is from 2018.
For those of you running ColdFusion 11, did you know that the countdown clock is ticking toward its end of support by Adobe?

After April 30, 2019, Adobe will no longer provide any updates for CF11, so there will be no security patches or hot fixes for CF 11 after that. Of course, updates for CF2016 will indeed continue into Feb 2021, while CF2018 updates will continue into July 2023. And we could expect CF2020 (when it comes) to be supported into 2025.

How do I know this? Where does Adobe say it? And can one buy support (yes) to "buy extra time to get such CF11 updates beyond April" (no)? And what about CF11 support for Java 11 (no)? Finally, could you use help in moving off CF11 to CF 2016 or 2018? For more on each of these, read on.

(Update: I should note that Adobe did indeed offer one more update beyond April 2019, in June, when they updated CF2018 and 2016 as well for an important security update. That was a bonus. They have said there really will be no more CF11 updates, as per the original plan.)


Copyright ©2024 Charlie Arehart
BlogCFC was created by Raymond Camden. This blog is running version 5.005.