[Looking for Charlie's main web site?]

Why should one be careful about securing ColdFusion ARchive (CAR) files?

You may hear (starting today) about a new admonition (a "strong recommendation") from Adobe that one should be careful to "delete CAR files once they are used". What's that about? And why is it a concern? (And is it ever NOT a concern?) Indeed why is it a new admonition? (To be clear: the recommendation should be heeded even by those using CF versions BEFORE this update and older versions like 11, 10, and so on.)

The TLDR is this: If you create (or are given) a CF "CAR" (ColdFusion ARchive) file, you should treat that as a file that contains passwords, as technically it will, if what was exported into it was in fact any CF Admin setting which holds a password (there are several). No, the passwords are not in plain text within the CAR (which is just a zip). But the info needed to decrypt the passwords is in that file, and the CF Admin INTO WHICH such a CAR is imported will now have those passwords enabled within that CF Admin. Perhaps more dismaying, a savvy coder could easily use that info to convert the "encrypted" passwords into plain text in a single line of code. So one SHOULD indeed take care to secure such CAR files (if not delete them after use).

Do I have your attention now? Just a bit more tldr to preface the post...

Is the concern really unique to CAR files alone? And is deleting the CAR files the only way to "secure" them? No, but a difference is that CAR files may be passed around in a way that other "sensitive" CF files would not be. Indeed, what about the process of simply transporting them from one server to another? Should you be as concerned about that? And what if you don't WANT to delete them, because they hold the CF Admin settings of record for an old CF instance you are removing? Should you even be concerned that a colleague also accessing your CF Admin might now use the info identified here to try to obtain a CAR file and use it in ways they should not? And what can you do to limit that? Finally, what about other tools that can save/transfer admin settings, like CFConfig in commandbox?

If you're interested in what's up (and if you or anyone on your server uses the CF Archive mechanism at all, you should be), then do read on. Same if you are not aware what CAR files are used for, as I will explain.

[....Continue Reading....]

How and why your sites may break, and what to do, after applying March 2020 update to CF2018 or 2016

This is a critical warning to anyone who may apply the recent CF2018 Update 8 or CF2016 Update 14, released Tuesday of this week. To be clear, I do not mean with this warning to suggest that you should NOT apply the update! It implements an important security fix.

Instead, it's that after applying it, your CF web sites served via IIS or Apache WILL likely break initially, until you take one at least and perhaps two extra steps. The good news is that these steps are both easy and documented by Adobe in the update technotes, but they do require that someone do them, if needed. Let me explain.

[Update: I did an abbreviated version of this post on the Adobe CF portal: Three reasons your sites may break, and how to fix them, after applying March 2020 update to CF2018 or 2016. Note I also titled it differently. Just trying many ways to get people's attention. That post may interest some, either to read first (but my TLDR below also tries to abbreviate things also), or especially if you may prefer to give others a link to a post on this matter that is not as "dense" as this one. :-) I do point to this post from there, of course, for the many additional details that some may appreciate.]

Sadly, because many people don't bother to read the CF update technotes (linked to below), and they just apply the CF updates, they are not noticing this issue until they or their users start screaming because their sites are down. There's also a fair bit of "screaming" in the CF community, and folks responding may not know the info that I (or Adobe) have shared, to get things "working again", so I hope this helps bring some calm, and most important the clear solution/s needed.

[....Continue Reading....]

How to solve failing "api" URLs, in CF2016 and 11 (not a problem in CF2018)

If you're trying to run a request against CF 2016 (or perhaps 11), and the URL you're using has a path which starts with /api, you may find that the request fails to run (it may give a blank page). What gives? (It was related to the CF2016 API Manager, not CF's REST services feature.)

And what can you do about it, if you are on CF2016 or 11, and you want to use /api for your URLs? There are are two choices, depending on your needs: in brief, you can either:

  • change your /api folder to a new name (which I realize may not appeal to all to some)
  • or change the CF configuration, to STOP it treating /api specially for the API Manager's use. You would do this by editing two CF config files, urlworkermap.properties and web.xml (but this will break the ability of the API Manager to introspect REST services in CF2016 or CF11, though not CF2018)

TLDR; if you're bold and a risk taker, you can jump to the bottom to see my list of changes to make for that second option. As is often the case, there is risk in making changes in a cavalier fashion. There are various things to consider, and I warn of them below--but the good news is that this is a change that may take only minutes to do, once you've been careful to read about how to do it effectively.

Read on for more, including pros and cons of each choice, what to change and where, why this problem NO LONGER happens from CF2018 onward, and more.

(And if you are not familiar with the CF Enterprise API Manager, which is installed separately from CF, you can read about it here.)

[....Continue Reading....]

When and how to upgrade CF web server connector, easier since CF2016

Did you know that when you update ColdFusion, there is often a need to also update the web server connector (for IIS and/or Apache)? In this post, I discuss how you can know when to do it (Adobe makes that easier since CF2016), as well as how to do it (also easier since CF2016), and why it's important.

[....Continue Reading....]

Preview available for new ColdFusion updates for CF2016 and 2018

Update (Nov 20, 2019): Adobe announced today that they'd come out with the "final" versions of this pair of "preview" updates. If you already applied either one, you don't need to do the update, as they are unchanged from the preview. But do note that if you changed your CF Admin update "settings" feature to point to the new "preview" feed url, you should use the button there to revert back to the default update feed url.

Adobe has announced today (Nov 13, 2019) new preview updates for ColdFusion 2016 (preview update 13) and 2018 (preview update 6).

https://coldfusion.adobe.com/2019/11/preview-builds-coldfusion-2018-release-update-6-and-coldfusion-2016-release-update-13-released

These updates address issues reported with the Sept 2019 updates (which I was tracking and warned about when the update was released). If you experienced any of those or other issues discussed in Adobe's post, you should try out the new updates while they are in this preview mode (to share with Adobe any remaining concerns) over the next couple of weeks.

Notice also my initial comment in that Adobe post, with a couple of potentially important reminders regarding the preview, as well as a reminder of my plea for a new approach to updates that would allow one to select to get only the latest security updates of a new update (deferring any bug fixes or new features to the next update), which could have helped many in the case of the Sept updates, that had so many issues seemingly caused by new features and bug fixes.

Folks may want to hold off on the Sep 24 2019 CF updates

Update (Nov 20, 2019): Adobe announced today that they'd come out with a new set of updates to fix the problems in the Sep 24 updates. Today's updates address the various issues reported below about the Sept update. It's important to proceed with performing the updates, for the benefit of the security updates as I discussed below back in Sept.

I shared here Tuesday the news that Adobe had announced there were new updates for CF2018 and 2016, released that day.

But as has happened every few releases, a lot of folks are reporting various problems, enough for me to say that folks may want to hold off on applying these updates, which I realize is a risky proposition since the update includes security fixes. More on that below.

--
Update Nov 13: Adobe has released a preview of new updates, meant to address the issues in these Sep 2019 updates. For more, see my post: https://www.carehart.org/blog/client/index.cfm/2019/11/13/preview_available_for_new_coldfusion_updates//

Update Sep 27: Adobe has commented below (Sep 27) saying that there are now fixes available for the bugs reported (but that you must request each directly from them, and that an update refresh is not planned). See Vamsee's comment below, and my reply to that (asking for a bit more detail). For now, I have added any links I've seen to fixes for any of these.
--

Of course, if you need something in the update and want to try it, just be sure to do ample testing, and check out some of the problems people are reporting below. And beware that some issues may only happen under load, so you may not find them in your own testing.

Otherwise, let's see if Adobe may either "refresh" the update or may well "pull" it, as they did with the Feb 2019 updates for CF 2016 and 11, when they replaced those with another a week later (see the "Note" about it at the top of that page).

For more, read on.

[....Continue Reading....]

Sep 2019 updates released for CF2018 and CF2016, with a strange twist

Adobe has announced today Sep 24 2019 that there are new updates for CF2018 (update 5) and CF2016 (update 12).

As an update to this post, I have offered a new post, pointing out that many people are having problems with this set of updates here. So I would recommend folks hold off on applying it for now. I will update this (and that) if we hear new info from Adobe.

Beyond adding important security and bug fixes as seems typical, this update offers several new or changed features, as well as updated support for things (such as Java 12), as is also often the case.

Uniquely, though, this update is the first ever to require that you must first have updated to the PREVIOUS update before applying this new one. So those on CF2018 must first be on update 4 before going to this new update 5, while those on CF2016 must be first on update 11 before going to this new update 12.

As always, I share a bit more here, for my readers.

[....Continue Reading....]

Configuring FusionReactor to show "real ip address" when behind a load balancer or other proxy

If your server is behind a load balancer or other sort of proxy, you may have noticed that when you view information about requests in FusionReactor, they all have the same (or nearly the same) IP address. This can be easily fixed, and I show you how in this post.

[....Continue Reading....]

CF2020 to offer still-better deployment on Docker, cloud

There's great news coming regarding Adobe ColdFusion 2020, with regard to deployment of CF via Docker images and/or in the cloud.

Adobe's Director of Engineering for CF, Ashish Garg, recently held a wide-ranging interview with Michaela Light (on the CF Alive podcast) about the CF2020 roadmap. Ashish shared news of some substantial changes planned in the next release regarding modularity in the engine, the size of installers/containers, and their startup time, as well as matters like licensing of containers, logging within them, monitoring of them, and more.

[....Continue Reading....]

Come learn about getting started with CF Docker images at CF Summit 2019

Docker imageI'm terribly behind in announcing it, but I'm thrilled that I've been selected to speak again at Adobe CF Summit 2019, to be held in Vegas Oct 1 and 2 (with the pre-con on Sep 30). Both topics are on using Adobe's ColdFusion Docker images, and are designed for people who have not yet gotten into Docker at all, or for those familiar with Docker but not the Adobe CF images.

After sharing the talk titles and descriptions, first for the hour-long session and then for the day-long pre-conference session, I'll share a couple more thoughts, especially for those considering going to the conference, which I highly recommend.

[....Continue Reading....]

More Entries

Copyright ©2020 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting