[Looking for Charlie's main web site?]

My upcoming talk, "ColdFusion at 25: not the kid most have stuck in their minds"

As you may have heard by now, the free Adobe CF Developer Week 2021 will be held June 22-24. My session will be on June 22 at 4p Central in Track 2. While currently the DevWeek site only offers session titles and speakers (descriptions were added after I posted this: click the + sign to the right of each talk), here is mine, from the "presentations" page here on my site:

ColdFusion at 25: not the kid most have stuck in their minds

As ColdFusion turns 26 next month, many seem stuck remembering it only as the "teen" they knew or even the "child", when instead it's grown up to be a capable "adult", impressive in many ways, and even more so recently. In this session, we'll look back at how CF has indeed evolved into a very capable platform, with quite modern features that seem to surprise many--including people working with it currently. If you struggle "finding CF people" or "getting buy-in", perhaps these observations could help you with both challenges. If nothing else, they're things designed simply to help you get your job done, while keeping up with modern practices.

We'll start with many modern coding techniques--which will be familiar to those using more "modern" languages but that many don't realize CF supports, and may have for years. We'll then look at ways that things such as CF installation/deployment, configuration/administration, monitoring, security, and more have improved over the years. And we'll look not only at CF itself but the community surrounding it, ranging from resources for help and learning to tools and services that others have created, making CF a far more complete ecosystem than most give it credit. Put another way: it's not your father's CF!

I look forward to presenting this topic and hope you'll come check it out.

New updates released for Java 8 and 11, April 20 2021

For those using the Long-term support (LTS) versions of Oracle Java, 8 and 11, please note that there were new updates released last week (Apr 20), specifically Java 11.0.11 and 8.0_291. For more on each, see the:

For some, that's all they need to hear. For others, read on.

[....Continue Reading....]

Confirming ColdFusion's Java version via CFML code

Have you ever wished you could confirm with 100% certainty what Java version is in use by the CF instance you are running? Or where the JVM's location is (in case you are told to modify files related to it)?

Some good news is that ColdFusion offers simple ways/variables that can show you each of these, via CFML code. In this post, I share that. I share first a simple single variable which works in CF2018 and above, then I offer a variation for those on CF2016 and earlier, as well as variations for Lucee.

[....Continue Reading....]

Be aware that updates to ColdFusion 2016 will end Feb 2021

Are you still running ColdFusion 2016? Did you know that its "core" support (meaning, public updates from Adobe) will end in just a couple of months, Feb 21 2021? Same for CFBuilder 2016.

The recent release of CF2021 is a great sign for the continued vitality of CF, but this looming deadline is a reminder that as the years roll on, we not only get new versions but we say good-bye to old ones.

Wondering what you can do? or when CF2018 or CF2021 support ends? And what's the difference between "core" and paid Adobe support plans? For more on these, as well as official Adobe documentation that discusses such things, read on.

[Update: CF2016 users got a "reprieve" of sorts, when Adobe released updates to CF2021 and 2018 in March 2021, and they also offered the final update to CF2016, update 17, especially because it address a security vulnerability. Sadly, some of the changes in the update--not related to the security fix--were "breaking" changes. For more on that update, see the Adobe blog post from March 2021.)

[....Continue Reading....]

Why should one be careful about securing ColdFusion ARchive (CAR) files?

You may hear (starting today) about a new admonition (a "strong recommendation") from Adobe that one should be careful to "delete CAR files once they are used". What's that about? And why is it a concern? (And is it ever NOT a concern?) Indeed why is it a new admonition? (To be clear: the recommendation should be heeded even by those using CF versions BEFORE this update and older versions like 11, 10, and so on.)

The TLDR is this: If you create (or are given) a CF "CAR" (ColdFusion ARchive) file, you should treat that as a file that contains passwords, as technically it will, if what was exported into it was in fact any CF Admin setting which holds a password (there are several). No, the passwords are not in plain text within the CAR (which is just a zip). But the info needed to decrypt the passwords is in that file, and the CF Admin INTO WHICH such a CAR is imported will now have those passwords enabled within that CF Admin. Perhaps more dismaying, a savvy coder could easily use that info to convert the "encrypted" passwords into plain text in a single line of code. So one SHOULD indeed take care to secure such CAR files (if not delete them after use).

Do I have your attention now? Just a bit more tldr to preface the post...

Is the concern really unique to CAR files alone? And is deleting the CAR files the only way to "secure" them? No, but a difference is that CAR files may be passed around in a way that other "sensitive" CF files would not be. Indeed, what about the process of simply transporting them from one server to another? Should you be as concerned about that? And what if you don't WANT to delete them because they hold the CF Admin settings of record for an old CF instance you are removing? Should you even be concerned that a colleague also accessing your CF Admin might now use the info identified here to try to obtain a CAR file and use it in ways they should not? And what can you do to limit that? Finally, what about other tools that can save/transfer admin settings, like CFConfig in commandbox?

If you're interested in what's up (and if you or anyone on your server uses the CF Archive mechanism at all, you should be), then do read on. Same if you are not aware of what CAR files are used for, as I will explain.

[....Continue Reading....]

How and why your sites may break, and what to do, after applying March 2020 update to CF2018 or 2016

This is a critical warning to anyone who may apply the recent CF2018 Update 8 or CF2016 Update 14, released Tuesday of this week (on Mar 20, 2020). And readers in the future should note it will apply if and as you may update CF from any update BEFORE this one to any update AFTER this one.

To be clear, I do not mean with this warning to suggest that you should NOT apply the update! It implements an important security fix.

Instead, it's that after applying it, your CF web sites served via IIS or Apache WILL likely break initially, until you take one at least and perhaps two extra steps. The good news is that these steps are both easy and documented by Adobe in the update technotes, but they do require that someone do them, if needed. Let me explain.

[Update: I did an abbreviated version of this post on the Adobe CF portal: Three reasons your sites may break, and how to fix them, after applying March 2020 update to CF2018 or 2016. Note I also titled it differently. Just trying many ways to get people's attention. That post may interest some, either to read first (but my TLDR below also tries to abbreviate things also), or especially if you may prefer to give others a link to a post on this matter that is not as "dense" as this one. :-) I do point to this post from there, of course, for the many additional details that some may appreciate.]

Sadly, because many people don't bother to read the CF update technotes (linked to below), and they just apply the CF updates, they are not noticing this issue until they or their users start screaming because their sites are down. There's also a fair bit of "screaming" in the CF community, and folks responding may not know the info that I (or Adobe) have shared, to get things "working again", so I hope this helps bring some calm, and most important the clear solution/s needed.

[....Continue Reading....]

How to solve failing "api" URLs, in CF2016 and 11 (not a problem in CF2018)

If you're trying to run a request against CF 2016 (or perhaps 11), and the URL you're using has a path which starts with /api, you may find that the request fails to run (it may give a blank page). What gives? (It was related to the CF2016 API Manager, not CF's REST services feature.)

And what can you do about it, if you are on CF2016 or 11, and you want to use /api for your URLs? There are are two choices, depending on your needs: in brief, you can either:

  • change your /api folder to a new name (which I realize may not appeal to all to some)
  • or change the CF configuration, to STOP it treating /api specially for the API Manager's use. You would do this by editing two CF config files, urlworkermap.properties and web.xml (but this will break the ability of the API Manager to introspect REST services in CF2016 or CF11, though not CF2018)

TLDR; if you're bold and a risk taker, you can jump to the bottom to see my list of changes to make for that second option. As is often the case, there is risk in making changes in a cavalier fashion. There are various things to consider, and I warn of them below--but the good news is that this is a change that may take only minutes to do, once you've been careful to read about how to do it effectively.

Read on for more, including pros and cons of each choice, what to change and where, why this problem NO LONGER happens from CF2018 onward, and more.

(And if you are not familiar with the CF Enterprise API Manager, which is installed separately from CF, you can read about it here.)

[....Continue Reading....]

When and how to upgrade CF web server connector, easier since CF2016

Did you know that when you update ColdFusion, there is often a need to also update the web server connector (for IIS and/or Apache)? In this post, I discuss how you can know when to do it (Adobe makes that easier since CF2016), as well as how to do it (also easier since CF2016), and why it's important.

[....Continue Reading....]

Preview available for new ColdFusion updates for CF2016 and 2018

Update (Nov 20, 2019): Adobe announced today that they'd come out with the "final" versions of this pair of "preview" updates. If you already applied either one, you don't need to do the update, as they are unchanged from the preview. But do note that if you changed your CF Admin update "settings" feature to point to the new "preview" feed url, you should use the button there to revert back to the default update feed url.

Adobe has announced today (Nov 13, 2019) new preview updates for ColdFusion 2016 (preview update 13) and 2018 (preview update 6).

https://coldfusion.adobe.com/2019/11/preview-builds-coldfusion-2018-release-update-6-and-coldfusion-2016-release-update-13-released

These updates address issues reported with the Sept 2019 updates (which I was tracking and warned about when the update was released). If you experienced any of those or other issues discussed in Adobe's post, you should try out the new updates while they are in this preview mode (to share with Adobe any remaining concerns) over the next couple of weeks.

Notice also my initial comment in that Adobe post, with a couple of potentially important reminders regarding the preview, as well as a reminder of my plea for a new approach to updates that would allow one to select to get only the latest security updates of a new update (deferring any bug fixes or new features to the next update), which could have helped many in the case of the Sept updates, that had so many issues seemingly caused by new features and bug fixes.

Folks may want to hold off on the Sep 24 2019 CF updates

Update (Nov 20, 2019): Adobe announced today that they'd come out with a new set of updates to fix the problems in the Sep 24 updates. Today's updates address the various issues reported below about the Sept update. It's important to proceed with performing the updates, for the benefit of the security updates as I discussed below back in Sept.

I shared here Tuesday the news that Adobe had announced there were new updates for CF2018 and 2016, released that day.

But as has happened every few releases, a lot of folks are reporting various problems, enough for me to say that folks may want to hold off on applying these updates, which I realize is a risky proposition since the update includes security fixes. More on that below.

--
Update Nov 13: Adobe has released a preview of new updates, meant to address the issues in these Sep 2019 updates. For more, see my post: https://www.carehart.org/blog/client/index.cfm/2019/11/13/preview_available_for_new_coldfusion_updates//

Update Sep 27: Adobe has commented below (Sep 27) saying that there are now fixes available for the bugs reported (but that you must request each directly from them, and that an update refresh is not planned). See Vamsee's comment below, and my reply to that (asking for a bit more detail). For now, I have added any links I've seen to fixes for any of these.
--

Of course, if you need something in the update and want to try it, just be sure to do ample testing, and check out some of the problems people are reporting below. And beware that some issues may only happen under load, so you may not find them in your own testing.

Otherwise, let's see if Adobe may either "refresh" the update or may well "pull" it, as they did with the Feb 2019 updates for CF 2016 and 11, when they replaced those with another a week later (see the "Note" about it at the top of that page).

For more, read on.

[....Continue Reading....]

More Entries

Copyright ©2021 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting