[Looking for Charlie's main web site?]

Beware you can't install CF updates via the CF Admin after Jul 2023 JVM update

Be aware: if you update ColdFusion to run using the latest JVM updates (released July 18, 2023), you will encounter challenges, which have solutions as I describe here.

You will find that you can no longer INSTALL CF updates via the CF admin, if CF is using this new Java version. And even if the CF update is run from the command line, if using this newer Java version that also will fail. In either case, there is a new JVM argument that solved the problem, as I discuss below.

This is happening in CF2023, 2021, and 2018. (And this may continue to happen with future JVM updates, until Adobe otherwise addresses the problem.)

As an update, you may want to read a more recent post I did on this matter, in October 2023.

As an another update, when I first created this post originally on July 21st, another problem was that you would find that you could no longer use the CF Administrator to download CF updates, if CF was running this new Java version. You would get an error reporting, "Failed Signature verification"--or in some cases you may see only "error failed". But within a couple of weeks, I found that the CF Admin COULD now download updates (including the August 2023 CF update) but the CF update STILL fails to install correctly, as discussed in this post, unless the workaround offered is used.

FWIW, Adobe has also updated the technotes for CF2021 update 10 and CF2023 update 4 with a text box at the top that acknowledges this issue and points to this post for more detail.

In this post, I explain a) what this is all about, then b) how you can fix the problem of INSTALLING the update using the CF Admin, I'll explain how it seems we HAVE to workaround that problem (for now). I also offer a link to a bug report I've filed. I even offer a thought on how this new JVM update may prove over time to affect MORE than just this, and even MORE than just CF (and Lucee) but many java apps. Read on for more.

[....Continue Reading....]

A third Priority 1 CF security update has been released, Jul 19 2023

Just days after two P1 CF security updates were released on Jul 11 and 14, Adobe has released yet another on Jul 19.

Yes, this is shocking. Yes, unless there's a good explanation, I can understand how many would feel "someone on the CF team should be flogged". Don't shoot me: I'm just the messenger. I don't work for Adobe.

But I will add that in this post, besides just sharing news about the update (and more than JUST pointing to the update), I also offer an ADDITIONAL "fix" some will want to consider, to go BEYOND what this update addresses. See the discussion on "blocking the _cfclient query string".

Read on for more, where I cover:

  • Finding more info on this update
  • A suggestion on blocking the _cfclient query string
  • News for those doing manual offline installs: this update DOES have a zip
  • As for doing a Java update along with this update
  • CF2018 WAS indeed also updated

[....Continue Reading....]

A second priority 1 CF security update in one week, released Jul 14 2023

Just days after a P1 security update released on Jul 11, Adobe has released yet another on Jul 14. (I don't recall such a short gap between updates before, so yes: it's unusual.)

For more on the update, and some additional thoughts, read on.

[....Continue Reading....]

P1 security update released Jul 11 2023 for ColdFusion 2023, 2021, and 2018

Folks using CF2023, 2021, or 2018 will want to know that a Priority 1 security update has been released today affecting all 3 releases, update 1 for CF2023 (its first), update 7 for CF2021, and update 17 for CF2018 (its last). The security bulletin indicates that the updates "resolve critical and important vulnerabilities that could lead to arbitrary code execution and security feature bypass".

Update: 3 days after this update, Adobe released yet another, and then 4 days after that they released yet another, both p1 security updates. While I have posts on each of the two subsequent updates, the one on Jul 14 and then the one on Jul 19, the information below is still important and has details that I do not repeat in the later post.

For more resources as well as some additional thoughts on the updates, read on.

[....Continue Reading....]

ColdFusion March 2023 emergency update, and what to do about it

If you've not heard, a new update has been released (March 14, 2023) for ColdFusion 2021 and 2018. Despite what you may hear, this is an URGENT (rated "Priority 1" by Adobe) update that everyone should apply ASAP, for reasons I will explain in this post. In fact, Hackernews reported yesterday (Mar 16) that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) had issued an urgent warning about this, giving federal agencies a deadline to apply the update.

TLDR; For some folks, the above may be all you need to hear: you may be dropping your coffee and donuts now to get the update applied. Still others will see this "huge post" and think, "crap, I don't have time for this". For you, skip to the bottom and its "concluding key points". You can then decide what you think you do or don't "need to know" and pick and choose from the sections as you like.

Finally, for those who prefer because of the importance of all this to be led more carefully through understanding things (in a way that's worked for the many people I have helped so far this week, and is far more than either Adobe or Hackernews has shared), please do read on.

[....Continue Reading....]

Be aware that ColdFusion 2018 end-of-life (and end of updates) is coming July 2023

Are you still running ColdFusion 2018? Did you know that its end-of-life is July 13, 2023? That's the date that "core" support ends--meaning, no more updates from Adobe after that, not even security fixes.

As for CF2021, it gets updates into 2025, and the currently running pre-release of CF2023 is a great sign for the continued vitality of CF. But this looming deadline for CF2018 is a reminder that as the years roll on, we not only get new versions but we must say good-bye to old ones.

Wondering what you can do? or when CF2021 or CF2023 support will end also? And what's the difference between "core" and "extended" support Adobe sells? (The extended support plan does NOT provide updates beyond this coming July.) For more on these, including official Adobe documentation that discusses such things, as well as my thoughts on migration, costs, various options to consider, and more, do read on.

[....Continue Reading....]

What's new in FusionReactor 9.2.0, released Jan 18 2023

If you're a user of the wonderful FusionReactor monitoring and observability solution (for ColdFusion, Lucee, Java servers and more), you may delight in hearing news of a new FusionReactor (FR) version. 9.2.0 was released last week, Jan 18, 2023.

You can learn more (in brief) about what's new in the bullets for 9.2.0 offered at the release notes page.

TLDR: For some folks, news of the new version is all the need to hear. For those who may like to hear a bit more about the update, read on.

[....Continue Reading....]

Special offer: upgrade to ColdFusion 2021 from CF2016 or earlier, saving perhaps thousands of $$

If you're running CF2016 or earlier, now's your chance (though the end of the year Feb 28, 2023) to save potentially thousands of dollars in upgrading to the latest current version, CF2021. Intergral, the folks who make the FusionReactor monitoring tool and service, are again offering a special deal of 25% off to upgrade CF2016 or earlier to CF2021 (a deal which even Adobe does not offer).

Read on for more details.

[....Continue Reading....]

ColdFusion 2021 "refreshed" installers available (with update 5)...but only in one place for now

Update since original posting:
If you find this post in 2023 or beyond and are looking for the CF2021 installers, please read this update before proceeding. I started to get a lot of comments once CF2023 came out. This post is from Oct 2022, about new installers offered at that time, while CF2021 was still the latest version.

To be clear, once Adobe comes out with a new version, they REMOVE the installers of the old version from the public pages of their site. Does that mean you're stuck and CANNOT get the installers, perhaps that "you paid for"? No, it does NOT mean that. You just need to know where to find them.

1) First, if you are the person who BOUGHT CF, then you should have an account at either https://account.adobe.com/products or https://licensing.adobe.com/, and you can find the installers you paid for there.

2) If instead you either DID NOT buy CF (perhaps using the free trial edition), or someone ELSE bought it (maybe you don't know who it is), or you just can't get into that account, note that there is an online repository of old (and new) installers at cfmlrepo.com, which is managed by trusted community members, including myself.

Now, back to what the original post was about...

Here's some surprising news: Adobe has released a "refreshed" installer for CF2021, which includes update 5 (which came out last week) built-in.

Read on for (much) more.

[....Continue Reading....]

I'll be presenting at the online CFMeetup, on Adobe's 'new' CFSetup tool, useful for any CF version

This topic may (should) interest folks using CF2021 or even OLDER CF versions. Did you know there's a command line tool to help view/manage as well as export/import CF Admin settings? I will be presenting a talk on this, Thursday. Anyone can attend online.

Folks who are members of the Online ColdFusion Meetup that I run will already have gotten notification about this, but those who are not:

[....Continue Reading....]

More Entries

Copyright ©2024 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting