Charlie Arehart - Server Troubleshooting - hotfix

Hotfix released for CF2021 date-mask compatibility issue

Mon, 07 Dec 2020 22:28:00 -0500

Good news to share: if you're concerned about being impacted by a pressing compatibility issue in ColdFusion 2021 (regarding using "D" in a dateformat mask), Adobe released a fix for the problem last week. There are 3 simple steps to implementing that fix, one of which is a JVM arg change to that YOU MUST MAKE--even with the "fix" in place--if you want to revert the behavior. Or you can change your CFML code to get around the problem, as I also discuss below. [Update: As of Mar 2021, Adobe now offers implements this "hotfix" into CF2021 Update 1 (and above). You DO still need to add the JVM arg discussed, if you want to revert the behavior: -Dcoldfusion.datemask.useDasdayofmonth=true It's just that yo uno longer need to obtain and implement the specialhotfix jar file I'd announced with this post. Again the update does NOT change the DEFAULT behavior, which is why that JVM arg is still necessary. The rest of the information below applies.] Read on for additional details. [More]

Having issues with the popup calendar feature in CF11 or 2016? There's a fix

Mon, 17 Jul 2017 14:55:00 -0500

If you're using the cfinput type="datefield" feature to popup a calendar and are finding that it's a) not working *at all* in ColdFusion 2016 or b) it showing up but not *correctly* after ColdFusion 11 update 12 or ColdFusion 2016 update 4, there's a fix for both. The first problem was introduced in the CF2016 installer released in Dec 2016, and any after that, where Adobe has literally removed the library used for the calendaring, but you can add it back, as I discuss below. (If you install or installed CF 2016 from the original installer in Feb 2016, you won't see this problem as it wasn't removed then.) The second problem was introduced in those two named updates, and was fixed in the very next updates (CF11 update 13 or CF2016 update 5). And of course, this could also happen if you're moving to CF11 or 2016 for the first time, and someone else had "fully updated" those to that update level before you started testing against it. If you'd like to know more, read on. [More]

How to solve common problems with applying ColdFusion updates

Tue, 06 Sep 2016 13:15:00 -0500

Has this happened to you: you want to apply some update to your current version of CF--and it fails. Ugh. While the ColdFusion admin has a simple update UI mechanism, what can you do if the update fails to apply? Indeed, how can you know if it DID fail? how can you recover? what might you do to prevent a failure? The answers may be simple on the surface, but not obvious to most. And you'll likely be in panic mode. Many find after applying a ColdFusion update that either CF won't start at all, or they can't access the ColdFusion Admin, or some part of CF or their app doesn't work. Or perhaps the problem may not become clear for hours or even days. Typically the issue is that there was an error during the update process which CF attempts, and that might be rather easily confirmed and resolved. In this post, I share several tips and observations related to all this, based on my years of providing remote CF troubleshooting support. [More]

New updates for Coldfusion 11, 10, and 9 (security update for 9, 11; still more for 10)

Tue, 14 Oct 2014 18:05:00 -0500

If you'd not heard the news, there were several updates released today, for CF 11, 10, and 9. As for CF11 and CF9, it's mainly a security update. For CF10, it's got quite a bit more. (And there is another update for CF11 to come in the future which Adobe mentioned when it came out with its first update last month.) For more on each, see below. [More]

Applying hotfixes to ColdFusion 9 and earlier? A guide to getting it right

Fri, 14 Mar 2014 10:37:00 -0500

I realize that title may seem anachronistic. Why talk about hotfixes in CF9 and earlier, in 2014, indeed as CF11/Splendor is in beta? But I'll tell you that I still help people daily who are still on those older releases, and often they have problems that may have long since been solved by a hotfix or a cumulative hotfix they never applied--or may be caused by misapplication of such hotfixes. Of course, in CF10 it's easier now because of the built-in "server updates" feature of the CF Admin. But in earlier releases, it was all on you to both keep up on the updates and to apply them manually. And a lot of people either never bothered, or may have tried and failed, or did it but got it wrong.

What you need to know

So in this blog entry, I some key info that will help you, if you may be in need of applying one or more of those updates to CF9 and earlier. Indeed, I'll point to some past entries I've done where I shared a lot more detail that I find is vital and rarely mentioned when some people try to share just the bare minimum of info (often leaving people hanging). For instance, I'll help you answer such questions as what hotfixes do you already have applied? How do you find out? And you need to know exactly what version of CF you have, whether 9.0/9.0.1/9.0.2, 8.0/8.0.1, 7.0/7.0.1/7.0.2, and so on. I'll explain how to tell and why that's important, and especially when it comes to finding and applying hotfixes. And if you have applied hotfixes, are you sure you have done it right? It's easy to get things wrong and botch things. I'll help you avoid several very common mistakes. (That's why it's so great that CF10 finally handles things for us. But this entry, focused on 9 and earlier, is not the place to discuss concerns with the CF10 hotfix mechanism. If you have questions or concerns about that, see the substantial CF10 Hotfix Installation Guide from Adobe, a 50-question FAQ on all things related to that feature.) I'll also point you to where to find hotfixes and installers for CF9 and earlier (not as easy as it may seem), and still more. If any of that's of interest, and I hope it is if you're on CF9 or earlier, then read on. [More]

Note that ColdFusion 10 Update 13 is "needed" for OS X-only...and some confusion

Sat, 11 Jan 2014 18:15:00 -0500

Some of you may have seen that Adobe released a new hotfix for ColdFusion 10 last night, called Update 13. If you only read the text in the update (shown in the "Server Update" page of the CF admin), you might proceed to apply that update (which is ok). But guess what: it technically only has changes related to Mac OS X (specifically adding support for its Mavericks version). This is addressed if you read the technote that the update text points to, or the Adobe blog entry from last night which announced the update (more on these in a moment.) Those DO indicate that if you are not running that OS, you need not apply the update. (And the day after I wrote this entry, this indication was added to the update text itself.) But what if you are on Windows (or another *nix variant besides OS X)? Should you apply it? What if you do? (there's NO PROBLEM!) What if you don't? And given that the update text says you need to reconfigure the web server connector, do you really need to bother on Windows? And what if you are installing CF10 for the first time, since you DO need to apply updates upon installation? (you can either apply update 13 or 12, but you must apply at least one of them to be fully updated.) As important, how might Adobe have better clarified this~~, and how might they make a simple change now related to that~~ (they since did)? I address in this entry these questions and a few other concerns I have, about confusion that may ensue. [More]

Still more reasons to make sure you have updated your ColdFusion 10 web server connector

Fri, 08 Nov 2013 03:45:00 -0500

Several weeks ago, I did an entry, CF911: Why/when you MUST update the web server connector for #ColdFusion 10, and may have missed it. In this entry, I want to throw in another reason why it's important to make sure you properly update (reconfigure/rebuild/upgrade) your web server connector after applying certain CF10 updates, or if applying only the latest update for the first time to a newly installed CF10 instance. [More]

CF911- Why/when you MUST update the web server connector for ColdFusion 10/11 and may have missed it

Fri, 13 Sep 2013 01:51:00 -0500

Have you installed or updated CF10 (or 11) and found that you still have problems with it running right, even when you have "fully updated" CF10? In this blog entry, I explain how it may NOT be that "CF 10 is broken" but rather that you may have missed an important step when updating it. In brief, a VERY common problem is that while they MAY WELL have applied the provided "updates" for CF, folks often do NOT notice that they may have to (and generally must) "update" the web server "connector" (if they are using an external web server, like IIS or Apache) as a separate manual step, after applying the update. I explain here what that means, how do to it, and why you may miss that you need to. Update in 2019:

Since writing this entry, I did one in 2019 on When and how to upgrade CF web server connector, easier since CF2016, which at least makes it EASIER to upgrade, though much of what I write here still applies. I also updated this post since originally writing it, in ways discussed below.

(Or if you'd rather just have me help you quickly help you analyze and rectify your situation, whether with regard to the connectors or any other CF server troubleshooting, I can do that in a brief consulting session, likely less than an hour, remotely and securely. I provide all the detail here for those who prefer to "go it on their own". For more on my consulting services, including rates, approach, satisfaction guarantee, and more, see the consulting page at carehart.org.) [More]

Speaking at Atlanta ColdFusion User Group tonight on 2 important topics

Wed, 12 Jun 2013 17:20:00 -0500

Just wanted to note that I'll be speaking tonight at the Atlanta CFUG on two important topics:

For more details on the talks, or to get the slides once I post them (likely right after the meeting), please see the links for the two sessions above. And if you may want to attend, please RSVP. I may offer these later on the Online ColdFusion Meetup or perhaps one of the remaining CF conferences this year, if I may be selected to speak.

Java now has a built-in expiration date. What that's about (not obvious at first)

Tue, 11 Jun 2013 14:53:00 -0500

If you may have looked at the release notes for the latest (as of this writing) JVM update (Java 1.7 update 21), you may have noticed that it refers to an "expiration date" for this version of the JVM. What's that about, you may wonder? [More]

CF911 - New Adobe document about ColdFusion security hotfixes, required reading, I'd say

Tue, 21 May 2013 00:12:00 -0500

Here's a new document from Adobe (new as of last week, it seems) that you may have missed, but which I would argue is REQUIRED READING for all CF admins and developers: Important hotfix-related notes for ColdFusion 9 and ColdFusion 10 What is this about? and why is it important? Read on below, as the document itself and current links from Adobe don't quite convey its significance, I think. For more perspective, I discuss below both what has happened to many folks after applying ColdFusion security hotfixes in recent years, and how this document helps. [More]

Part 3 - Adobe hotfix released for "Serious security threat for ColdFusion servers"

Tue, 15 Jan 2013 21:03:00 -0500

Adobe has come out with a new security hotfix for a very serious attack on ColdFusion servers which had hit many (perhaps most) CF shops over the past couple of weeks, and it's vital that all shops apply that fix. (Even if you think you've protected yourself in other ways There is a new Adobe CF blog entry pointing to the new hotfix, and I point that out rather than the technote for the hotfix itself, because as often is the case, there has been some useful discussion related to applying the fix. ~~Indeed, there's a warning I've shared there about a problem (hopefully temporary) with the hotfix file for users of ColdFusion 9.0.2~~. (Update: the confusion about 9.0.2 is resolved. The technote has been corrected. See the comments in the Adobe blog entry for more details.) Users of ColdFusion 10, 9.0.2, 9.0.1, and 9.0 should certainly proceed to implement the fix. I address several questions and other observations about this hotfix below. [More]

Part 2 - Serious security threat for ColdFusion servers [now covered by a hotfix]

Wed, 02 Jan 2013 21:59:00 -0500

Since I posted my entry earlier today about a Serious security threat for #ColdFusion servers [~~not~~ now covered by a hotfix], I have had many questions and discussions which lead me to share more info. At first I was adding these as updates to the previous entry, but I fear that some who may have read it earlier in the day may then miss some of this new info, thus this "Part 2". You will definitely want to read part 1 before proceeding here. [Update: And since writing this entry 2 weeks ago, Adobe has indeed now come out with a hotfix. I have more to say about that in the new Part 3: Adobe hotfix released for "Serious security threat for #ColdFusion servers". While you should proceed to get that fix in place, you'll likely benefit from reading parts 1, 2, and 3, as there's more discussed than just the thread and fix, itself, which could benefit you down the road.] Among the new information shared below are such things as how the hack worked (not too much detail, though), how to determine what the exploit may have exposed, how to handle resolving things for many sites via scripting, how to lock down the /adminapi, /administrator, and /componentutils directories, and most important, why you should not skip all this just because "we already block all access to the CFIDE/adminapi" (and /administrator and /componentutils)". There may be exposure you're not considering. [More]

Serious security threat for ColdFusion servers [now covered by a hotfix]

Wed, 02 Jan 2013 13:35:00 -0500

Hey folks, there's a fairly serious security threat out in the wild, and you may want to check if your server's been hit. (It may be old news to some, but for now it's hitting people in the past week or so.) It's been confirmed to have hit at least CF9 (9.01 and 9.0.2) servers, but it seems it would apply to as well to CF10 or down to CF 7, as it leverages the Admin API. ~~And note that it's NOT one that you're protected against by having applied CF security hotfixes.~~ (Updated Jan 15 2013, as Adobe now has a hotfix for this. More below.) There's quite a bit for you to consider regarding this recent threat, as I discuss here. [More]

How to tell what, if any, hotfixes have been applied to ColdFusion (9 and earlier)

Mon, 18 Jun 2012 14:34:00 -0500

I often see people struggling with confusion over what hotfixes have been applied to CF. They may wonder "which have we applied?", or worse, they may not have applied any and just don't know "how to know" whether they have. I have good news, but it may not be the answer most would suspect. The common answer offered is that one should use the "system info" page in the CF Admin, and its available "update level" field. But I will assert that's not the "right answer" after all, or certainly not the "best answer" to really know what hotfixes (plural) have been applied. Know why? If not, I'll explain here, and I'll show what I would say is the "right" answer to "what hotfixes have you applied?" [More]