ColdFusion (2021 release) Update 2

ColdFusion (2021 release) Update 2

What's new and changed

ColdFusion (2021 release) Update 2 (release date, 14 September, 2021) addresses vulnerabilities that are mentioned in the security bulletin, APSB21-75, and features the following:

Note: The ColdFusion 2021 installers have also been refreshed with this update. The new server installers bundle Update 2 and JDK 11.0.11. The ColdFusion Add-Ons and other installers are bundled with JDK 11.0.11. The refreshed installers are available at ColdFusion downloads.

Licensing and activation changes

Usage data

Send usage data to Adobe ColdFusion licensing servers. For more information, see ColdFusion licensing and activation.

Auto restart instances

Enable if you want the instances to be automatically restarted after activation, deactivation, or changing usage data settings.

ColdFusion AWS Lambda Package

With AWS Lambda package in ColdFusion, you can now invoke cloud based AWS Lambda functions from ColdFusion server. For more information, see get started with ColdFusion AWS Lambda.

For more information, see get started with ColdFusion AWS Lambda.

GUI-based installer changes

The ColdFusion (2021 installer) no longer contains weinre. The change applies to all supported platforms. As a workaround, follow the steps below to setup a local Node server and remote Weinre server:

  1. Install nodejs and weinre.
  2. Download weinre zip and rename it as "node". Copy the file in ColdFusion2021/cfusion.
  3. Platform-specific steps:
  • Non windows: Create a folder called "weinre" inside node and place all the content of "node" folder inside weinre.
  • Windows: Create a folder called "node-module" inside node and weinre inside "node-module",  and copy all the content of "node" folder inside weinre.

CFsetup updates

In Update 2, CFsetup includes the following changes:

  1. Add and manage users. Users can also be granted access to roles and sandboxes.
  2. Add or remove sandbox, set security, block IPs, grant runtime permissions, or block operations.

For more information, see CFsetup configuration tool.

Bugs fixed in this release

Bug ID

Description

Component

CF-4211556

After running one task after another, the On Complete option of a scheduled task is no longer visible in the ColdFusion Administrator

Administrator

CF-4211179

Unable to save Server Settings due to an invalid default value for the option Maximum Pool Size.

Administrator

CF-4205963

Redis Sessions must support SSL/TLS connection over port 6380.

Administrator : Administrator Console

CF-4209616

The SOLR interface has issues with NL locale.

Administrator : Localization

CF-4207973

An exception appears when you dump the results of the function cacheGetAllIds().

Caching

CF-4211954

Some code samples for AWS SNS do not work a expected.

Cloud services

CF-4211482

Unable to install the latest PDF add-ons for Docker.

Containers: Docker

CF-4211421

If the neo-datasource.xml file has the following, then after applying Update 11, 17, or 1, then the ColdFusion Data Source service is unavailable.

Database: General

CF-4210974

After installing ColdFusion, the ODBC Server and ODBC Agent services do not start as expected.

Database: ODBC

CF-4211538

Temporary columns in an ORDER BY clause will be randomly returned in QoQ result set even if they aren’t specified in a SELECT statement.

Database : Query-of-Query(IMQ)

CF-4211472

Locally scoped table names in a Query of Query throws an internal error.

Database : Query-of-Query(IMQ)

CF-4202730

In a query, if you select names with order, the order of names is not as expected.

Database : Query-of-Query(IMQ)

CF-4211229

When using cfspreadsheet to read a file, ColdFusion locks the file.

Document Management : Spreadsheet

CF-4206450

The url for installer docs redirects incorrectly.

Documentation

CF-4210968

ColdFusion 2021 docs mentioning features requiring package must be re-worded in some cases.

Documentation : General

CF-4208032

When copying a file to an AWS S3, the copy operation fails.

File Management : VFS-S3

CF-4211415

The ColdFusion installer does not pick a new port for cfstatport, if the port is already in use

Installation/Config

CF-4210910

On Docker, the installation paths for ColdFusion 2018 and ColdFusion 2021 are different.

Installation/Config

CF-4210996

In some cases, wsconfig causes an error and does not create the connector as expected.

Installation/Config : Connector

CF-4210937

After using ColdFusion 2021 (Japanese installer) and creating the connector with ALL, ColdFusion pages throw Error 404.

Installation/Config : Connector

CF-4210922

Installing ColdFusion also installs ODBC even if the option to install ODBC is disabled.

Installation/Config : Installer

CF-4211830

For complex variable bindings, the final keyword is not honored.

Language

CF-4211478

Erroneous 'final variable modification' exception on arrow function initializer in component mixin.

Language

CF-4212023

If a ColdFusion page does not have a cfapplication tag, the default behavior is to convert formfields with commas into array.

Language

CF-4209676

Function parameters are parsed incorrectly when passing an un-braced arrow-function literal as an argument.

Language : CFSCRIPT

CF-4211579

When you dump a cfcatch object, you get, in addition of the dump, the exception "The getMetaData method was not found".

Language

CF-4211442

Complex object types cannot be converted to simple values

Language

CF-4211070

cfjava/java{} integration does not work as expected with javaSettings loader.

Language

CF-4211248

ColdFusion (2021 release) doesn't function as expected with jsoup element attributes using asList() or iterator().

Language

CF-4211626

An error occurs when attempting to push to a java.util.Stack.

Language : Java Integration

CF-4211423

New cfjava/java{} Integration compile error due to cfsetting enablecfoutputonly="Yes"

Language : Java Integration

CF-4205189

The toString() member function incorrectly returns the memory location instead.

Language : String Functions

CF-4210631

ORM does not support Object[] types as expected.

ORM Support

CF-4211228

Application metadata is not thread safe under high concurrency (ConcurrentModificationException)

Performance

CF-4211113

Every page request calls getRealPath()as part of PathFilter.invoke(), which results in a touch to the file system.

Performance

CF-4211876

Mismatch in argument type after installing Update 11 from Update 10 of ColdFusion (2018 release).

REST

Known issues in this release

  1. You are unable to start/stop an instance from the ColdFusion Administrator. As a workaround, ensure that the jvm.config file at <cfroot>/cfusion/bin does not have the -Xdebug java argument configured.
  2. On macOS Big Sur, if you start Apache after configuring a connector, you see a warning message, "No code signing authority for module at /private/etc/apache2/mod_jk.so specified in LoadModule directive. Proceeding with loading process, but this will be an error condition in a future version of macOS."
  3. If you do not have internet access, then on using the REPL mode, you may see a few license-connectivity related logs.
  4. CFM applications that render text encounter an error related to libfontmanager. Oracle JDK-11.0.10 and later for Solaris 11 requires the OS to provide the text shaping library package, Harfbuzz. Release Notes | Download package.
  5. When the multicast port is busy in your environment, there will be errors in logs after restarting the instances that are part of a cluster. To resolve the issue, in the ColdFusion Admin, change the multicast port in the Cluster Manager page.
  6. When applying this update from Update 2 of ColdFusion 2021 through the Administrator, at present, there is no option to select the instances. All the instances will be updated.
  7. Connecting to a MySQL database fails for AWS MySQLon Oracle JRE. After verifying the connection, an error message displays. The issue occurs because the MySQL JDBC driver is unable to connect to SSL over TLS. As of MySQL 5.7.35, as the TLSv1 and TLSv1.1 connection protocols are deprecated. As a workaround, add the parameter enabledTLSProtocols to the jdbc url.
  8. Oracle Java in ColdFusion installers have TLS 1.0 and 1.1 disabled. TLS 1.0 and 1.1 have been deprecated and have been replaced with TLS 1.2 and 1.3. By default, the older versions of TLS are disabled in Java. These versions have now been disabled by default.
  9. Same form fields are treated as arrays when used in Application.cfc. The fields are not part of any UDF or eventhandlers of Application.cfc, even when you set or do not set the flag this.sameformfieldsasarray.
  10. The ColdFusion installer does not pick a new port for cfstatport, if already in use. As a workaround, update the cfstatport value in <cfroot>/lib/neo-metric.xml to 7991 and restart the server.
  11. On a non-Windows platform, while sending message with WebSocket Proxy, if the message contains semi-colons, you must refresh the browser before viewing the message.
  12. If you are installing ColdFusion on macOS, you may encounter issues. As a workaround, before launching the installer, run xattr -rc against the dmg.
  13. When storing a result set in a ColdFusion scope (like local or arguments) and then attempting to run a query of queries on that result set, ColdFusion 2021 produces an error.

Prerequisites

  1. On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
  2. If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
    • http.proxyHost
    • http.proxyPort
    • http.proxyUser
    • http.proxyPassword
  3. For ColdFusion running on JEE application servers, stop all application server instances before installing the update.

Installation

ColdFusion Administrator

In Package Manager > Packages, click Check for Updates in Core Server.

After it detects an update, click Update. The core package gets updated the the latest update.

All installed packages also get updated.

Restart ColdFusion for the changes to take effect.

Install the update in offline mode manually

  1. Download the hotfix installer and repository from the link.
  2. Unzip to a place where it can be accessed by all ColdFusion server instances.
  3. Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerReposityUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.

If the core server hotfix installation is successful and if there are errors  or issues with packages, packages can be installed/updated from the package manager client(cfusion\bin\cfpm.bat|cfpm.sh).

You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.

  • Windows: <cf_root>\jre\bin\java.exe -jar <InstallerReposityUnzippedPath>\bundles\updateinstallers\hotfix-002-328618.jar
  • Linux-based platforms: <cf_root>/jre/bin/java -jar  <InstallerReposityUnzippedPath>/bundles/updateinstallers/hotfix-002-328618.jar

Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.

Install the update from a user account that has permissions to restart ColdFusion services and other configured webservers .

For further details on how to manually update the application, see the help article.

Note:

Updating the core package updates all the packages that were downloaded. Also, updating any package updates the core and rest of the packages. If ColdFusion (2021 release) is on Update 1, installing Update 2 via the admin of any instance updates the core for all other instances present.

Similarly, uninstalling the update from the same instance uninstalls the updates from instances that were updated together.

Note:

If you've created a mapping of the cf_scripts folder, you must copy the contents of the downloaded zip into CF_SCRIPTS/scrips/ajax folder to download the ajax package.

After applying the update, you must upgrade the existing web server connectors.

Post installation

Note:

After applying this update, the ColdFusion build number should be 2021,0,02,328618.

Uninstallation

To uninstall the update, perform one of the following:

  • In ColdFusion Administrator, click Uninstall in Server Update Updates Installed Updates.
  • Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2021-00002-328618/uninstall /uninstaller.jar

If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:

  1. Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
  2. Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2021-00002-328618}/backup directory to {cf_install_home}/{instance_name}/

 Adobe

Get help faster and easier

New user?