ColdFusion (2021 release) Update 2
What's new and changed
ColdFusion (2021 release) Update 2 (release date, 14 September, 2021) addresses vulnerabilities that are mentioned in the security bulletin, APSB21-75, and features the following:
- Licensing and activation changes.
- AWS Lambda package.
- cfsetup updates.
- Support for macOS Big Sur (v11.0) and Tomcat 9.0.50.
Note: The ColdFusion 2021 installers have also been refreshed with this update. The new server installers bundle Update 2 and JDK 11.0.11. The ColdFusion Add-Ons and other installers are bundled with JDK 11.0.11. The refreshed installers are available at ColdFusion downloads.
Licensing and activation changes
Usage data
Send usage data to Adobe ColdFusion licensing servers. For more information, see ColdFusion licensing and activation.
Auto restart instances
Enable if you want the instances to be automatically restarted after activation, deactivation, or changing usage data settings.
ColdFusion AWS Lambda Package
With AWS Lambda package in ColdFusion, you can now invoke cloud based AWS Lambda functions from ColdFusion server. For more information, see get started with ColdFusion AWS Lambda.
For more information, see get started with ColdFusion AWS Lambda.
GUI-based installer changes
The ColdFusion (2021 installer) no longer contains weinre. The change applies to all supported platforms. As a workaround, follow the steps below to setup a local Node server and remote Weinre server:
- Install nodejs and weinre.
- Download weinre zip and rename it as "node". Copy the file in ColdFusion2021/cfusion.
- Platform-specific steps:
- Non windows: Create a folder called "weinre" inside node and place all the content of "node" folder inside weinre.
- Windows: Create a folder called "node-module" inside node and weinre inside "node-module", and copy all the content of "node" folder inside weinre.
CFsetup updates
In Update 2, CFsetup includes the following changes:
- Add and manage users. Users can also be granted access to roles and sandboxes.
- Add or remove sandbox, set security, block IPs, grant runtime permissions, or block operations.
For more information, see CFsetup configuration tool.
Bugs fixed in this release
Bug ID |
Description |
Component |
CF-4211556 |
After running one task after another, the On Complete option of a scheduled task is no longer visible in the ColdFusion Administrator |
Administrator |
CF-4211179 |
Unable to save Server Settings due to an invalid default value for the option Maximum Pool Size. |
Administrator |
CF-4205963 |
Redis Sessions must support SSL/TLS connection over port 6380. |
Administrator : Administrator Console |
CF-4209616 |
The SOLR interface has issues with NL locale. |
Administrator : Localization |
CF-4207973 |
An exception appears when you dump the results of the function cacheGetAllIds(). |
Caching |
CF-4211954 |
Some code samples for AWS SNS do not work a expected. |
Cloud services |
CF-4211482 |
Unable to install the latest PDF add-ons for Docker. |
Containers: Docker |
CF-4211421 |
If the neo-datasource.xml file has the following, then after applying Update 11, 17, or 1, then the ColdFusion Data Source service is unavailable. |
Database: General |
CF-4210974 |
After installing ColdFusion, the ODBC Server and ODBC Agent services do not start as expected. |
Database: ODBC |
CF-4211538 |
Temporary columns in an ORDER BY clause will be randomly returned in QoQ result set even if they aren’t specified in a SELECT statement. |
Database : Query-of-Query(IMQ) |
CF-4211472 |
Locally scoped table names in a Query of Query throws an internal error. |
Database : Query-of-Query(IMQ) |
CF-4202730 |
In a query, if you select names with order, the order of names is not as expected. |
Database : Query-of-Query(IMQ) |
CF-4211229 |
When using cfspreadsheet to read a file, ColdFusion locks the file. |
Document Management : Spreadsheet |
CF-4206450 |
The url for installer docs redirects incorrectly. |
Documentation |
CF-4210968 |
ColdFusion 2021 docs mentioning features requiring package must be re-worded in some cases. |
Documentation : General |
CF-4208032 |
When copying a file to an AWS S3, the copy operation fails. |
File Management : VFS-S3 |
CF-4211415 |
The ColdFusion installer does not pick a new port for cfstatport, if the port is already in use |
Installation/Config |
CF-4210910 |
On Docker, the installation paths for ColdFusion 2018 and ColdFusion 2021 are different. |
Installation/Config |
CF-4210996 |
In some cases, wsconfig causes an error and does not create the connector as expected. |
Installation/Config : Connector |
CF-4210937 |
After using ColdFusion 2021 (Japanese installer) and creating the connector with ALL, ColdFusion pages throw Error 404. |
Installation/Config : Connector |
CF-4210922 |
Installing ColdFusion also installs ODBC even if the option to install ODBC is disabled. |
Installation/Config : Installer |
CF-4211830 |
For complex variable bindings, the final keyword is not honored. |
Language |
CF-4211478 |
Erroneous 'final variable modification' exception on arrow function initializer in component mixin. |
Language |
CF-4212023 |
If a ColdFusion page does not have a cfapplication tag, the default behavior is to convert formfields with commas into array. |
Language |
CF-4209676 |
Function parameters are parsed incorrectly when passing an un-braced arrow-function literal as an argument. |
Language : CFSCRIPT |
CF-4211579 |
When you dump a cfcatch object, you get, in addition of the dump, the exception "The getMetaData method was not found". |
Language |
CF-4211442 |
Complex object types cannot be converted to simple values |
Language |
CF-4211070 |
cfjava/java{} integration does not work as expected with javaSettings loader. |
Language |
CF-4211248 |
ColdFusion (2021 release) doesn't function as expected with jsoup element attributes using asList() or iterator(). |
Language |
CF-4211626 |
An error occurs when attempting to push to a java.util.Stack. |
Language : Java Integration |
CF-4211423 |
New cfjava/java{} Integration compile error due to cfsetting enablecfoutputonly="Yes" |
Language : Java Integration |
CF-4205189 |
The toString() member function incorrectly returns the memory location instead. |
Language : String Functions |
CF-4210631 |
ORM does not support Object[] types as expected. |
ORM Support |
CF-4211228 |
Application metadata is not thread safe under high concurrency (ConcurrentModificationException) |
Performance |
CF-4211113 |
Every page request calls getRealPath()as part of PathFilter.invoke(), which results in a touch to the file system. |
Performance |
CF-4211876 |
Mismatch in argument type after installing Update 11 from Update 10 of ColdFusion (2018 release). |
REST |
Known issues in this release
- You are unable to start/stop an instance from the ColdFusion Administrator. As a workaround, ensure that the jvm.config file at <cfroot>/cfusion/bin does not have the -Xdebug java argument configured.
- On macOS Big Sur, if you start Apache after configuring a connector, you see a warning message, "No code signing authority for module at /private/etc/apache2/mod_jk.so specified in LoadModule directive. Proceeding with loading process, but this will be an error condition in a future version of macOS."
- If you do not have internet access, then on using the REPL mode, you may see a few license-connectivity related logs.
- CFM applications that render text encounter an error related to libfontmanager. Oracle JDK-11.0.10 and later for Solaris 11 requires the OS to provide the text shaping library package, Harfbuzz. Release Notes | Download package.
- When the multicast port is busy in your environment, there will be errors in logs after restarting the instances that are part of a cluster. To resolve the issue, in the ColdFusion Admin, change the multicast port in the Cluster Manager page.
- When applying this update from Update 2 of ColdFusion 2021 through the Administrator, at present, there is no option to select the instances. All the instances will be updated.
- Connecting to a MySQL database fails for AWS MySQLon Oracle JRE. After verifying the connection, an error message displays. The issue occurs because the MySQL JDBC driver is unable to connect to SSL over TLS. As of MySQL 5.7.35, as the TLSv1 and TLSv1.1 connection protocols are deprecated. As a workaround, add the parameter enabledTLSProtocols to the jdbc url.
- Oracle Java in ColdFusion installers have TLS 1.0 and 1.1 disabled. TLS 1.0 and 1.1 have been deprecated and have been replaced with TLS 1.2 and 1.3. By default, the older versions of TLS are disabled in Java. These versions have now been disabled by default.
- Same form fields are treated as arrays when used in Application.cfc. The fields are not part of any UDF or eventhandlers of Application.cfc, even when you set or do not set the flag this.sameformfieldsasarray.
- The ColdFusion installer does not pick a new port for cfstatport, if already in use. As a workaround, update the cfstatport value in <cfroot>/lib/neo-metric.xml to 7991 and restart the server.
- On a non-Windows platform, while sending message with WebSocket Proxy, if the message contains semi-colons, you must refresh the browser before viewing the message.
- If you are installing ColdFusion on macOS, you may encounter issues. As a workaround, before launching the installer, run xattr -rc against the dmg.
- When storing a result set in a ColdFusion scope (like local or arguments) and then attempting to run a query of queries on that result set, ColdFusion 2021 produces an error.
Prerequisites
- On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
- If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
- http.proxyHost
- http.proxyPort
- http.proxyUser
- http.proxyPassword
- For ColdFusion running on JEE application servers, stop all application server instances before installing the update.
Installation
ColdFusion Administrator
In Package Manager > Packages, click Check for Updates in Core Server.
After it detects an update, click Update. The core package gets updated the the latest update.
All installed packages also get updated.
Restart ColdFusion for the changes to take effect.
Install the update in offline mode manually
- Download the hotfix installer and repository from the link.
- Unzip to a place where it can be accessed by all ColdFusion server instances.
- Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerReposityUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.
If the core server hotfix installation is successful and if there are errors or issues with packages, packages can be installed/updated from the package manager client(cfusion\bin\cfpm.bat|cfpm.sh).
You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.
- Windows: <cf_root>\jre\bin\java.exe -jar <InstallerReposityUnzippedPath>\bundles\updateinstallers\hotfix-002-328618.jar
- Linux-based platforms: <cf_root>/jre/bin/java -jar <InstallerReposityUnzippedPath>/bundles/updateinstallers/hotfix-002-328618.jar
Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.
Install the update from a user account that has permissions to restart ColdFusion services and other configured webservers .
For further details on how to manually update the application, see the help article.
Updating the core package updates all the packages that were downloaded. Also, updating any package updates the core and rest of the packages. If ColdFusion (2021 release) is on Update 1, installing Update 2 via the admin of any instance updates the core for all other instances present.
Similarly, uninstalling the update from the same instance uninstalls the updates from instances that were updated together.
If you've created a mapping of the cf_scripts folder, you must copy the contents of the downloaded zip into CF_SCRIPTS/scrips/ajax folder to download the ajax package.
After applying the update, you must upgrade the existing web server connectors.
Post installation
After applying this update, the ColdFusion build number should be 2021,0,02,328618.
Uninstallation
To uninstall the update, perform one of the following:
- In ColdFusion Administrator, click Uninstall in Server Update > Updates > Installed Updates.
- Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2021-00002-328618/uninstall /uninstaller.jar
If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:
- Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
- Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2021-00002-328618}/backup directory to {cf_install_home}/{instance_name}/