ColdFusion (2021 release) Update 11
Security recommendations
For all security updates, Adobe recommends applying the security configuration settings outlined on the ColdFusion Security page and reviewing the respective Lockdown guides.
Check if you need to create and configure connectors after installing the update. View the section Connector Configuration Table for more information.
What's new and changed
ColdFusion (2021 release) Update 11 (release date: October 6, 2023) includes bug fixes and enhancements in Administrator, Installer, Migration, Package manager, Database, and other areas. The update contains upgrades to Tomcat (v9.0.78) and other libraries, such as jackson-databind, Netty, etc. Note that this update is cumulative and includes fixes from the previous updates.
With this update, we are upgrading the library jackson-databind from 2.9.8 to 2.15.0. This library version does not support POJO deserialization of java.time.* .The objects return NULL objects, which leads to data loss from aws dynamodb and azure service bus. See the bug fix section for more information.
If you are on Java 11.0.20 or higher, use the flag java -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar hotfix.jar
From Update 12 onwards, you need not use the flag.
The updates below are cumulative and contain all updates from previous ones. If you are skipping updates, you can apply the latest update, not those you are skipping. Further, you must take note of any changes that are implemented in each of the updates you are skipping.
To install previous updates, see ColdFusion (2021 release) updates.
In this update, for security reasons, the access to the Administrator to the connector port is blocked.
Topics in this document:
Package update workflow enhancements
From the next update onwards, while installing packages, ColdFusion checks the version of the core, and installs the package compatible with the core version instead of installing the latest package directly.
ColdFusion asks you for confirmation when the core server gets upgraded or downgraded.
View the Install scenarios in the ColdFusion Package Manager documentation for more information.
| Library | Previous version | New version |
| Tomcat | 9.0.74 | 9.0.78 |
| jackson-databind/jackson-mapper |
2.8.8 | 2.15.0 |
| netty (web sockets) | 3.5.8 | 3.9.9 |
| netty (cloud services) | 4.1.45 | 4.1.89 |
| Jetty | 9.4.31 | 9.4.51 |
| cxf-core/cxf-rt-frontend-jaxrs/cxf-rt-rs-client |
3.0.16 | 4.0.1 |
| imageio-metadata |
3.3.2 | 3.9.4 |
| java-xmlbuilder |
1.1 | 1.3 |
| commons-fileupload |
1.4 | 1.5 |
| log4j | 2.17.2 | 2.20.0 |
| pebble | 2.5.0 | 3.2.1 |
| esapi.jar |
2.2.1.1 | 2.5.1.0 |
| jquery-ui | 1.13.1 | 1.13.2 |
Ensure that you enable RDS first before accessing the activation functions.
activateNow
Activates ColdFusion using the new serial key.
Syntax
activateNow (string currentSN, string prevSN)
Parameters
| Parameter | Required/Optional | Description |
| currentSN | Required | The new serial number. |
| prevSN | Optional | The previous serial number. |
Example
<cfscript>
// Login is always required.
adminObj = createObject("component","cfide.adminapi.administrator")
adminObj.login("PASSWORD"); //CF admin password.
previousSN="previous serial number"
currentSN="new serial number"
// instantiate the object
myObj=createObject("component","CFIDE.adminapi.license")
// activate the new serial number
try{
myObj.activateNow(currentSN,previousSN)
writeOutput("Successfully activated ColdFusion with the new serial number")
}
catch(any e){
writeDump(e)
}
</cfscript>
deactivateNow
Deactivates ColdFusion in the online mode.
Syntax
deactivateNow()
Example
<cfscript>
// Login is always required.
adminObj = createObject("component","cfide.adminapi.administrator")
adminObj.login("PASSWORD"); //CF admin password.
// instantiate the license object
myObj=createObject("component","CFIDE.adminapi.license")
// deactivate ColdFusion
try{
myObj.deactivateNow()
writeOutput("Successfully dectivated ColdFusion.")
}
catch(any e){
writeDump(e)
}
</cfscript>
| Bug ID | Description | Component |
| CF-4219159 |
In this update, we’ve upgraded jackson-databind 2.9.8 to 2.15.0. The new version does not support POJO deserialization of java.time.*. The objects return NULL objects, which leads to data loss from awsdynamodb and azureservicebus. AWS Service Bus example: |
Cloud Services: Azure Service Bus |
| CF-4217635 |
Coldfusion fails to load the custom Barcode font. |
ColdFusion Package: Htmltopdf |
| CF-4216051 |
After applying Update 5 to ColdFusion (2021 release), when generating a PDF using the CFHTMLTOPDF tag, the extended ASCII characters are returned with the wrong encoding when the CFHTMLTOPDF tag is within a CFC function. The encoding is correct when the tag appears on a regular CFM page. |
Document Management: PDF Generation (CFHTML2PDF) |
| CF-4211764 |
<cfhtmltopdf> generates a blank pdf when a custom font is used. |
Document Management: PDF Generation (CFHTML2PDF) |
| CF-4211569 |
A session is not saved to Redis when adding a component struct or array with an unquoted true or false value. |
Core Runtime: Session Management |
| CF-4218184 |
The update mysql package description to specify that mysql package does not help you to create a MYSQL community datasource. |
Database |
| CF-4218176 |
We've updated the error message to reflect that a ColdFusion installation no longer includes the standalone MySQL JDBC driver. |
Administrator |
| CF-4217838 |
A cfquery statement can clear a temp table, perform an operation on the temp table, then clear it again, and return values in the Macromedia driver. The same is not replicated in the MS JDBC driver. |
Database |
| CF-4215843 |
After upgrading to MySQL 8, if you execute the custom tag cfdbinfo that contains a table with an underscore in the table's name, the execution fails. For example, the script below fails. <cfdbinfo datasource="#Datasource#" name="DBName" type="columns" table="table_groupOne" /> <cfdump var="#DBName#"> |
Database |
| CF-4215129 |
Sometimes, a SOAP webservice with cfinvoke or cfscript does not work as expected. |
Web Services |
| CF-4211276 |
After a ColdFusion migration, a few date functions started behaving unexpectedly. For example, the following function throws an error after migration. DateFormat(queryname.datecolumnname) throws "Error The value class java.time.LocalDateTime cannot be converted to a date." |
Database |
| CF-4205971 |
Sometimes, Apache behaves unexpectedly when a request takes longer than usual. As a workaround, update heartbeat_interval=0 or replace mod_jk.so using the instructions in this document. | Installation/Config: Connector |
| CF-4218421 |
When attempting to send email using SendGrid SMPTP server with TLS settings configured, ColdFusion throws an error message. |
|
| CF-4218140 |
Sometimes, on executing a query, ColdFusion throws the error, [Macromedia][SQLServer JDBC Driver]This driver is locked for use with embedded applications. |
Database |
| CF-4216526 |
An error occurs when you try to display the results of a stored procedure in PostgreSQL 13 using the cfprocresult tag. | Database |
| CF-4212837 |
Executing the Docker image (public.ecr.aws/adobe/coldfusion:latest) with the environment variable (installModules="ajax") does not install the Ajax module. |
CF Docker |
| CF-4212391 |
CFReport does not work as expected after an update and throws an error. | CFReport |
| CF-4217130 |
Implicit struct creation causes keys to be generated that are case-sensitive. |
Language |
| CF-4215479 |
Using the cfdocument tag with encryption attribute results in Class not found exception. |
Document management |
| CF-4214540 |
The InitSAMLAuthRequest function returns a Null Pointer Exception intermittently. |
SAML integration |
| CF-4214518 |
An error occurs in the ColdFusion 2021 docker image while running cfcompile on cfreport tags. |
ColdFusion Docker image |
| CF-4212860 |
In the createDateTime function, ColdFusion does not validate the following string representations of the date February 29 during a leap year. An error message follows. "Sat Feb 29 17:00:00 AEDT 2020", "Mon Feb 29 17:00:00 AEDT 2016", or "Wed Feb 29 17:00:00 AEDT 2012" |
DateTime functions |
| CF-4212735 |
When you run wsconfig -ws apache -dir C:\Apache24\conf -bin C:\Apache24\bin\httpd.exe -v to create an Apache connector, the following error message appears: Could not determine Apache control script file. |
Connector |
| CF-4212696 |
Intermittent error with ColdFusion 2021 AWS image after update 3. |
AWS image |
| CF-4212581 |
The following CLI command throws an exception: cf-cli>queryExecute("SELECT * FROM artists", {}, {datasource="cfartgallery"} ); |
CLI: REPL |
| CF-4212489 |
Azure Blob file upload sets the content-type to application/octet-stream by default. New attributes are introduced for the same. Please refer to the ColdFusion Azure blob documentation. |
Azure Blob Storage |
| CF-4212245 |
cfsetup utility : exporting/importing coldfusion runtime settings fails ifsession key (cfloginusesessionstorageredis) is set. |
CFSetup |
| CF-4212182 |
Certain ColdFusion applications take more time to compile in ColdFusion 2021. The following optimizations are done in ColdFusion 2021 for better performance:
|
Language server |
| CF-4211229 | The cfspreadsheet tag locks a file when performing operations on HTML and CSV file formats. | Spreadsheet |
| CF-4208163 |
Specifying offset and maxRows in ormSettings simultaneously results in a hibernate error. |
ORM support |
| CF-4217842 |
You cannot activate the ColdFusion Server on command box container which is deployed on AWS Fargate serverless. |
License and activation |
| CF-4215855 |
Each time you restart the ColdFusion services, ColdFusion fails to load the cfc. An error message follows. |
CFC |
| CF-4215586 |
Redis sessions lose stored objects that have fields with a decimal number. | Redis Session Storage |
ColdFusion JDK flag requirements
COLDFUSION 2021 (version 2021.0.0.323925) and above
For Application Servers
On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**", in the respective startup file depending on the type of Application Server being used.
For example:
- Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
- WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
- WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
- On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
- If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
- http.proxyHost
- http.proxyPort
- http.proxyUser
- http.proxyPassword
- For ColdFusion running on JEE application servers, stop all application server instances before installing the update.
ColdFusion Administrator
In Package Manager > Packages, click Check for Updates in Core Server.
After it detects an update, click Update. The core package gets updated with the latest update.
All installed packages that needs an update get updated.
Restart ColdFusion for the changes to take effect.
After installing Update 11, must upgrade the connectors.
View the following for more information.
Install the update in offline mode manually
- Download the hotfix installer from the link.
- Unzip the repository to a place where all ColdFusion server instances can access it.
- Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerReposityUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.
If the core server hotfix installation is successful and if there are errors or issues with packages, packages can be installed/updated from the package manager client(cfusion\bin\cfpm.bat|cfpm.sh).
You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.
- Windows: <cf_root>\jre\bin\java.exe -jar <InstallerReposityUnzippedPath>\bundles\updateinstallers\hotfix-011-330247.jar
- Linux-based platforms: <cf_root>/jre/bin/java -jar <InstallerReposityUnzippedPath>/bundles/updateinstallers/hotfix-011-330247.jar
Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.
Install the update from a user account with permission to restart ColdFusion services and other configured webservers .
For further details on manually updating the application, see the help article.
Updating the core package updates all the packages that were downloaded. Also, updating any package updates the core and the rest of the packages. If ColdFusion (2021 release) is on Update 1, installing Update 11 via the admin of any instance updates the core for all other instances.
Similarly, uninstalling the update from the same instance uninstalls the updates from instances that were updated together.
After applying this update, the ColdFusion build number should be 2021.0.11.330247.
To uninstall the update, perform one of the following:
- In ColdFusion Administrator, click Uninstall in Server Update > Updates > Installed Updates.
- Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2021-00011-330247/uninstall /uninstaller.jar
If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:
- Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
- Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2021-00011-330247}/backup directory to {cf_install_home}/{instance_name}/
Connector configuration
| 2021 Update | Connector recreation required |
| Update 11 | Yes View the following for more information. |
| Update 10 | No |
| Update 9 | No |
| Update 8 | No |
| Update 7 | No |
| Update 6 | No |
| Update 5 | No |
| Update 4 | No |
| Update 3 | No. You need not upgrade the connector if you had already upgraded the connector in Update 2. |
| Update 2 | Yes |
| Update 1 | Yes |
Adobe MAX
The Creativity Conference
Oct 14–16 Miami Beach and online
Adobe MAX
The Creativity Conference
Oct 14–16 Miami Beach and online