ColdFusion (2021 release) Update 11

ColdFusion (2021 release) Update 11

Security recommendations

For all security updates, Adobe recommends applying the security configuration settings outlined on the ColdFusion Security page and reviewing the respective Lockdown guides.  

Alert:

Check if you need to create and configure connectors after installing the update. View the section Connector Configuration Table for more information.

What's new and changed

ColdFusion (2021 release) Update 11 (release date: October 6, 2023) includes bug fixes and enhancements in Administrator, Installer, Migration, Package manager, Database, and other areas. The update contains upgrades to Tomcat (v9.0.78) and other libraries, such as jackson-databind, Netty, etc. Note that this update is cumulative and includes fixes from the previous updates.

With this update, we are upgrading the library jackson-databind from 2.9.8 to 2.15.0. This library version does not support POJO deserialization of java.time.* .The objects return NULL objects, which leads to data loss from aws dynamodb and azure service bus. See the bug fix section for more information.

If you are on Java 11.0.20 or higher, use the flag java -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar hotfix.jar

From Update 12 onwards, you need not use the flag.

Note:

The updates below are cumulative and contain all updates from previous ones. If you are skipping updates, you can apply the latest update, not those you are skipping. Further, you must take note of any changes that are implemented in each of the updates you are skipping.

To install previous updates, see ColdFusion (2021 release) updates.

Note:

In this update, for security reasons, the access to the Administrator to the connector port is blocked.

Topics in this document:

Removal of cflogging.jar

The cflogging.jar file isn't automatically removed after you apply the update, even though we've removed the file from cfusion/lib.

Ensure that you remove the file manually.

Package update workflow enhancements

From the next update onwards, while installing packages, ColdFusion checks the version of the core, and installs the package compatible with the core version instead of installing the latest package directly.

ColdFusion asks you for confirmation when the core server gets upgraded or downgraded.

View the Install scenarios in the ColdFusion Package Manager documentation for more information.

Library upgrades in this release

Library Previous version New version
Tomcat 9.0.74 9.0.78
jackson-databind/jackson-mapper
2.8.8 2.15.0
netty (web sockets) 3.5.8 3.9.9
netty (cloud services) 4.1.45 4.1.89
Jetty 9.4.31 9.4.51
cxf-core/cxf-rt-frontend-jaxrs/cxf-rt-rs-client
3.0.16 4.0.1
imageio-metadata
3.3.2 3.9.4
java-xmlbuilder
1.1 1.3
commons-fileupload
1.4 1.5
log4j 2.17.2 2.20.0
pebble 2.5.0 3.2.1
esapi.jar
2.2.1.1 2.5.1.0
jquery-ui 1.13.1 1.13.2

Generate activation request using Admin APIs

In this update, we've introduced Admin APIs to activate and deactivate ColdFusion.

Note:

Ensure that you enable RDS first before accessing the activation functions.

activateNow

Activates ColdFusion using the new serial key.

Syntax

activateNow (string currentSN, string prevSN)

Parameters

Parameter Required/Optional Description
currentSN Required The new serial number.
prevSN Optional The previous serial number.

Example

<cfscript>
    // Login is always required.
    adminObj = createObject("component","cfide.adminapi.administrator")
    adminObj.login("PASSWORD");  //CF admin password.
    previousSN="previous serial number"
    currentSN="new serial number"
    // instantiate the object
    myObj=createObject("component","CFIDE.adminapi.license")
    // activate the new serial number
    try{
        myObj.activateNow(currentSN,previousSN)
        writeOutput("Successfully activated ColdFusion with the new serial number")
    }
    catch(any e){
        writeDump(e)
    }
</cfscript>

deactivateNow

Deactivates ColdFusion in the online mode.

Syntax

deactivateNow()

Example

<cfscript>
    // Login is always required.
    adminObj = createObject("component","cfide.adminapi.administrator")
    adminObj.login("PASSWORD");  //CF admin password.
    // instantiate the license object
    myObj=createObject("component","CFIDE.adminapi.license")
    // deactivate ColdFusion
    try{
        myObj.deactivateNow()
        writeOutput("Successfully dectivated ColdFusion.")
    }
    catch(any e){
        writeDump(e)
    }
</cfscript>

New attributes in the Exchange tags

We've added new attributes username, password, and server for authentication in the following Exchange tags:

Connector-related enhancements

Wsconfig update now creates a backup of the modified files. For example, the following files are backed up:

  • mod_jk.conf
  • mod_jk.so
  • workers.properties

Changes in CFHTTP method

In previous releases, when you executed a CFHTTP GET request and pass the body with CFHTTPPARAM, the body would get stripped and was not sent with the GET request.

This update ensures that the body is not stripped.

Bugs fixed in this update

Bug ID Description Component
CF-4219159

In this update, we’ve upgraded jackson-databind 2.9.8 to 2.15.0. The new version does not support POJO deserialization of java.time.*. The objects return NULL objects, which leads to data loss from awsdynamodb and azureservicebus.

AWS Service Bus example:
_SBClient = getCloudService(application.SBConstants.serviceBusCred, application.SBConstants.serviceBusConf)
 topicRef = _SBClient.getTopic(topicName)
 topicRuntimeInfo = _SBClient.getTopicRuntimeInfo(topicRef.getPath())
 writedump(topicRuntimeInfo)

Cloud Services: Azure Service Bus
CF-4217635
Coldfusion fails to load the custom Barcode font.
ColdFusion Package: Htmltopdf
CF-4216051
After applying Update 5 to ColdFusion (2021 release), when generating a PDF using the CFHTMLTOPDF tag, the extended ASCII characters are returned with the wrong encoding when the CFHTMLTOPDF tag is within a CFC function. The encoding is correct when the tag appears on a regular CFM page.
Document Management: PDF Generation (CFHTML2PDF)
CF-4211764
<cfhtmltopdf> generates a blank pdf when a custom font is used.
Document Management: PDF Generation (CFHTML2PDF)
CF-4211569
A session is not saved to Redis when adding a component struct or array with an unquoted true or false value.
Core Runtime: Session Management
CF-4218184
The update mysql package description to specify that mysql package does not help you to create a MYSQL community datasource.
Database
CF-4218176
We've updated the error message to reflect that a ColdFusion installation no longer includes the standalone MySQL JDBC driver.
Administrator
CF-4217838
A cfquery statement can clear a temp table, perform an operation on the temp table, then clear it again, and return values in the Macromedia driver. The same is not replicated in the MS JDBC driver.
Database
CF-4215843

After upgrading to MySQL 8, if you execute the custom tag cfdbinfo that contains a table with an underscore in the table's name, the execution fails. For example, the script below fails.

<cfdbinfo datasource="#Datasource#" name="DBName" type="columns" table="table_groupOne" />

<cfdump var="#DBName#">

Database
CF-4215129
Sometimes, a SOAP webservice with cfinvoke or cfscript does not work as expected.
Web Services
CF-4211276

After a ColdFusion migration, a few date functions started behaving unexpectedly. For example, the following function throws an error after migration.

DateFormat(queryname.datecolumnname) throws "Error The value class java.time.LocalDateTime cannot be converted to a date."

Database
CF-4205971
Sometimes, Apache behaves unexpectedly when a request takes longer than usual. As a workaround, update heartbeat_interval=0 or replace mod_jk.so using the instructions in this document. Installation/Config: Connector
 
CF-4218421
When attempting to send email using SendGrid SMPTP server with TLS settings configured, ColdFusion throws an error message.
Mail
CF-4218140
Sometimes, on executing a query, ColdFusion throws the error, [Macromedia][SQLServer JDBC Driver]This driver is locked for use with embedded applications.
Database
CF-4216526
An error occurs when you try to display the results of a stored procedure in PostgreSQL 13 using the cfprocresult tag. Database
CF-4212837
Executing the Docker image (public.ecr.aws/adobe/coldfusion:latest) with the environment variable (installModules="ajax") does not install the Ajax module.
CF Docker
CF-4212391
CFReport does not work as expected after an update and throws an error. CFReport
CF-4217130
Implicit struct creation causes keys to be generated that are case-sensitive.
Language
CF-4215479
Using the cfdocument tag with encryption attribute results in Class not found exception.
Document management
CF-4214540
The InitSAMLAuthRequest function returns a Null Pointer Exception intermittently.
SAML integration
CF-4214518
An error occurs in the ColdFusion 2021 docker image while running cfcompile on cfreport tags.
ColdFusion Docker image
CF-4212860

In the createDateTime function, ColdFusion does not validate the following string representations of the date February 29 during a leap year. An error message follows.

"Sat Feb 29 17:00:00 AEDT 2020", "Mon Feb 29 17:00:00 AEDT 2016", or "Wed Feb 29 17:00:00 AEDT 2012"

DateTime functions
CF-4212735

When you run wsconfig -ws apache -dir C:\Apache24\conf -bin C:\Apache24\bin\httpd.exe -v to create an Apache connector, the following error message appears:

Could not determine Apache control script file.

Connector
CF-4212696
Intermittent error with ColdFusion 2021 AWS image after update 3.
AWS image
CF-4212581

The following CLI command throws an exception:

cf-cli>queryExecute("SELECT * FROM artists", {},

     {datasource="cfartgallery"}

);

CLI: REPL
CF-4212489
Azure Blob file upload sets the content-type to application/octet-stream by default. New attributes are introduced for the same. Please refer to the ColdFusion Azure blob documentation.
Azure Blob Storage
CF-4212245
cfsetup utility : exporting/importing coldfusion runtime settings fails ifsession key (cfloginusesessionstorageredis) is set.
CFSetup
CF-4212182

Certain ColdFusion applications take more time to compile in ColdFusion 2021. The following optimizations are done in ColdFusion 2021 for better performance:

  • Class files writing to disk made asynchronous
  • Optimized a synchronized block
  • Lookaheads were optimized to do integer-based token comparison rather than String based.
Language server
CF-4211229 The cfspreadsheet tag locks a file when performing operations on HTML and CSV file formats. Spreadsheet
CF-4208163
Specifying offset and maxRows in ormSettings simultaneously results in a hibernate error.
ORM support
CF-4217842
You cannot activate the ColdFusion Server on command box container which is deployed on AWS Fargate serverless.
License and activation
CF-4215855
Each time you restart the ColdFusion services, ColdFusion fails to load the cfc. An error message follows.
CFC
CF-4215586
Redis sessions lose stored objects that have fields with a decimal number. Redis Session Storage

ColdFusion JDK flag requirements

COLDFUSION 2021 (version 2021.0.0.323925) and above

For Application Servers   

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**", in the respective startup file depending on the type of Application Server being used.

For example:   

  • Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file   
  • WebLogic Application Server:  edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file   
  • WildFly/EAP Application Server:  edit JAVA_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.  

Pre-requisites

  1. On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
  2. If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
    • http.proxyHost
    • http.proxyPort
    • http.proxyUser
    • http.proxyPassword
  3. For ColdFusion running on JEE application servers, stop all application server instances before installing the update.

Installation

ColdFusion Administrator

In Package Manager > Packages, click Check for Updates in Core Server.

After it detects an update, click Update. The core package gets updated with the latest update.

All installed packages that needs an update get updated.

Restart ColdFusion for the changes to take effect.

Note:

After installing Update 11, must upgrade the connectors.

View the following for more information.

Install the update in offline mode manually

  1. Download the hotfix installer from the link.
  2. Unzip the repository to a place where all ColdFusion server instances can access it.
  3. Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerReposityUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.

If the core server hotfix installation is successful and if there are errors or issues with packages, packages can be installed/updated from the package manager client(cfusion\bin\cfpm.bat|cfpm.sh).

You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.

  • Windows: <cf_root>\jre\bin\java.exe -jar <InstallerReposityUnzippedPath>\bundles\updateinstallers\hotfix-011-330247.jar
  • Linux-based platforms: <cf_root>/jre/bin/java -jar  <InstallerReposityUnzippedPath>/bundles/updateinstallers/hotfix-011-330247.jar

Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.

Install the update from a user account with permission to restart ColdFusion services and other configured webservers .

For further details on manually updating the application, see the help article.

Note:

Updating the core package updates all the packages that were downloaded. Also, updating any package updates the core and the rest of the packages. If ColdFusion (2021 release) is on Update 1, installing Update 11 via the admin of any instance updates the core for all other instances.

Similarly, uninstalling the update from the same instance uninstalls the updates from instances that were updated together.

Post installation

Note:

After applying this update, the ColdFusion build number should be 2021.0.11.330247.

Uninstallation

To uninstall the update, perform one of the following:

  • In ColdFusion Administrator, click Uninstall in Server Update Updates Installed Updates.
  • Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2021-00011-330247/uninstall /uninstaller.jar

If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:

  1. Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
  2. Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2021-00011-330247}/backup directory to {cf_install_home}/{instance_name}/

Connector configuration

2021 Update Connector recreation required
Update 11

Yes

View the following for more information.

Update 10 No
Update 9 No
Update 8 No
Update 7 No
Update 6 No
Update 5 No
Update 4 No
Update 3 No. You need not upgrade the connector if you had already upgraded the connector in Update 2.
Update 2 Yes
Update 1 Yes

Packages updated

Update Packages updated
Update 11 Yes
Update 10 No
Update 9 No
Update 8 No
Update 7 No
Update 6 Yes
Update 5 Yes
Update 4 Yes
Update 3 Yes
Update 2 Yes
Update 1 Yes

Get help faster and easier

New user?