ColdFusion (2023 release) Update 11

ColdFusion (2023 release) Update 11

Security recommendations

For all security updates, Adobe recommends applying the security configuration settings outlined on the ColdFusion Security page and reviewing the respective Lockdown guides.  

Alert:

Check if you need to create and configure connectors after installing the update. View the section Connector Configuration Table for more information.

Note:

The updates below are cumulative and contain all updates from previous ones. If you are skipping updates, you can apply the latest update, not those you are skipping. Further, you must take note of any changes that are implemented in each of the updates you are skipping.

What's new and changed

ColdFusion (2023 release) Update 11 (release date, October 15, 2024) includes bug fixes and enhancements in Administrator, Language, CFSetup, Database, and other areas. The update also contains library upgrades, such as netty, ehcache, etc.

Review the known issues before proceeding with the update.

Select each topic to know more.

Important

After applying the update, we recommend clearing the Felix cache as a workaround for installing the HTMLToPDF package and verifying the Oracle data source.

Whitespace management on all deployments

Efficient whitespace management reduces the file size of the pages that ColdFusion returns to the browser by removing many extra spaces, tabs, and carriage returns that ColdFusion might otherwise persist from the CFML source file.

You can enable or disable whitespaces in ColdFusion from the ColdFusion Administrator (Server Settings > Settings).

What is changing

In this release, ColdFusion allows whitespace management on all deployments. For example, you can allow whitespaces on JEE deployments using the Administrator or Admin APIs.

Using the ColdFusion Administrator

  1. Launch ColdFusion Administrator.

  2. Select Server Settings > Settings.

  3. Select the checkbox Enable Whitespace Management.

Using the Admin API

In the CFIDE.adminapi.runtime class, specify the propertyName as Whitespace in the setRuntimeProperty method.

For example,

cfscript>
    // Login is always required. This example uses two lines of code.
    adminObj = createObject("component","cfide.adminapi.administrator");
    adminObj.login("password");  //CF admin password.
    // Instantiate the runtime object.
    myObj = createObject("component","CFIDE.adminapi.runtime");
    // set whitespace
    myObj.setRuntimeProperty("whitespace",true)
    // retrieve the property
    saveWhitespacesEnabled = myObj.getRuntimeProperty("whitespace")
    writeOutput("Is whitespace management enabled: " & saveWhitespacesEnabled & "<br>")
</cfscript>

Clientvariable support in CFSetup

Display and set client variables using CFSetup. ColdFusion supports the following settings in client variables:

Client settings

  • Default Storage for Client sessions (clientStore)
  • PurgeInterval (purgeIntervalInMinutes)

Client stores

Registry

  • Description - String (description)
  • Purge data for clients that remain unvisited for () days - Days (purgeDataUnvisitedForDays) (Modifiable)
  • Disable global client variable updates - Boolean (disableGlobalClientVariableUpdates) (Modifiable)
  • Type - Registry (type)
  • Name - Registry (name)
  • Purge - Boolean (enableToPurgeUnvisited)

JDBC

  • Description - String (description) (Modifiable)
  • Create Client database tables. - Boolean (Not Supported)
  • Purge data for clients that remain unvisited for () days - Days (purgeDataUnvisitedForDays) (Modifiable)
  • Purge - Boolean (enableToPurgeUnvisited)
  • Name - It must be the name of an existing data source (name)
  • Disable global client variable updates - Boolean (disableGlobalClientVariableUpdates) (Modifiable)

Cookie

  • description: Client based text file.
  • disableGlobalClientVariableUpdates: false
  • enableToPurgeUnvisited: true
  • purgeUnvisitedDataInDays: 10
  • storageName: COOKIE
  • type: COOKIE

Commands

Show

  • show category - This command displays clientvariable as a category.
  • show clientvariable - This command displays all settings of clientvariable
  • show clientvariable cookie - This command displays all the details of a specific clientstore.
  • show clientvariable nonexistentclientstore - This displays an error message.

Help

  • help clientvariable - This command should show all the settings available for the category.
  • help set clientvariable
  • help get clientvariable
  • help add clientvariable
  • help delete clientvariable
  • help export clientvariable
  • help import clientvariable

Get

  • get clientvariable clientstore
  • get clientvariable purgeintervalinminutes
  • get clientvariable cookie
  • get clientvariable cookie name
  • get clientvariable cookie purgeDataUnvisitedForDays
  • get clientvariable cookie description

Set

  • set clientvariable clientstore=none
  • set clientvariable clientstore=cookie
  • set clientvariable clientstore=cfartgallery
  • set clientvariable purgeintervalinminutes=92
  • set clientvariable cookie purgeDataUnvisitedForDays=90 disableGlobalClientVariableUpdates=true description="Test description"
  • set clientvariable cookie purgeDataUnvisitedForDays=90 disableGlobalClientVariableUpdates=Yes description="Test description"

 Add

  • add clientvariable name=cfartgallery description="JDBC-based client store." purgeDataUnvisitedForDays=91 disableGlobalClientVariableUpdates=false

Delete

  • delete clientvariable cfartgallery

Export

  • export clientvariable test.json

Import

  • import clientvariable test.json

OEM upgrades

OEM Previous version New version
ehcache 2.10.3 2.10.92
netty 3.9.9 4.1.89, 4.1.109
postgresql 42.5.1 42.7.3
quartz 2.2.1 2.4.0
solr war 8.11.2 8.11.3
xalan 2.7.1 2.7.3
zookeeper 3.3.2, 3.6.2 3.8.4
solr-core, solr-solrj 8.9.0 8.11.3
cxf 4.0.1 4.0.5

OEMs removed

  • nimbus v6.4
  • xmlbeans v2.3.0
  • solr-core v5.2.1
  • netty-reactive-streams v2.0.0
Why were the OEMs removed?

The jars were older, outdated, and vulnerable versions that had already been updated in earlier releases, so they were deleted.

Bugs fixed

Bug ID Description Component
CF-4222080
You're unable to create or modify scheduled tasks on Firefox. Administrator
CF-4219674
Adding/updating IDP or SP configuration in ColdFusion Admin results in "Variable is undefined" error.
Administrator
CF-4222881
Unable to upload a file from a RAM drive to an S3 bucket. Cloud service

CF-4218942

getCloudService throws an error when the gcpfirestore package is not installed.

Cloud service

CF-4219706

In ColdFusion 2023, the attribute in cfhtmltopdf orientation="landscape" is ignored.

ColdFusion Packages

CF-4220122
The number of system threads grows with each cfsearch test page load.
ColdFusion Packages
CF-4219563
The purgecache command works only within the cfpm Command Line Interface. The command does not run as expected when using cfpm purgecache. ColdFusion Packages
CF-4223452

You cannot install multiple packages using the cfpm install command in the batch mode. However, you can do so using the cfpm Command Line Interface.

For example, after running the following command, the packages are installed:

C:\ColdFusion2021\cfusion\bin\cfpm
cfpm> install document, htmltopdf

But, running the following command does not install the packages:

C:\ColdFusion2021\cfusion\bin\cfpm install document, htmltopdf

ColdFusion Packages

CF-4219119

The incorrect function name is reported in exception from using the wrong named parameter to a setter function.

Core Runtime

CF-4198437

In spreadsheets, whitespace management is not available on JEE installations.

Core Runtime

CF-4220502
Sometimes, a ternary statement causes a syntax error only if the getter array syntax is used within a true statement.
Core Runtime
CF-4204716
For some scheduled tasks, the cfquery tag fails inside a scheduled task with a null message and a null cause.
Database

CF-4219530

Attempting to sort QoQ by date column results in Java Timestamp Error.

Database

CF-4222965 

 

 

 

After updating Oracle Server v19.23 to v19.24 and verifying the connection in Datasources in ColdFusion Administrator, the following error message displays: 

Connection verification failed for data source: DATASOURCE_A java.sql.SQLException: [DataDirect][Oracle JDBC Driver]arraycopy: destination index -1 out of bounds for byte[128] 

See the community post for more information. 

 

 

Database 

 

 

CF-4221077

An error message appears after reading 0000-00-00 00:00:00 string from the MySQL DB.

With the fix, the DateTime value converts to a Timestamp since the latest versions of the MySQL driver changed the datatype from string to DateTime.

As a workaround, to get the DateTime output as a string, set. the flag -Dcoldfusion.jdbc.datetime.str=true

Database
CF-4222036

Reading a zeroDateTime from MySQL as a Time Stamp produces an error: java.sql.SQLException zeroDate is prohibited. As a workaround, set zeroDateTimeBehavior=convertToNull in the JDBC connection string.

Database
CF-4219530
Sometimes, trying to sort by a date column in a Query of Query produces a Java timestamp error. Database

CF-4220030

 

 

Sometimes, attempting to execute a query results in a JDBC exception.

 

 

Database

 

 

CF-4222563

 

 

After you enable the PDF Service in the ColdFusion Administrator and generate a PDF with columns, the columns in the PDF output do not align as expected. 

Document Management 

 

 

CF-4217457

 

 

The setup does not show or export the CF Admin settings for the client variable page, such as the Default client storage or Purge interval.

Installation/Config

 

CF-4220000

 

 

The equal operator (eq) does not work as expected. 

 

 

Language 

 

 

CF-4212709

 

 

ColdFusion supports generate3DesKey function, but it's not documented or in getfunctionlist(). 

 

 

Language 

 

 

CF-4215583

 

 

You're unable to call static methods from an abstract class. 

 

 

Language 

 

 

CF-4222022

 

 

Dumping a structure with multiple CFCs causes methods from the higher-order CFC to propagate to the lower-order CFC. 

 

 

Language 

 

 

CF-4222005

 

 

While structure keys with chaining, ColdFusion produces an exception if a function exists. 

 

 

Language

 

 

CF-4214319

 

 

When writing a custom log, if the message contains a double quote, it does not escape when the log is written, making the log no longer a valid CSV. 

 

 

Logging

 

CF-4212463

 

 

cfstat.bat -x produces a Null Pointer Exception. 

 

 

Logging

 

 

CF-4219897

 

 

After applying the update, coldfusion-out.log doesn’t update as expected. View the community post for more information.

 

 

Logging

 

 

CF-4221161

 

 

ColdFusion is unable to handle sFTP connections using newer OpenSSH key algorithms like Ed25519. As a workaround, add the following JVM flags: 

  • -Dcoldfusion.sftp.enable-ssh-rsa=TRUE to enable the ssh-rsa algorithm. The default value of the flag is FALSE. 

  • -Dcoldfusion.sftp.fingerprint=md5 to set md5. The default value of the flag is SHA256. 

Net Protocols 

 

 

CF-4212578
When using cfhttp to send a file, the full server path is included in the filename. Sending files to third-party APIs may be a security risk and does not comply with web standards.
Net Protocols

CF-4219459

 

 

Unable to register Rest service when using Application.cfm.

 

 

REST services

 

 

CF-4212391

 

 

cfreport doesn’t work as expected. The following error message appears: 

Error at line 4 char 326: net.sf.jasperreports.engine.xml.JasperDesignFactory

If the issue still occurs intermittently, Clear the Felix cache and restart ColdFusion.

 

Reporting 

 

 

CF-4219575

 

 

The initSAMLAuthRequest function causes intermittent Null Pointer Exceptions.

 

 

Security 

 

 

CF-4219353

 

 

When displaying the context-result of a cfsearch,  special characters do not display as expected. 

 

 

Search 

 

 

CF-4222210

 

 

After restarting add-ons on Unix, Solr collections do not appear in the Admin UI. As a workaround, manually update the cfjetty file, hardcode the solr.home value to the updated one, and restart jetty.

 

 

Search

 

 

CF-4220241

 

 

After enabling Sandbox and using <cfimage> tag with action="write" and file output= "jpg" causes ColdFusion to behave unexpectedly.

 

 

Sandbox

 

 

CF-4222549

 

 

In some cases, after installing the graphql module, debugging a cfc or cfm file does not work as expected. 

 

 

VS Code Plugin 

 

 

Known issues

  • The PDF Services page in ColdFusion Administrator does not load even with the HTMLToPDF package installed. As a workaround, clear the Felix cache (<cf_home>/cfusion/bin/felix-cache).
  • The Oracle DataSource verification fails after installing the latest update. As a workaround, clear the Felix cache, and restart ColdFusion.
  • An exception occurs when indexing Open Document Format files, such as those with a .odt extension.

Prerequisites

  1. On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
  2. If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
    • http.proxyHost
    • http.proxyPort
    • http.proxyUser
    • http.proxyPassword
  3. For ColdFusion running on JEE application servers, stop all application server instances before installing the update.

ColdFusion JDK flag requirements

COLDFUSION 2023 (version 2023.0.0.330468) and above

For Application Servers

On JEE installations, set the following JVM flag, "-Djdk.serialFilter=!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**", in the respective startup file depending on the type of Application Server being used.

For example:   

  • Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file   
  • WebLogic Application Server:  edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file   
  • WildFly/EAP Application Server:  edit JAVA_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.  

Installation

ColdFusion Administrator

In Package Manager > Packages, click Check for Updates in Core Server.

After it detects an update, click Update. The core package gets updated the the latest update.

All installed packages also get updated.

Restart ColdFusion for the changes to take effect.

Install the update in offline mode manually

  1. Download the hotfix installer from the link.
  2. Download the packages zip file from this link and extract its contents to a location accessible to all ColdFusion server instances.
  3. Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerRepositoryUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.

You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.

  • Windows: <cf_root>\jre\bin\java.exe -jar <InstallerRepositoryUnzippedPath>\bundles\updateinstallers\hotfix-011-330706.jar
  • Linux-based platforms: <cf_root>/jre/bin/java -jar  <InstallerRepositoryUnzippedPath>/bundles/updateinstallers/hotfix-011-330706.jar

If the core server hotfix installation is successful and if there are errors or issues with packages, packages can be installed/updated from the package manager client(cfusion\bin\cfpm.bat|cfpm.sh).

Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.

Install the update from a user account that has permissions to restart ColdFusion services and other configured webservers.

For further details on manually updating the application, see the help article.

Note:

If you are on Java 17.0.8 or higher and want to apply the Hotfix manually, use the flag java -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar hotfix.jar.

However, if you are applying the update from the Administrator, you do not require any flag.

Post installation

Note:

After applying this update, the ColdFusion build number should be 2023,0,11,330706.

Uninstallation

To uninstall the update, perform one of the following:

  • In ColdFusion Administrator, click Uninstall in Server Update Updates Installed Updates.
  • Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2023-00011-330706/uninstall /uninstaller.jar

If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:

  1. Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
  2. Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2023-00011-330706}/backup directory to {cf_install_home}/{instance_name}/

Connector configuration

2023 Update Connector recreation required
Update 11

No

However, upgrading from Update 4 and earlier requires you to recreate the connector.

View the following for more information on creating and configuring connectors:

Update 10

No

However, upgrading from Update 4 and earlier requires you to recreate the connector.

View the following for more information on creating and configuring connectors:

Update 9

No

However, upgrading from Update 4 and earlier requires you to recreate the connector.

View the following for more information on creating and configuring connectors:

Update 8

No

However, upgrading from Update 4 and earlier requires you to recreate the connector.

View the following for more information on creating and configuring connectors:

Update 7
No

However, upgrading from Update 4 and earlier requires you to recreate the connector.

View the following for more information on creating and configuring connectors:

Update 6

No

However, upgrading from Update 4 and earlier requires you to recreate the connector.

View the following for more information on creating and configuring connectors:

Update 5 Yes
Update 4 No
Update 3 No
Update 2 No
Update 1 No

Package updates

Update Packages updated
Update 11 Yes
Update 10 No
Update 9 No
Update 8 Yes
Update 7 Yes
Update 6 No
Update 5 Yes
Update 4 No
Update 3 No
Update 2 No
Update 1 No

Get help faster and easier

New user?