ColdFusion (2023 release) Update 5
Security recommendations
For all security updates, Adobe recommends applying the security configuration settings outlined on the ColdFusion Security page and reviewing the respective Lockdown guides.
Check if you need to create and configure connectors after installing the update. View the section Connector Configuration Table for more information.
What's new and changed
ColdFusion (2023 release) Update 5 (release date: October 6, 2023) includes bug fixes and enhancements in Administrator, Installer, Migration, Package manager, Database, and other areas. The update contains upgrades to Tomcat (v9.0.78) and other libraries, such as jackson-databind, Netty, etc. Note that this update is cumulative and includes fixes from the previous updates.
With this update, we are upgrading the library jackson-databind from 2.9.8 to 2.15.0. This library version does not support POJO deserialization of java.time.* .The objects return NULL objects, which leads to data loss from aws dynamodb and azure service bus. See the bug fix section for more information.
In this update, for security reasons, the access to the Administrator to the connector port is blocked.
If you are on JDK 17.0.8 or higher, use the flag java -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar hotfix.jar
From Update 6 onwards, you need not use the flag.
In this document:
Package update workflow enhancements
ColdFusion Package Manager asks you to confirm when the core server is upgraded or downgraded. At present, when you update the core server, the server gets updated without any confirmation.
In ColdFusion (2023 release) Update 5, while installing packages, ColdFusion will install the version of the core, and install the package compatible with the core version instead of installing the latest package directly.
View the Install scenarios in the ColdFusion Package Manager documentation for more information.
| Library | Previous version | New version |
| Tomcat | 9.0.74 | 9.0.78 |
| jackson-databind/jackson-mapper |
2.8.8 | 2.15.0 |
| netty (web sockets) | 3.5.8 | 3.9.9 |
| netty (cloud services) | 4.1.45 | 4.1.89 |
| cxf-core/cxf-rt-frontend-jaxrs/cxf-rt-rs-client |
3.0.16 | 4.0.1 |
| imageio-metadata |
3.3.2 | 3.9.4 |
| java-xmlbuilder |
1.1 | 1.3 |
| commons-fileupload |
1.4 | 1.5 |
| log4j | 2.17.2 | 2.20.0 |
| pebble | 2.5.0 | 3.2.1 |
| esapi.jar |
2.2.1.1 | 2.5.1.0 |
| jquery-ui | 1.13.1 | 1.13.2 |
Server Lockdown Tool enhancement
After installing the Server Lockdown Tool, the cf_scripts folder has been renamed to follow the pattern, cf_scripts_<version>_<6 random alphanumeric characters>.
Download the Server Lockdown tool from ColdFusion downloads.
CAR migration of SOLR settings
We've added Solr Settings as an option in the Server Settings tab of ColdFusion Archives. View the documentation for ColdFusion Archives for more information.
Migration
During migration, by default, SOLR settings will not be migrated. You must specify if you want to migrate the settings.
If you want to use the same SOLR server, you must only migrate the SOLR settings, and need not migrate the ColdFusion collections. If you want to migrate both SOLR settings and ColdFusion collections, then settings, for example, buffer size, or languages, will be migrated to the SOLR server along with the collections.
Mandatory IP restrictions
When installing ColdFusion previously, you'd provide the IPs for IP restriction for a Production+Secure profile.
In this update, you can also provide the IPs for restriction for a Production profile.
Moreover, if you don't specify any IP, by default, ColdFusion adds 127.0.0.1 and ::1. View the bug CF-4219181 for more information.
| Bug ID | Description | Component |
| CF-4219159 |
In this update, we’ve upgraded jackson-databind 2.9.8 to 2.15.0. The new version does not support POJO deserialization of java.time.*. The objects return NULL objects, which leads to data loss from awsdynamodb and azureservicebus. AWS Service Bus example: |
Cloud Services: Azure Service Bus |
| CF-4218099 |
Even after you enable the option Preserve case for Struct keys for Serialization, ColdFusion ignores local scope in the CFCs. The following code produces {"AMOUNT":2000} as opposed to {"amount":2000}. local.body = {}; |
Language: Serialization |
| CF-4218035 |
A Null Pointer Exception error occurs when checking if a directory exists in an AWS S3 bucket. The following code results in an NPE. <cfset srcdir = "s3://xxxxxxxxxxxx:xxxxxxxxxxxxxxx@s3loc"> |
File Management: S3 |
| CF-4217651 |
In a JEE configuration, you are unable to import a probe. To fix this, in this update, we've updated the command to: import probe probe.json jee.port=8080 jee.context=cfusion |
Installation/Config: CFSetup |
| CF-4217635 |
Coldfusion fails to load the custom Barcode font. |
ColdFusion Package: Htmltopdf |
| CF-4216051 |
After applying Update 5 to ColdFusion (2021 release), when generating a PDF using the CFHTMLTOPDF tag, the extended ASCII characters are returned with the wrong encoding when the CFHTMLTOPDF tag is within a CFC function. The encoding is correct when the tag appears on a regular CFM page. |
Document Management: PDF Generation (CFHTML2PDF) |
| CF-4215887 |
When deploying an archive (.car) file to a ColdFusion installation on a particular drive, the archive loads the datasources as expected. Still, it throws a Solr error because the archive searches for the settings in the incorrect drive. |
Administrator: Archive |
| CF-4215789 |
A CFML request using ormsearch fails without output or throws a ClassNotFound exception. As a workaround:
|
ColdFusion Package: ORMSearch |
| CF-4218184 |
The update mysql package description to specify that mysql package does not help you to create a MYSQL community datasource. |
Database |
| CF-4218176 |
We've updated the error message to reflect that a ColdFusion installation no longer includes the standalone MySQL JDBC driver. |
Administrator |
| CF-4217838 |
A cfquery statement can clear a temp table, perform an operation on the temp table, then clear it again, and return values in the Macromedia driver. The same is not replicated in the MS JDBC driver. |
Database |
| CF-4215843 |
After upgrading to MySQL 8, if you execute the custom tag cfdbinfo that contains a table with an underscore in the table's name, the execution fails. For example, the script below fails. <cfdbinfo datasource="#Datasource#" name="DBName" type="columns" table="table_groupOne" /> <cfdump var="#DBName#"> |
Database |
| CF-4215129 |
Sometimes, a SOAP webservice with cfinvoke or cfscript does not work as expected. |
Web Services |
| CF-4211276 |
After a ColdFusion migration, a few date functions started behaving unexpectedly. For example, the following function throws an error after migration. DateFormat(queryname.datecolumnname) throws "Error The value class java.time.LocalDateTime cannot be converted to a date." |
Database |
| CF-4205971 |
Sometimes, Apache behaves unexpectedly when a request takes longer than usual. As a workaround, update heartbeat_interval=0 or replace mod_jk.so using the instructions in this document. | Installation/Config: Connector |
| CF-4218758 |
When you install ColdFusion (2023 release) silently on Windows with no MS VC++ pre-installed, you get the error message, VCRUNTIME140.dll was not found. |
Installation/Config |
| CF-4218706 |
The orm package stops working after an unknown amount of time. There is an error message that follows- org.hibernate.HibernateException not found by orm. |
ColdFusion Package |
| CF-4218421 |
When attempting to send email using SendGrid SMPTP server with TLS settings configured, ColdFusion throws an error message. |
|
| CF-4218140 |
On executing a query, ColdFusion sometimes throws the error, [Macromedia][SQLServer JDBC Driver]This driver is locked for use with embedded applications. |
Database |
| CF-4216526 |
An error occurs when you try to display the results of a stored procedure in PostgreSQL 13 using the cfprocresult tag. | Database |
| CF-4212837 |
Executing the Docker image (public.ecr.aws/adobe/coldfusion:latest) with the environment variable (installModules="ajax") does not install the Ajax module. |
CF Docker |
| CF-4212391 |
CFReport does not work as expected after an update and throws an error. | CFReport |
| CF-4215586 |
After you store an object that has a field in decimal in a Redis session, the object no longer exists on viewing the session scope. Only CFID, CFToken, sessionid, or urltoken exist in the session. |
RedisSessionStorage |
| CF-4212860 |
In the createDateTime function, ColdFusion does not validate the following string representations of the date February 29 during a leap year. An error message follows. "Sat Feb 29 17:00:00 AEDT 2020", "Mon Feb 29 17:00:00 AEDT 2016", or "Wed Feb 29 17:00:00 AEDT 2012" |
DateTime functions |
| CF-4212735 |
When you run wsconfig -ws apache -dir C:\Apache24\conf -bin C:\Apache24\bin\httpd.exe -v to create an Apache connector, the following error message appears: Could not determine Apache control script file. |
Connector |
| CF-4218132 |
The GraphQL package not installed error appears when using a datasource that is defined in Application.cfc. |
GraphQL |
Known issues in this update
- After applying the update, if the Package Manager page does not launch in the Administrator for JEE configurations on non-Windows platforms. As a workaround, ensure that grant execute permission to cfpm.sh before applying the update or manually update the administrator package after applying the update.
- On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
- If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
- http.proxyHost
- http.proxyPort
- http.proxyUser
- http.proxyPassword
- For ColdFusion running on JEE application servers, stop all application server instances before installing the update.
ColdFusion JDK flag requirements
COLDFUSION 2023 (version 2023.0.0.330468) and above
For Application Servers
On JEE installations, set the following JVM flag, "-Djdk.serialFilter=!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**", in the respective startup file depending on the type of Application Server being used.
For example:
- Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
- WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
- WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
ColdFusion Administrator
In Package Manager > Packages, click Check for Updates in Core Server.
After it detects an update, click Update. The core package gets updated the the latest update.
All installed packages also get updated.
Restart ColdFusion for the changes to take effect.
After installing Update 5, you must upgrade the connectors.
View the following for more information.
Install the update in offline mode manually
- Download the hotfix installer and repository from the link.
- Unzip to a place where all ColdFusion server instances can access it.
- Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerReposityUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.
If the core server hotfix installation is successful and if there are errors or issues with packages, packages can be installed/updated from the package manager client(cfusion\bin\cfpm.bat|cfpm.sh).
You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.
- Windows: <cf_root>\jre\bin\java.exe -jar <InstallerReposityUnzippedPath>\bundles\updateinstallers\hotfix-005-330608.jar
- Linux-based platforms: <cf_root>/jre/bin/java -jar <InstallerReposityUnzippedPath>/bundles/updateinstallers/hotfix-005-330608.jar
Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.
Install the update from a user account that has permissions to restart ColdFusion services and other configured webservers .
For further details on manually updating the application, see the help article.
After applying this update, the ColdFusion build number should be 2023,0,05,330608.
To uninstall the update, perform one of the following:
- In ColdFusion Administrator, click Uninstall in Server Update > Updates > Installed Updates.
- Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2023-00005-330608/uninstall /uninstaller.jar
If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:
- Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
- Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2023-00005-330608}/backup directory to {cf_install_home}/{instance_name}/