Updates for ColdFusion 11, ColdFusion 10 and ColdFusion 9 released

The following ColdFusion updates are now available for download:

ColdFusion 11 Update 2

This update contains fixes for vulnerabilites mentioned in the security bulletin APSB14-23.

For the details refer this technote.

ColdFusion 10 Update 14

This update includes Tomcat upgrade to 7.0.54, Tomcat connector upgrade to 1.2.40, support for JDK 8 and Apache 2.4.x, fixes for vulnerabilites mentioned in the security bulletin APSB14-23 and fixes for 63 other bugs.

For the details refer this technote.

ColdFusion 9.0.2, ColdFusion 9.0.1 and ColdFusion 9.0 security update

This update contains fixes for vulnerabilities mentioned in the security bulletin APSB14-23.

For the details refer this technote.


150 Responses

  1. Hi there,
    Big problems with the new JDBC driver for postgreSQL…
    I get connection timeouts to our 9.1 Server after updating to CF 10 Update 14.
    (Ubuntu Linux 12.04 64bit)…
    This also applies to my Win7 64 bit machine with PostgreSQL 9.1

    Apache 2.4 support is very welcome! 🙂

    Best regards

  2. I’ve updated one of my development systems to CF10 hotfix 14 specifically to test the fixes for a couple of the bugs we’ve encountered which are listed as fixed in this updater. One of these is #3739102, dealing with tread-safety of xmlParse(). Easy to reproduce using a test-case Adam Cameron posted on his blog with just 2 threads prior to HF14 and we occasionally see this in our apps where we use application-scope XML data to manage run-time application configuration. I am unable to reproduce after applying HF14 in my repeated testing last night and this morning with as many as 40 threads. Seems promising so far.

  3. Coldfusion 10 Update 14 pretty much trashed my server. This is a Win2012 64 bit server that is running coldfusion 10 64 bit.

    This server is locked down using the CF 10 Lockdown Guide.

    As best as I can tell the update wiped out some of the coldfusion root subdirectory windows permissions. If the permission had been applied at cf root level it remained in place. If it was a subdirectory like cfrootconfig then permissions were hosed.

    Note that I did re-run the wsconfig tool.

    It wasn’t just permission issues however because even after fixing the permissions I would only get a partial start up of coldfusion. The coldfusion Windows service appeared to be started but it really wasn’t. Trying to stop the service would result in a timeout error.

    I then tried using the command prompt and got an aborted start of about 6 info lines before being returned to the command prompt. I apologize for not copying the info lines.

    I then manually uninstalled update 14 and ran the wsconfig tool again and that fixed the coldfusion start up issues.

    The only lingering issue I still have that I know of is that while I can access the CF Administrator when I click on the Updates link I get a “500 Internal Error” message which I believe is another
    permission issue since I’m not getting any CF errors in the log files but I have no issue accessing any other areas of the administrator.

    Any suggestions on how to get this update to install?

  4. Update 14 made our application pool stop working, taking our site offline after a few minutes (IIS 8.5/Win 2012). Rolling it back to update 12 saved us. The IIS filter permissions for CFIDE etc are intact. We have some lockdown rules in place to stop public access to CFIDE, but not the full lock-down in place.

    Use hackmycf.com to check your server security pre/post update 14.

  5. @Joerg/Ron/Mark, Can you all please reach out to cfinstaladobecom

    @Justin, Can you reach out to the email alias mentioned above, with the bug#?

    @Adam, Its Paul, who reported it on SO. I have pinged him there to reach us.

    In case, you having issues with cfinstal, please reach out to me at ankumarpadobecom

  6. @Adam, no that wasn’t me, but it all sounds so familiar 🙁
    We have had so many issues with CF10 on IIS8 that I wish we stayed on CF7/IIS6 – we had no issues with that for the 6 years we ran it. Mad that such a new product has so many issues. CF should run secure CFIDE secure out of the box imho.

  7. Had issues today with the CF11 updater (Win 2008R2), but it has to do with the fact that a service account manages CF. The account does not have access to the OS drive (C:). For whatever reason, the updater wants to copy files to C temporarily and then move them. I really wish it would create a temp directory inside the CF folder outside of cfusion. I forgot about this and completely screwed everything up. Total reinstall of the dev server, but an hour later, up and running. On Win 8.1 and Mac (OSX Yosemite) home systems, no issues. Just sharing.

  8. Just a heads-up to folks (it’s in the technote but easy to miss): if you install CF10 Update 14, you will need to rebuild your web server connector. The updated connector file (such as C:ColdFusion10configwsconfig1isapi_redirect.dll, or the equivalent mod_jk.so for Apache) would be dated Oct 9 2014 if it’s been updated. If it’s earlier, you’ve not rebuilt it and need to.

    If you install CF11 Update 2, a rebuild of the connector is only needed if you did not apply update 1 or did not rebuild it after update 1.

    I talk more about this need (which was true for a few past updates of CF10) in a blog entry from last year, but still relevant for those on 11:


    I also had done a blog entry on this update, with some more detail than above (and guiding folks to the right resources for more) at:


    Hope that’s helpful.

  9. @Milan, we had the VC++ redistributable package for Visual Studio update 4 installed already, and the app pool stopped.

    The event viewer said:

    Faulting application name: w3wp.exe, version: 8.5.9600.16384, time stamp: 0x5215df96 Faulting module name: isapi_redirect.dll, version:, time stamp: 0x5436474a Exception code: 0xc0000005 Fault offset: 0x000000000001a915 Faulting process id: 0x864c Faulting application start time: 0x01cfe7f2f60d7e49 Faulting application path: c:windowssystem32inetsrvw3wp.exe
    Faulting module path: C:ColdFusion10configwsconfig1isapi_redirect.dll
    Report Id: 84b94d13-53e6-11e4-80c2-009c029db105
    Faulting package full name:
    Faulting package-relative application ID:


    A process serving application pool ‘oursite.com’ suffered a fatal communication error with the Windows Process Activation Service. The process id was ‘37968’. The data field contains the error number.

  10. @Milan, we installed Dependency Walker and it shows some errors for isapi_redirect.dll:

    Error opening file. The system cannot find the file specified (2)

    Warning: At least one delay-load dependency module was not found.


    Same errors on both isapi DLLs (we have 2).

  11. Jörg,

    We are able to reproduce the connection issue you reported, with PostgreSQL9.1 on Win 7 x64. But this issue appears to be restricted to JDK 1.6. The issue is not observed with JDK 1.7.

    Can you please try switching to JDK 1.7 and see if that alleviates the issue. You can refer this technote for changing the ColdFusion JVM: http://helpx.adobe.com/coldfusion/kb/change-coldfusion-jvm.html

    Support for JDK1.7 was introduced with Update 8.
    Incidentally, the current installer for ColdFusion 10, packages
    Java 7 Update 15.
    Ref. http://helpx.adobe.com/coldfusion/kb/coldfusion-10-update-8.html

    CF Engineering Team.

  12. Hi Piyush,
    changing the JVM solved the Problem on my Windows Dev-Machine.
    I was running on the bundled JVM until now…

    So I’ll take on changing it on the production linux-servers, too. Wanted to do that for a long time already 😉

    Best regards and thanks for the advice

  13. Hi,

    Yes, that dependency walker report was for update 12 and 14 has been rolled back now, so I’m not sure if the DLL can be scanned now? This is a production server with no dev server available unfortunately. The event log excerpt is complete – there was no error number – the values were totally empty. We had VC++ installed too. OS is server 2012, IIS 8.5, no clusters, two sites, one for CFadmin, one for main site (set up by Anit originally I recall). App pool crashes about 30 seconds after a restart. The server works for a little while and serves pages, then dies. We have all .NET app pools stopped as we don’t use ASP etc.


  14. @Nando: I won’t disagree that the update process and the QA thereof needs to improve. I’m curious, though, given this context where a user has indicated that they have “… no dev server available unfortunately” how would you propose that the CF team could/should assist this user?

    I would not characterize a situation where a dev team has no dev server available to test updates (not just CF updates, but OS updates and app updates as well) before making those same changes in a production environment as “unfortunate”. The risk associated with that mode of operation is way beyond what I would be comfortable with, for myself or my employer or my clients. With the problems associated with recent CF updates, I’m having a hard time imagining a scenario where I would be willing to apply one of these updates on a production server without both (a) significant testing in a non-production environment and (b) a good recovery plan.

  15. @Ron & @Nando,

    While having a development/testing server is considered “best practice”, it’s not always possible to get funding for duplicate hardware to set one up. At least the EULA for CF10 and CF11 allows you to use your production license for a development or testing server at no additional cost.

    If you can run the ColdFusion server on a virtualized system (such as on top of VMware vSphere or Microsoft Hyper-V), then at least you can take a snapshot of the VM image before applying updates. Then, if anything goes wrong, you can simply revert to the snapshot version. That reduces much of the risk of applying updates to a production server.

    Even better, if you are already virtualized, consider using Veeam Backup and Recover to take backups of your VMs. Veeam has a feature where you can spin up a duplicate of a VM inside of a walled-off sandbox right from the backup image. Then you can apply the update to the duplicate VM and test its effects on your environment. If everything works properly, you simply throw away the duplicate VM and then apply the update in production.

  16. @Adobe,

    Seriously? You now know what is likely causing the issue and you can’t find a single machine in-house where you can try to recreate the end user’s experience?

    We are tired of being your testers. This is unacceptable for a product with this high of a price tag from a company the size of Adobe.

    Yeah, yeah, I know – you’re working on it, there we unforeseen issues, you couldn’t test every possible configuration, software is difficult….we’ve heard those excuses for the last few years while you continue to bungle ColdFusion updates. Nothing has improved. Literally nothing. It is no easier to manage or install CF now than it was 5 years ago. The whole process, in fact, seems more and more error-prone with each release. You guys have made a lot of excuses without telling anyone what you are doing to actually address the core issue – and that issue is that the CF team’s QA and testing processes are deeply, deeply flawed.

  17. I feel like we are between a rock and a hard place here. We are told we have a unique problem and that we need to break the server to find the problem. Even if we had a dev server, we would have to replicate it 100% so that the problem would affect the production server in the same way, so a mirror image is the only way. We would love a dev server but it’s just not in our budget – we can’t always have what we want, Ron.

    Perhaps Adobe could upgrade us free of charge from CF10 to CF11 and then see if the CF11 update works? Is that worth a try?

    Sorry, but I have found CF to be a highly flakey product and it’s only my work colleagues that keep me wanting to use it. When we applied a “fix” to stop 404 errors recently, it took away all security on /CFIDE with no warnings. It’s a total sh*t to get working properly 🙁

  18. @Ron: I tend to be quite generous giving others the benefit of the doubt. However, today I noticed that while I apply updates to various pieces of software all the time, it is only with ColdFusion that the update process feels to me, and indeed is generally regarded, to be somewhat risky and error prone. I don’t approach updating my Mac, or applying updates to CentOS, or any other piece of software for that matter, with this much caution.

    ColdFusion has been in existence since 1995, nearly 20 years. The team behind it should have the update process perfected by now so that it works as simply and as flawlessly as it does on CentOS.

  19. @Nando: that comment is food for thought for everyone, I think.

    Blimey. 20yrs. And we’re still having this sort of discussion.

    Even if we’re charitable and only clock CF since it moved to Java… 12yrs. Or to Adobe? Seven years. Since they had the automatic updater, even? Two years and 14 updates on CF10, and two on CF11.

    That’s a helluva lot of opportunity to not – seemingly perpetually – screw things up. They don’t screw it up *completely*; but they always screw it up a bit, and waste their clients’ time.

    But this is why I always advise *no-one* early-adopt ColdFusion updates. Because we should not be willingly making ourselves their guinea pigs / beta testers (sometimes alpha testers).

    I just get the feeling that the CF team only put the barest minimum amount of care into getting a release out the door. A lot of work, a lot of effort, but a pisstakingly low amount of care. It seems to be more like “we can get away with this” (and they misjudge that even), rather than “this is good”. This smacks of the levels set by management, rather than the workers though.


  20. Adam,

    I feel the same way about applying updates. When ColdFusion 10 came out I waited for 8 updates before I installed it on my server and there was still a large amount of problems with it. I will not be upgrading to ColdFusion 11 until I feel like most of the bugs are worked out. It’s a shame too. I love ColdFusion. I have my entire business built around it. I agree that more care needs to go into each update.

  21. @Adam: I get the feeling the CF Team are not client-centric. They don’t seem to understand what our goals are, or what our client’s goals are. My clients don’t even know what a function is, much less a member function. What they care about, and hence what I care about, is reliability – rock solid reliability. What I build for them has to work flawlessly, every time, without exception, or they lose money, customers, time, and become quickly frustrated and feel everything is spinning out of their control. They don’t give a damn about member functions.

  22. Have verified date on isapi_redirect.dll is 10/9/2014. VC redistributable 2012 installer prompts to repair when rerun but still getting HTTP 500 Internal Server Error.


  23. We were able to get Adminstrator loaded again by disabling/turning off (set to false) the “Enable 32-bit applications” property in the Advanced Application Pool settings ColdFusion and our applications run in.

  24. @Adam – Hesitant because you’d be applying it directly to a production server? Or hesitant because the process is manual and hence somewhat error prone? Or simply hesitant because …

  25. @Nando:
    No, I would ever apply any sort of update, untested, to a production server. That’s just lunacy.

    I’m just trying to save myself some effort. I always kinda expect these ColdFusion fixes to f*** things up, so I’d like to see if anyone’s had success with it before even bothering to try it in our test environment.

    I have close to zero faith in the ColdFusion Team’s ability to do something properly & thoroughly, the first time around. We are their beta testers, after all.

  26. @Anit

    What do you mean “that too under lockdown environment” as if that was some sort of outlying anomaly? Production servers must be locked down – you guys are recommending that as the first point in your update tech note.

    Issues have been reported regarding the CF11 update on this blog. See comment 17 by Chris: https://coldfusion.adobe.com/post.cfm/resolving-500-internal-server-error-with-coldfusion-10-update-14#comment-05E46F7B-F393-4C10-4FC55DCB594BA775

  27. @Nando, you missed the point. ColdFusion 10 update 14 has no issues other than, if you have applied the Lockdown guide, then recreating connector will land into Error 500. The blog post https://coldfusion.adobe.com/post.cfm/resolving-500-internal-server-error-with-coldfusion-10-update-14 is for the same. The reason of Error 500 is mentioned over their as VC++ runtime 2012 update 4. This issue has a workaround and that is to manually apply the hotfix and recreate the connector. And yes, we are still recommending to apply the Lockdown guide on ColdFusion servers.

    Apart from the above mentioned issue, there are no other issues with the latest release of CF9, CF10 or CF11

  28. Anit, does installing the hotfix manually solve the connection pool stopping? Where is the documentation that shows how to add the hotfix manually? Also, how does one roll back a manually installed hotfix?

  29. @Mark, so far nobody else has reported any issue with connection pool stopping. As you are facing the issue and to investigate further, we would need relevant logs (mentioned by Milan above).

    To install hotfix manually, please refer to https://coldfusion.adobe.com/post.cfm/how-to-download-and-install-coldfusion-10-hotfix-directly.

    To roll back, please refer to https://coldfusion.adobe.com/post.cfm/coldfusion-hotfix-installation-guide (Section: How can uninstallation be done from command prompt?)

  30. Anit, a plethora of logs have just been sent to you by my webmaster. Update 14 was tried again, it stopped the application pool once this time, with error 503. After restarting the pool the pool stayed online but pages were never served – they just loaded forever and never appeared. The CF Admin was also really slow.


  31. Question regarding Apache 2.4 support in ColdFusion 10 Update 14. The blog post says Apache 2.4.x but the technote associated says up to 2.4.9 and the latest is 2.4.10 (released 2014-07-21).

    Does ColdFusion 10 Update 14 support Apache 2.4.10? If it does, please update the technote to indicate that. If it does not, when will support for Apache 2.4.10 be released?

  32. I was looking forward to this update (CF10/update14) because it had fixed some IMAP related bugs. Unfortunately, it’s causing another (related?) issue. I have a lock around the IMAP code and the lock is not being released it seems.

    So I’m forced to roll back.

    I had previously tried going to CF11 when it first released. I had problems so rolled back to CF10.

    Definitely not impressed with the quality of the updates and very nervous when applying them.


  33. I am having problems with the Application Pool in IIS 7.5 stopping. It says the error is Faulting module name: isapi_redirect.dll, version:, time stamp: 0x5436474a

    I don’t know how to solve this

  34. @VolumeTwo, we have the same issue, the application pool stops. Please can you share your ISAPI logs with Anit please, so that we can get to the bottom of this issue?

    Anit, it seems we do not have a unique problem after all.

  35. Reverting back to Update 13 did not fix it. Application Pool keeps stopping. Now I’ve had to completely start afresh with a new server image. The amount of time and effort this has taken is outrageous. Very poor show from the ColdFusion guys.

    I’ve lost my ISAPI logs. If it the error happens again I’ll send them across.

  36. @Mark, the last comment from VolumeTwo confirms that not everyone is facing the issue. The concerned engineer is looking into the logs sent by you.

    @VolumeTwo, you need not to start with a new Server image. We may help you here. Please reach out to us cfinstaladobecom

  37. Anit, we needed a server image restored when our CF Admin broke a month ago. I understand that you worked on the server with my webmaster looking at that issue and could not get it working again. Restoring the image was the only way to solve this for us in that particular instance, and I recall you also suggested doing it. Perhaps that CF Admin problem was related to our update 14 issue?

  38. Ok, during install the process failed. I’m not sure where I am, but I made the mistake of “cleaning out” the hotfix files. Now I’m trying to figure out where to download them manually, but cannot find the link for CF11 hF2.

  39. I reinstalled my entire server (IIS, ColdFusion 10, SQL Server etc) and only updated to Update 13.

    Everything so far is working fine. Application Pools are not stopping. I’m avoiding Update 14 its not fit for purpose.

  40. @Jimmi, some may think you’re joking, but I suspect you’re not. Others may want to quote John McEnroe (the fiery 80’s tennis player), and ask “you can NOT be serious?!”, but I suspect you are.

    The formal answer to your question is that since CF 4.5 was released in 1999, it was never designed to run on any versions of Windows made after that.

    FWIW, the system requirements for the 4.5.1 release (http://helpx.adobe.com/coldfusion/release-note/release-notes-coldfusion-server-4.html) do say it supports “Windows NT 4.0 SP 4 or later”.

    Of course I think we can reasonably assume that the “or later” phrase was meant to refer to “or later versions of Windows NT”, not “or later versions of Windows”. ;-}

    To be clear, Adobe does update its docs for later releases to indicate what OS versions they run on, and it was not until that CF9 that Windows 7 was listed as an officially supported OS (http://www.adobe.com/store/en_xau/popup/software/coldfusion9/systemreqs.html). CF8 supported only up to Vista (http://www.adobe.com/store/en_us/popup/software/coldfusion8/systemreqs.html).

    So the answer to your question is likely that no one can really confirm whether CF 4.5 will work on Windows 7 without trying it. It might work, since the guts of Windows 7 and Vista and 2000 had much in common with the core of NT. But many aspects are so radically different that it may not work, or may not work well.

    To be clear, in summary, there was never formal support for that combination, and indeed support for CF 4.5 itself was dropped over a decade ago.

    So you’re really floating on your own ship there…kind of a tramp steamer at that. It may technically float on the ocean, but I doubt most would put faith in it for a trans-atlantic crossing. HTH

  41. Adobe – please can off-topic comments (and answers) please be removed from this thread? Installing CF 4.5 has nothing, whatsoever, do with this blog post, and it would have been wise if Charlie had said that too. Some people are urgently waiting for responses related to the actual blog post which is “Updates for ColdFusion 11, ColdFusion 10 and ColdFusion 9 released”.

  42. Mark, it’s a blog article, not a patch update channel. You’re using an apple when you should be using an orange.

    When there are updates, Adobe will notify via the usual mechanisms. Which quite likely *won’t* be this blog article’s comments section (well I hope it’s bloody not!).


  43. Coldfusion 10 Update 14 running on Windows 2008 R2 seems to break schedule tasks. We notice on our testing server that schedule tasks were firing and successful before hand, do not complete after update. However, logs are showing tasks were firing and marked successful.

    One tasks sends an email and another writes some files.
    Triggering via ColdFusion admin does the same thing. However, If manually fired via url it works.

    Rolling back to 13

  44. @Adam, the blog post is entitled “Updates for ColdFusion 11, ColdFusion 10 and ColdFusion 9 released”. Posting a question about ColdFusion 4.5 is like using an apple instead of an orange, so you’ve answered your own question!

    Please do tell us what relevance ColdFusion 4.5 has to this blog post? I’d be interested to hear your reply on that specific point, Adam.

  45. I was addressing your expectation “Some people are urgently waiting for responses related to the actual blog post which is “Updates for ColdFusion 11, ColdFusion 10 and ColdFusion 9 released”., observing you are using a less than ideal mechanism to do so, and your expectations are – accordingly – a bit off in that regard.

    That other people ALSO can’t work out what’s appropriate usage of blog comments is neither here nor there.

    I drew attention to your situation specifically because I have (well: had ~) small sympathy for your situation, whereas Jimmi’s just a muppet.


  46. @Adam … What’s the ideal mechanism through which we should find out about updates, or corrections to updates, from the Adobe CF dev team? I’m not very clear on this. Historically, I’ve found out via Ben Forta’s blog, Raymond Camden’s blog, Charlie Arehart’s blog, or some random mention of it somewhere. These posts would mention that a technote had been published outlining the update and link to it. I’ve always felt that the notification process was indirect and random.

    In contrast, I’m subscribed to the CentOS announcement list. The moment a CentOS update is released, I get an email. I just got one a few hours ago. Anyone experiencing problems with an update can send an email to the list (although I’ve never seen one so far).

    I think an email list devoted to AFC updates and hotfixes would be a very helpful mechanism as a central conduit for messages from Adobe and feedback from us regarding our experiences. Not everyone experiencing problems with CF updates now and in the future will post a comment on this blog entry. I saw one yesterday on the CF-Talk list.

    I think this could also work to the CF dev team’s advantage, because if the reports of problems with updates were centralized, we all could judge for ourselves if the claim that they are isolated is true or not.

  47. Adam, well thanks for answering a question that I didn’t actually put to you lol. Your expectations are not my expectations. I have communicated with different people at Adobe using totally different channels – some via the blog, some via the forums, some via email, and some via support tickets.

    Adobe should improve moderation of these blogs and remove posts that are _really_ off-topic, otherwise the main thrust of the thread is lost. Moderation is the issue here – comments seem to go straight to the blog, which is perhaps not wise.

  48. Wow, ok. Perhaps I should have responded to Jimmi that his question was off-topic and should have been sent to the CF forums instead. Sorry, it was early in the morning, and I had a few minutes so just decided to answer his questions.

    I was of course focused on helping him (and saving anyone else from have to answer him), and I just never dreamed that that one comment (triggering an email to those subscribed) would be seen as an annoying contribution to more off-topic discussion here.

    Fair enough, Mark. I will try to remember that any next time. (I suspect someone may be thinking that raising the issue caused still more off-topic discussion, but I appreciate that you were doing it to prevent still more, so I understand your motivation.)

    Sometimes I will also create a blog post and point to that instead, as I know some people don’t like reading long comments (or emails).

    Speaking of that, I’ll address your question about getting notified of updates in a separate comment. As always, just trying to help.

  49. So Mark asked, “What’s the ideal mechanism through which we should find out about updates, or corrections to updates, from the Adobe CF dev team? I’m not very clear on this.”

    Mark, are you talking about CF10/11 updates? That’s provided for in the CF Admin, in the Server Updates feature. Perhaps you knew that. Anyway, it can be configured to check automatically on opening the CF admin (asked during install, and changeable in the Update settings page)

    It can also be configured (in that same settings page) to email you when an update arrives.

    Of course, some people have their servers set to not make outbound calls, so they can’t rely on that. For them, they have a couple of choices.

    First, the Admin settings page shows the URL that the Admin would check to watch for updates, and it’s just an RSS feed you can watch that yourself: http://www.adobe.com/go/coldfusion-updates (I can’t use the http protocol or the comment system regards this as spam).

    Second, you could watch the blog here, as the CF team does post a new entry when they add a new update (and sometimes they update an existing entry when they modify or recall an update). And FWIW there is an RSS feed for the blog: blogs.coldfusion.com/feeds/rss.cfm

    Hope that helps, Mark. If you may mean for CF9 (or if anyone else may be interested), of course it doesn’t offer the automated hotfix feature, and there used to be a page that did list them, among other things (www.adobe.com/support/coldfusion/downloads_updates.html), but it no longer does. There is a page that lists CF9 cumulative hotfixes: helpx.adobe.com/coldfusion/kb/hot-fixes-coldfusion-9.html.

    Security updates in CF9 are handled separately, typically, and there’s a page that lists them along with all Adobe products:


    And even one it points to that lists just CF securituy hotfixes:


    That first page above also offers links at the top and right for a notification service where you can be notified by email (of security hotfixes).

    Finally, FWIW, the challenge of CF9 updates was also addressed by a couple of tools that may interest some readers:




    Hope that’s helpful.

  50. “So Mark asked, “What’s the ideal mechanism through which we should find out about updates, or corrections to updates, from the Adobe CF dev team? I’m not very clear on this.””

    @Charlie, with respect I did not ask that question, @Nando did.

  51. Mark I didn’t agree with you because I didn’t think you were right. Sorry: I thought I was clear on that, but on reflection perhaps I wasn’t obvious enough about it.

    But never mind.

    Anyway, this has run its course, yes? You understand now this is not the place to wait expecting for news of software updates? And on that basis the on/off topic nature of the comments aren’t really so relevant? Good.

    As you were then.

    NB: as schadenfreudesquely fun as this exchange was, I’ve got “Blogging for Dummies” to read, so I’ll leave you to it.



  52. @Adam, I have no problem with you not agreeing with me, even if what I said was basic common sense lol.

    I have had many responses from Adobe staff via the blog, and continue to do so. You use the blog in your own way; I use it in my own way. It’s not a “your way, or the superhighway” blog. I was actually the first person to try update 14, before anyone else, so I personally have no issues with getting updates.

    On reflection, I think the conversation was fun, and in the process you made yourself look a twat as well, so most gratifying overall. Cheers, and enjoy the book. NB: start at page 181 (blog moderation).

  53. Adobe have just told us that the update 14 connector has a bug, and update 15 will roll out with a fix. We have been given a ISAPI update 14 connector with the fix, and this works fine on our server. Previously the connector would cause an application pool crash.

  54. Mark,

    Is Adobe making the ISAPI connector available to anyone who wants to try it?

    Did they tell you when update 15 is scheduled to be released?

    I think I’m going to be rolling back to update 13 very soon because I have been seeing some problems with update 14 as well.

  55. Hold on a second, update 14 has a bug in the ISAPI connector? That means that I am using a buggy ISAPI connector as I updated to 14 as well. It seems ok, but I have seen no formal announcement from Adobe on this matter.

    Why are Adobe so vague on these isues? What was fixed and what do we need to be aware of that in terms of the bug has in term of knock-on effects?

    Adobe, your customer communication procedures on such matters are seriously flawed. There should be information on all bugs and fixed connectors.

  56. I’m having the exact same issue as Mark. App pools stopping on a Windows 2008 SP2, IIS 7.5, CF Ent 10 update 14. I can’t find a bug for this in the Adobe Bug Base.

    We need a fix for this. Sites stopping during holiday sales is bad m’kay.

  57. @Phil, have you confirmed that you’ve done some of the things mentioned above?

    First, have you reconfigured/rebuilt your web server connector after applying update 14? That’s required, as discussed above. And did you do it for all the connectors you may have? I discuss the details (though for previous updates, it still applies) here: http://www.carehart.org/blog/client/index.cfm/2013/9/13/why_you_must_update_cf10_webserver_connector , including how to do it, and how to make sure you really have updated things.

    Second, did you confirm that you had the updated Visual C++ runtime library, as discussed above and in another blog entry by the CF team here: https://coldfusion.adobe.com/post.cfm/resolving-500-internal-server-error-with-coldfusion-10-update-14

    Finally, if none of those work for you, have you tried just uninstalling the update? That is possible, if the way things were before the update would get you through your upcoming busy season.

    As always, just trying to help. There’s a LOT of info above in the 100+ comments. I might even have missed another thing to consider. ;-}

  58. @charlie, because of these types of issues we have an SOP for updating ColdFusion. We updated Visual C++ runtime library, ran the update, & rebuilt the connectors.

    The one thing we didn’t do but should have is check EVERY setting in CF Admin post update. We have had a few things revert back to original settings like the CFIDE mapping and location of log files. We are going over all the settings today to see what else was altered.

    If we can’t get a fix in place in the next day or so we will have to roll back. We are in code freeze so even the smallest change requires every IT VP and Director to approve. Telling them we have to roll back an update on over 5 servers will be one more straw on a very tired camels back.

  59. @Phil, good to hear of your SOP. Sorry to hear of your challenges with all this.

    As for the update causing you to lose Admin settings, I don’t recall ever hearing of that before, so that would be very odd. (Then again, it IS possible that a rebuild of the connector would affect your CFIDE virtual directory settings in IIS, setting them to the CF10 wwwroot. But the CF admin settings themselves are of course NOT stored there but in the neo*.xml files within the CF instance. And again I’m not aware of the update touching those, but perhaps someone else may share otherwise.)

    One last thing (again, simply trying to help), it is POSSIBLE the SOP could have a mistake regarding the connectors (I see it every week). Can you confirm that you use “run as administrator” on the wsconfig (it’s not enough to “be an administrator”) and that the date of the isapi_redirect.dll updated to 2014, and that that’s so in ALL your wsconfig folders?


  60. @charlie, I confirmed the update procedures and states Right click on the file wsconfig.exe and choose “Run as Administrator”. I also confirmed all the isapi_redirect.dll files date to be the 2014 date.

    I double check all the settings in CF Admin and everything else is fine. I looked over all the xml, config, & properties files and the isapi_redirect.properties may have had its log_level changed. Then again it was supposed to be backed up before the update.

    I’ll be talking to CF Support today so I hope we will be able to get this worked out pretty quick.

  61. @Phil, fair enough. And you know there WAS in fact one more thing I should have mentioned (as something for you to consider). One of the comments above (99) suggests there is a known bug in the connector and Adobe may offer it if you ask for it. As discussed in some previous comments, the address is cfinstal@adobe.com. Just reference the update and this blog entry (maybe that comment 99) and hopefully they’ll provide it. It’s not 100% clear if it will address your specific issue, but it may so seems worth trying. HTH.

  62. @Phil, update 14 has a confirmed bug and Adobe have issued a patch, but it is not a fix that is mentioned in any official source. No idea why. If you ask Adobe, they will send it to you. We are just hoping Update 15, which Adobe say will include this fix, will not break again.

  63. @John Sieber, running the connector does not install the new isapi_redirect.dll. The new DLL comes from an update, such as update 14, or via Adobe directly for the most recent post update 14 fix (which is for the problem of the application pool crashing on IIS servers). The most recent isapi_redirect.dll is dated 12/11/2014 (dd/mm/yyyy). Email cfinstal@adobe.com for this version; rename the old DLL file to keep a backup and then replace the file and rebuild the connectors again.

  64. Just to update – I reimaged my server and went up to Update 13. Everything is working fine. Application Pools don’t stop anymore so I’ll wait until Update 15 comes out and skip Update 14.

    @Mark, did the update patch Adobe sent you fix the issue?

  65. @VolumeTwo, yes the patch solved the problem but we were not told how it fixed it and since the connector is not open source we cannot check. Are you on a Mac platform, since update 13 is for Mavericks only I recall. Not sure what update 13 does for a Windows server, anyone know? Adobe told us to ignore it…

  66. @mark, yes, update 13 only had changes of interest to OSX. That said, Windows folks COULD apply it. They just didn’t HAVE to (though the wording of the update in the “server updates” interface made it seem it should ONLY be applied by those on OSX).

    FWIW, I addressed this (to try to give some clarify) in a blog entry I did back at the time:


    Hope that helps.

  67. So I upgraded to ColdFusion 11 update 2 and I’m seeing the same kind of problem as in ColdFusion 10 update 14. Basically what happens is that the heap gets really high (within 24 hours) and stays there even under low load (5-10 requests per second). The only way to fix it is to restart ColdFusion which corrects the issue for a short period of time. ColdFusion won’t even restart correctly it’s so crashed. It takes like 4-5 minutes.

    Anyone else seeing this issue or is it just me?

    I’ve tried changing the JDK from 1.8 to 1.7 and back again. There is no change at all.

    Did anything change with the connector for ColdFusion 11 updates 2 or 2?

  68. I just installed CF11 and applied the latest update (update 2 I think).

    My application pool keeps stopping again. I get a “HTTP Error 503. The service is unavailable.” error from IIS.

    Please can you give me a link to download the hotfix to solve this issue. Its extremely urgent.

  69. @Anit – There was another poster named Mark above where he said:

    Adobe have just told us that the update 14 connector has a bug, and update 15 will roll out with a fix. We have been given a ISAPI update 14 connector with the fix, and this works fine on our server. Previously the connector would cause an application pool crash.

    This is the connector bug I am referring to. So my question would be is there a connector fix for ColdFusion 11 update 2?

  70. @Carl: I have escalated this issue to Anit. I hope they are moving fast. My documented workaround may not the best, but it works for now. We believe the developers of ehcache changed something in the API Adobe has missed.

  71. And to increase the list of embarrassment and failed QA at Adobe. CFCONTENT is also broken if you have URL parameters on the url. How has this piece of crab passed QA???

  72. @Alex, about your comments at 133 and 134, I’ll share that I have tried your test on both CF11 update 3 and CF10 update 14, with their updated connectors, and I do not get the problem you report.

    As I don’t see a way to comment on your blog, I couldn’t say this there, but I have some thoughts to try to help get to the bottom of things for you.

    First, I wonder if there may be something on your end contributing to the challenge for you. Your blog entry suggests you do clearly know about updating the connector, so I’ll assume that your IIS site configuration is correct so that you are using the one you say you are.

    But I just don’t get the error, and I’ll say that I help many people find out that their connector configuration is not what they assume (whether in the wsconfig files, or in the configuration of IIS to point to those). You may want to double-check things.

    Second, I wonder also if it could be perhaps something in your code. I know your blog entry proposes that one should just have a simple one-line index.cfm as a test. I did that.

    But I also put it in its own folder with its own application.cfm so that nothing else impacted it. How about on your end? Let us know if that still doesn’t solve things.

    Finally, I was also working without any tweaks to the wsconfig files (like workers.properties, etc.). How about you?

    FWIW, I’ll note that while one may wonder if perhaps the secure profile feature could have an impact (it often does), in my case I DO have it enabled in CF11. How about you?

    As always, I’m just trying to help you (and Adobe and readers) get to the bottom of things.

    If one of those may help you get things going, please do let us know. It would be nice to see Adobe absolved if this is not in fact another “failed QA” of “this piece of crap”. (That’s not picking a fight. I realize you’re frustrated. It’s just that most times I see people point in the blog here to bugs, or examples of the CF team having dropped the ball, it turns out there’s often some other explanation.)

  73. I share a full repro case application in 10h i’ve send to adobe.

    Theoretically it’s possible that helicon ape may be a requirement, but i read several forum threads that others have the same issue and they are not using ape. Many have first written it is rewriting related but later they learned it is not. Who is not using rewriting? I don’t know.

  74. @Alex, were your responses (136 and 137) to me? I assume so but can’t tell for sure. If so…

    First, can you tell me what you mean in the first one by your having sent a repro case “in 10h”?

    Second, you say that “ape may be a requirement”, but do you mean using url rewriting may be contributing to your problem? I notice in your forum discussion that you DO mention using url rewriting, and to be clear I was not.

    Here’s something perhaps simple to try: are you able to do a test without rewriting?

    And what about the other questions/propositions I’d raised? You didn’t reply to any of them. I offered them to try to help.

    I suppose you could be of the opinion that “I have a bug, I’ve created a repro case. Other people confirm it. I’m not going to try anything else”, but I hope you’ll see that they are rather easy things to try. And what if Adobe can’t recreate your problem?

    More than that, given that I couldn’t recreate the problem per what you have shared here, then perhaps you have left something out (about your problem) or are having an environmental problem you’ve not yet spotted.

    And this can be so for others. Just because a dozen other people report having “the same problem” doesn’t prove (to me) that there’s a bug. Maybe they are not all really having the exact same situation, or again they may not be reporting all they can about their situation.

    To be clear, I did what you referred to in your blog entry, and it worked, in 11 update 3 and 10 update 13 with their updated connectors. Wasn’t that interesting? You have not replied to that.

    And if everyone were to do that exact same thing and different people have it working while others don’t, then it seems less likely a “bug” and more some environmental difference. Perhaps if that difference was better understood, it may help get to the bottom of whatever is amiss.

    One last thing: in that thread there were many making an issue about whether the URL did or did not have index.cfm. I’ll just note that that can have its own explanation (like the lack of a handler mapping for a cfmhandler). I’d wonder (for all those with that issue) whether they get a failure even if they DO NOT do a cfcontent. They may see some error message that could perhaps explain things more.

    Even so, in your blog entry you point to, you don’t show that to be a significant point, but now that you have, I’ll add that I can also get it to work fine whether I have index.cfm before the query string or not.

    Finally, I realize some people may feel that all this is “off topic” for this blog entry, and should be discussed in the forums. You have now shared a discussion forum where perhaps more discussion could take place. I have only replied here because you have asserted (here) that you feel this is a bug in the updates. Since I couldn’t recreate it, I thought you (and Adobe and some readers) would want to know that.

    I’ll admit I’ve gone further and tried to share some thoughts that might help you or other readers better diagnose things. That’s just how I roll. 🙂

    And happy thanksgiving to all those celebrating that holiday today.

  75. @charlie: Happy holidays. I attached the repro for the connector bug to my blog. I’m not frustrated. I’m totally pissed and and try to help others with the same problem and there are many others. I got confirmation from Anit that the IIS connector bug may already been fixed internally. I received no hotfix for the connector yet.

    @Carl: I received the ehcache hotfix (hf1000-3858286.jar) that will be included in Updater 16 first. The hotfix seems working well. Ask for Md. Kaif Akbar Quraishi at Adobe and reference TS Case – 186142786.

  76. Update 14 has been nothing short of a disaster. I know people who have been offered all sorts of different patches for update 14, none of which are official. It’s a total mess and Ad0be evade answering questions and even censor out posts that criticise them. Update 16 is now being talked about! What happened to 15? What a mess – we have had major problems with update 14. It’s not fit for purpose.

  77. @Simon: can you share your list of patches you are aware of, please?

    Updater 15 is in freeze state or something like this. I guess it comes out very soon. Updater 16 may be far away… I fon’t know.

  78. @Alex, if it may interest you, I have just tested your repro code. (If it was there before, I must have missed it. Thanks for sharing it.)

    Anyway, I still do NOT get the error you refer to in either CF10 U14 or CF11 U3, each with their latest publicly available connectors. I gather that would surprise you, if you thought it was a bug that anyone would experience.

    I’ll say once again: it would surely seem that there’s something environmentally specific about why it’s failing for you.

    I hope you’ll please consider any of the many observations and suggestions I shared in my previous comments to you, if you’re really interested in getting resolution. I realize you may just prefer to wait for Adobe to “fix the bug”, but they may find things just work, as I have.

    If you could help them spot somehow more specifically why it’s failing for you (when it does or does not work on your end, based on such things as I shared), that could go a LOT further to them being able to fix why it’s not working for you. It may also help you spot that what’s amiss is actually something on your end, which I’ve helped people determine far more often than not.

    Again, I really am not trying to pick a fight with you. I hoped you’d be interested to hear that the test case can work in the setup you felt it failed. Perhaps others will chime in to confirm either way.

  79. @Charlie: are you running helicon ape, helicon rewrite or any other .htaccess addon in your iis? I can only re-test without rewriting… But it wont help as we cannot run without rewriting. I have read your comments, but not sure what else i should test. The only special thing we run is helicon ape. I guess they broken interoperability with the jakarta.dll fix they made. But i cannot look into the source code. If i find time i may compare debug connector logs from old and new connector.

  80. @Alex, thanks. So to be clear, I had said in #138 that I was NOT using rewriting, and I wondered how it would go for you if you might be able to test with it turned off.

    I hear you say “it won’t help” because you can’t run without it, but it will help at least if you can prove that THAT’s the issue. (And certainly you can run your small proof case without it, by setting the folder (or a new site) to disable rewriting.)

    It would then help Adobe help you. It could also help those who read your comments here, on your blog, or in that forum post to know what is a key to the issue (and I’d recommend if you DO confirm it that you make that clear here and in those places).

    Hope that’s helpful.

  81. I recently experienced issues with a very old CF server. We are running CF8 on several servers and CF5 on one even. It got hacked and after some forensics we were able to clean it up amazingly and get it back online. That got management to realize that indeed everything must be updated.

    We are a VMWARE Windows shop and use a DEV server and this is where my question comes. We have been using Standard version since the pricing went so high for Enterprise. I used to pay $2300 for CF 4.51 Enterprise from Ingram Micro directly but seems they were giving EDU pricing to everyone back then.

    Anyway how do I get a STANDARD DEV SERVER? If not why would a DEV server which is similar to Enterprise be an accurate test environment for me if we are running standard. Should I apply the standard license to the DEV server or will Adobe see that and shut it down?

    Additionally it seems that CF10 and CF11 are the buggiest releases ever.

    Is RAILO the answer?

  82. Getting no images displayed after Coldfusion 11 Update 4 installation on Windows/IIS7. All images generating “500 Internal Server Error”.

    CLUE to cause: When trying to view MIME Types for the individual site, received the error:

    Filename: ?C:XXXXXXXwwwrootweb.config
    Line number: 5
    Error: Cannot add duplicate collection entry of type ‘mimeMap’ with unique key attribute ‘fileExtension’ set to ‘.air’

    SOLUTION: Removed the following section from web.config since this MIME Type mapping already existed at the server level.

  83. FYI, since these issues appear to be with locked down servers. And, no, that is not an oddity. ALL PRODUCTION SERVERS SHOULD BE LOCKED DOWN.

    A user posted a question on StackOverflow as to why he could not update his ColdFusion installation after performing the lock down steps. He found out that the ColdFusion administrator’s update page relies on the /CFIDE/scripts directory to function (a-la the cfform tag). Since the lock down guide suggests denying any requests to that URI the update page was failing. He had to allow access in order to use the update feature. Here is a link to the post: http://stackoverflow.com/q/30205018/1636917

    This is not good! The update feature should not require exposing that URI. This should be changed. The user was on ColdFusion 11.

  84. @Krishna or @adobe

    I know this is an old post, but the previous comment (Comment 154 from 11/16) is obviously spam. Allowing comments like that through makes it appear that you do not care about this blog (or your readers who are subscribed to the thread). I’m seeing more and more of them on the posts I am subscribed to. You can do better.

Leave a reply