Updates for ColdFusion 2016, ColdFusion 11 and ColdFusion 10 released

This post is to announce the release of updates for ColdFusion 2016, ColdFusion 11 and ColdFusion 10.

These updates address a common vulnerability mentioned in security bulletin APSB 16-16, upgrade the Tomcat engine and contain other bug fixes. 

ColdFusion 2016 Update 1

ColdFusion (2016 release) Update 1 addresses an issue mentioned in the security bulletin APSB 16-16. Tomcat has been upgraded to version 8.0.32. This update includes several important bug fixes for security, core language features, server, and other areas.

For details, refer to this technote.

ColdFusion 11 Update 8

ColdFusion 11 Update 8 addresses an issue mentioned in the security bulletin APSB 16-16. Tomcat has been upgraded to version 7.0.68. This update includes several important bug fixes for security, language, AJAX, and other features.

For details, refer to this technote.

ColdFusion 10 Update 19

ColdFusion 10 Update 19 addresses an issue mentioned in the security bulletin APSB 16-16. Tomcat has been upgraded to version 7.0.68. This update includes important bug fixes for security and server.

For details, refer to this technote.

26 Responses

  1. Only 1 of my CF 11 servers is offering the update. Is this getting rolled out or is something wrong? They are all currently using Update 7

  2. I’m glad to see my REST-Bug fixed after exactly 18 months…
    For a bug that only affects PRODUCTION machines, this is pretty damn slow.

  3. haxtbh,
    Can you clear the browser cache and try to check for updates again. If that does not work, can you pls. confirm the following:
    What is the current update level of the server on which you do not see the new update notification? Is it a standalone or a JEE installation?
    Can you check the update URL in the settings tab of the “server update” section in the CF admin console. Click on the “Restore Default URL” to ensure that it is correctly set. If you open up the updates XML file directly in the browser, do you see the new update elements?

    Paul,
    Not sure what you mean by “cfadmin update bits”. Pls. do clarify. In case you mean that you don’t see the applied update reflecting in the CF admin console’s “server updates” or “settings summary” section, then pls. check if the update was successfully installed in the first place.
    You’ll find the update install log file at :
    cfusion\hf-updates\hf-11-00008 folder … in a standalone installation of CF.
    cfusion.war\WEB-INF\cfusion\hf-updates\hf-11-00008… in a JEE installation of CF.
    Applying the update should also place the update JAR file in the updates folder in the cfusion lib directory, amongst other changes.
    Also, which version of CF are you using?

  4. After applying update 8 on CF 11, getting “Service manager authentication failed for http://127.0.0.1:8987/PDFgServlet/. Re-register the service manager.” when calling tag. Add on Service is running and CF admin showing connection status as OK, when “verify all server managers” clicked.

    Any suggestions?

  5. Restarting both the CF service and the add on service corrected issue. Manual restart needed after update is applied since it did not complete on its own. Sorry for posting before that option was explored.

  6. CF11 updated to 8 on Win2012 successful. But… one of my sites (since the update) occasionally stops.. really hard to diagnose.. it’s as if the connector dies – resulting in a 404 as CF starts to look for the site here: C:\ColdFusion11\PRODUCTION02\wwwroot\index.cfm, rather than passing the request to IIS which manages the URL rewriting and site location. Or is it IIS failing and CF taking over? Who knows – once the fix was to restart the site in IIS, but second time this didn’t work – required restarting the CF instance!

    Using CF Enterprise with IIS 8

    Any ideas/help appreciated.

  7. Wmulder,

    CF11 Update 8 does not carry any connector related changes. Update 7 did. You need not reconfigure the connector after applying Update 8, if you already had Update 7 installed and you had reconfigured the connector after installing it.

    Can you ensure that the connector is in place by checking the handler mapping for cfm/cfc extensions in your IIS website. They should point to isapi_redirect.dll in your CF installation.
    There should also be a “jakarta” virtual dir configured with the website.
    Also check if the connector related files are present at this directory “config\wsconfig”.
    Any request for a resource (.html/.cfm) that comes to IIS at the designated port (usually 80) is forwarded to CF at the AJP port (8014 by default), only if the file extension is .cfm/.cfc.
    ColdFusion cannot take over any request coming to IIS.

  8. Hi Immanuel and Piyush,

    – problem didn’t exist until directly after 8 update. Previous update was 7 and connectors were reconfiged.

    Can you ensure that the connector is in place by checking the handler mapping for cfm/cfc extensions in your IIS website. They should point to isapi_redirect.dll in your CF installation.
    – Handler mappings in place

    There should also be a “jakarta” virtual dir configured with the website.
    – jakarta is present

    Also check if the connector related files are present at this directory “config\wsconfig”.
    – all connector related files are in place

    Any request for a resource (.html/.cfm) that comes to IIS at the designated port (usually 80) is forwarded to CF at the AJP port (8014 by default), only if the file extension is .cfm/.cfc.
    ColdFusion cannot take over any request coming to IIS.
    – That’s what I would have thought 🙂

    The site has been working flawlessly since the last occurrence. However, it did do what it did… It appeared that CF tried to process the request without IIS doing its thing with the Handlers(!).

    Your checks have now got me looking in the right place however, the isapi_redirect logs show something – any ideas:

    [Thu May 12 16:06:28.886 2016] [7208:4656] [info] HttpExtensionProc::jk_isapi_plugin.c (2759): service() failed because client aborted connection
    [Thu May 12 16:34:25.771 2016] [7208:4528] [error] isapi_write_client::jk_isapi_plugin.c (1454): WriteClient failed with 995 (0x000003e3)
    [Thu May 12 16:34:25.802 2016] [7208:4528] [info] ajp_process_callback::jk_ajp_common.c (2175): (PRODUCTION02) Writing to client aborted or client network problems
    [Thu May 12 16:34:25.817 2016] [7208:4528] [info] ajp_service::jk_ajp_common.c (2903): (PRODUCTION02) sending request to tomcat failed (unrecoverable), because of client write error (attempt=1)
    [Thu May 12 16:34:25.817 2016] [7208:4528] [info] HttpExtensionProc::jk_isapi_plugin.c (2759): service() failed because client aborted connection
    [Thu May 12 17:49:38.405 2016] [7208:10340] [info] TerminateFilter::jk_isapi_plugin.c (2822): Tomcat/ISAPI/isapi_redirector/1.2.41 stopping

    Thanks
    Will.
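A triage sketch for the isapi_redirect lines quoted in the comment above, added here as an example and not part of the original thread: it parses the mod_jk line format, separates client-side aborts (995 is the Windows error code ERROR_OPERATION_ABORTED) from redirector shutdown events, and lists any error-level line that fits neither. The function names and category labels are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# The isapi_redirect log lines quoted in the comment above.
LOG = """\
[Thu May 12 16:06:28.886 2016] [7208:4656] [info] HttpExtensionProc::jk_isapi_plugin.c (2759): service() failed because client aborted connection
[Thu May 12 16:34:25.771 2016] [7208:4528] [error] isapi_write_client::jk_isapi_plugin.c (1454): WriteClient failed with 995 (0x000003e3)
[Thu May 12 16:34:25.802 2016] [7208:4528] [info] ajp_process_callback::jk_ajp_common.c (2175): (PRODUCTION02) Writing to client aborted or client network problems
[Thu May 12 16:34:25.817 2016] [7208:4528] [info] ajp_service::jk_ajp_common.c (2903): (PRODUCTION02) sending request to tomcat failed (unrecoverable), because of client write error (attempt=1)
[Thu May 12 16:34:25.817 2016] [7208:4528] [info] HttpExtensionProc::jk_isapi_plugin.c (2759): service() failed because client aborted connection
[Thu May 12 17:49:38.405 2016] [7208:10340] [info] TerminateFilter::jk_isapi_plugin.c (2822): Tomcat/ISAPI/isapi_redirector/1.2.41 stopping
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<pid>\d+):(?P<tid>\d+)\] \[(?P<level>\w+)\] "
                  r"(?P<func>\w+)::(?P<src>[\w.]+) \((?P<line>\d+)\): (?P<msg>.*)$")

# Message fragments taken from the quoted log; all describe the browser side going away.
CLIENT_SIDE = ("client aborted", "WriteClient failed with 995",
               "client network problems", "client write error")

def classify(msg):
    """Label one message as client_abort, redirector_stop or other."""
    if any(fragment in msg for fragment in CLIENT_SIDE):
        return "client_abort"
    if msg.endswith("stopping"):
        return "redirector_stop"
    return "other"

def triage(text):
    """Return (counts per category, redirector stop times, unexplained error lines)."""
    counts, stops, unexplained = Counter(), [], []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        kind = classify(m["msg"])
        counts[kind] += 1
        if kind == "redirector_stop":
            stops.append(datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y"))
        elif kind == "other" and m["level"] in ("error", "emerg"):
            unexplained.append(raw)
    return counts, stops, unexplained
```

On the quoted lines, every entry except the last is a client-side abort; the only connector lifecycle event is the redirector stopping at 17:49:38.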

  9. Wmulder,
    Can you try a simple hello world HTML page (that should keep CF out of the picture) in your site’s web root to make sure that it is functioning well.
    Similarly, try a simple no-frills CFML page placed in CF’s webroot /cfusion/wwwroot/, and try to access it in a browser over CF’s internal port (default : 8500).
    Note that the internal port may be disabled. So you may have to edit the server.xml file at /cfusion/runtime/conf/server.xml to uncomment the “internal webserver start” section, and restart the CF server.
    Are IIS and ColdFusion on the same machine?

  10. Update 8 doesn’t seem to want to install for me.

    I am running CF11 Update 7 (Enterprise Edition) and using CF Administrator to install Update 8. The update installs, the CF service restarts, but then I log back into CF Administrator and it shows that Update 7 is still the latest update installed. I have cleared browser cache, restarted CF services, and even restarted the entire server… no change.

    I see an “hf-11-00008” folder and hotfix_008.jar file in my CF\cfusion\hf-updates folder, and received no error message during the installation of the update. Any suggestions?

    And how do we install hotfixes manually on CF11?

  11. Follow up to my last post, here are portions of the Update 8 install log.

    The files in the first section (the ones it’s trying to move) don’t even exist… is that the issue?

    I also noticed it’s using a mix of / and \ in file paths for some reason.

    My CF user has full write permissions to the folders referenced in this error, and I’ve had no problems installing updates before.

    =================================================================================

    Moving files failed:
    Status: FATAL ERROR
    Additional Notes: FATAL ERROR – Could not move the file MYDRIVE:\CFROOT\cfusion\lib\updates\chf11000007.jar to the backup location MYDRIVE:\CFROOT\cfusion\hf-updates\hf-11-00008\backup\lib\updates\chf11000007.jar

    Moving files failed:
    Status: FATAL ERROR
    Additional Notes: FATAL ERROR – Could not move the file MYDRIVE:\CFROOT\cfusion/lib/httpclient-4.3.5.jar to the backup location MYDRIVE:\CFROOT\cfusion\hf-updates\hf-11-00008\backup/lib/httpclient-4.3.5.jar

    Moving files failed:
    Status: FATAL ERROR
    Additional Notes: FATAL ERROR – Could not move the file MYDRIVE:\CFROOT\cfusion/lib/httpclient-cache-4.3.5.jar to the backup location MYDRIVE:\CFROOT\cfusion\hf-updates\hf-11-00008\backup/lib/httpclient-cache-4.3.5.jar

    Moving files failed:
    Status: FATAL ERROR
    Additional Notes: FATAL ERROR – Could not move the file MYDRIVE:\CFROOT\cfusion/lib/httpcore-4.3.2.jar to the backup location MYDRIVE:\CFROOT\cfusion\hf-updates\hf-11-00008\backup/lib/httpcore-4.3.2.jar

    Moving files failed:
    Status: FATAL ERROR
    Additional Notes: FATAL ERROR – Could not move the file MYDRIVE:\CFROOT\cfusion/lib/httpmime-4.3.5.jar to the backup location MYDRIVE:\CFROOT\cfusion\hf-updates\hf-11-00008\backup/lib/httpmime-4.3.5.jar

    Moving files failed:
    Status: FATAL ERROR
    Additional Notes: FATAL ERROR – Could not move the file MYDRIVE:\CFROOT\cfusion/lib/commons-net-3.0.1.jar to the backup location MYDRIVE:\CFROOT\cfusion\hf-updates\hf-11-00008\backup/lib/commons-net-3.0.1.jar

    Moving files failed:
    Status: FATAL ERROR
    Additional Notes: FATAL ERROR – Could not move the file MYDRIVE:\CFROOT\cfusion/lib/commons-collections-3.2.1.jar to the backup location MYDRIVE:\CFROOT\cfusion\hf-updates\hf-11-00008\backup/lib/commons-collections-3.2.1.jar

    =================================================================================

    Failed to delete directory
    Status: ERROR
    Additional Notes: ERROR – Failed to delete directory:MYDRIVE:\CFROOT\cfusion/lib/httpclient-4.3.5.jar
    ERROR – Unable to delete file: MYDRIVE:\CFROOT\cfusion\lib\httpclient-4.3.5.jar

    Failed to delete directory
    Status: ERROR
    Additional Notes: ERROR – Failed to delete directory:MYDRIVE:\CFROOT\cfusion/lib/httpclient-cache-4.3.5.jar
    ERROR – Unable to delete file: MYDRIVE:\CFROOT\cfusion\lib\httpclient-cache-4.3.5.jar

    Failed to delete directory
    Status: ERROR
    Additional Notes: ERROR – Failed to delete directory:MYDRIVE:\CFROOT\cfusion/lib/httpcore-4.3.2.jar
    ERROR – Unable to delete file: MYDRIVE:\CFROOT\cfusion\lib\httpcore-4.3.2.jar

    Failed to delete directory
    Status: ERROR
    Additional Notes: ERROR – Failed to delete directory:MYDRIVE:\CFROOT\cfusion/lib/httpmime-4.3.5.jar
    ERROR – Unable to delete file: MYDRIVE:\CFROOT\cfusion\lib\httpmime-4.3.5.jar

    Failed to delete directory
    Status: ERROR
    Additional Notes: ERROR – Failed to delete directory:MYDRIVE:\CFROOT\cfusion/lib/commons-net-3.0.1.jar
    ERROR – Unable to delete file: MYDRIVE:\CFROOT\cfusion\lib\commons-net-3.0.1.jar

    Failed to delete directory
    Status: ERROR
    Additional Notes: ERROR – Failed to delete directory:MYDRIVE:\CFROOT\cfusion/lib/commons-collections-3.2.1.jar
    ERROR – Unable to delete file: MYDRIVE:\CFROOT\cfusion\lib\commons-collections-3.2.1.jar

  12. Follow up to my two posts above:

    A command line install of Update 8 worked just fine.

    A technician with Adobe informs me that they have identified an issue with installing this update via the CF Administrator for those who have applied the official CF11 “lockdown” steps.

  13. Christopher,
    A possible reason can be that the CF service was still running, hence the updater was not able to move the jar files locked and used by the CF server, to a back up location.
    If your CF server is running with a non-administrator account, can you ensure that it has the permission to stop/start the CF services. That is, if you want to avoid running the updater manually every time a new update is out.
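A check for the failure mode discussed in the comments above, where the updater reports no error in the CF Administrator but the install log records files it could not move or delete. This is an added example, not code from the post or from Adobe; the sample log is constructed in the format of the log quoted in the thread, the path separators in it are assumed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the install log quoted in the thread
# (MYDRIVE / CFROOT are the poster's placeholders; path separators assumed).
SAMPLE_LOG = r"""
Moving files failed:
Status: FATAL ERROR
Additional Notes: FATAL ERROR - Could not move the file MYDRIVE:\CFROOT\cfusion/lib/httpclient-4.3.5.jar to the backup location MYDRIVE:\CFROOT\cfusion\hf-updates\hf-11-00008\backup/lib/httpclient-4.3.5.jar

Moving files failed:
Status: FATAL ERROR
Additional Notes: FATAL ERROR - Could not move the file MYDRIVE:\CFROOT\cfusion/lib/httpcore-4.3.2.jar to the backup location MYDRIVE:\CFROOT\cfusion\hf-updates\hf-11-00008\backup/lib/httpcore-4.3.2.jar

Failed to delete directory
Status: ERROR
Additional Notes: ERROR - Failed to delete directory:MYDRIVE:\CFROOT\cfusion/lib/httpclient-4.3.5.jar
ERROR - Unable to delete file: MYDRIVE:\CFROOT\cfusion\lib\httpclient-4.3.5.jar
"""

JAR = re.compile(r"([\w.\-]+\.jar)\b")  # jar file name without its directory

def parse_entries(text):
    """Split the log into blank-line-separated entries: action, status, jar names."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        status = next((ln.split(":", 1)[1].strip() for ln in lines
                       if ln.startswith("Status:")), None)
        if status is None:          # separator rows or free text, not an entry
            continue
        entries.append({"action": lines[0].rstrip(":"), "status": status,
                        "jars": sorted(set(JAR.findall(block)))})
    return entries

def blocked_jars(entries):
    """Map each jar the updater could not move or delete to the statuses seen."""
    blocked = defaultdict(set)
    for entry in entries:
        if "ERROR" in entry["status"]:
            for jar in entry["jars"]:
                blocked[jar].add(entry["status"])
    return dict(blocked)

def update_applied_cleanly(entries):
    """False if any step ended in FATAL ERROR; do not assume the update is in place."""
    return not any(e["status"] == "FATAL ERROR" for e in entries)
```

Running `update_applied_cleanly(parse_entries(log_text))` against the real install log after each update gives a pass/fail signal that does not depend on what the CF Administrator displays.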

  14. Running ColdFusion 11 Update 7 works correctly on my Windows 7 system. My local website loads correctly and IIS has been verified as working (hello world). Once I install ColdFusion 11 Update 8 I receive the following message: http status 500 – coldfusion.server.ServiceFactory$Service NotAvaiableException: The Runtime service is not available. 90 percent of the ColdFusion Lockdown Guide has been applied to the desktop.
