March 24, 2020
Three reasons your sites may break, and how to fix them, after applying March 2020 update to CF2018 or 2016

If your site(s) reach ColdFusion via IIS or Apache, note that those sites will fail immediately after applying the March 2020 CF updates (update 8 for CF2018 and update 14 for CF2016). But there’s an easy fix.

It’s not a bug, and CF is not broken. Instead, it’s simply that you need to take a second step right after the update, and you may need to take another step or two depending on your configuration.

The least you need to know

I’ve detailed things with much more explanation in a blog post on my own site, but I want to present the info here in the briefest form I can.

  1. You must run the CF web server configuration tool (wsconfig), to upgrade the connector(s) for your IIS/Apache site(s). Doing this will cause CF to implement a new “secret” (created by the CF update and placed into the AJP connector of CF’s server.xml file) into the workers.properties config file of your web server connector(s).

    Note that you don’t need to remove and re-add the connector: you need only use the upgrade feature available in the wsconfig tool, either as a button in the UI or as a -upgrade option at the command line, as you may prefer. For more on upgrading your web connector, see another post I’d done in the recent past.

  2. Second, if your IIS or Apache web server is on a different machine than CF (an uncommon configuration), note that you will likely need to implement a required IP “address” attribute, also to be set for the AJP connector in CF’s server.xml file. This is because with the updated Tomcat AJP connector, it defaults to accepting requests only from the localhost/loopback addresses, 127.0.0.1 and ::1 (as a security measure). You need to tell the connector the IP address of any other machines whose web servers will talk to it.

    BTW, this step would also apply even if you have CF and the web server on the same machine, but you have for some reason modified your hosts file so that localhost resolves to an IP address other than the traditional loopback address. See my more detailed post for more info.

  3. Some may find they need to make still one more change, if they STILL get errors after making the changes above: adding yet another new Tomcat AJP connector attribute, allowedRequestAttributesPattern=".*" (that’s a dot and an asterisk), on the server.xml file’s AJP connector line.

    [Update after initial post: I had mistakenly put just *, originally. Sorry.]
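
One way to check the three points above against your own files, as an added example (not code from this post or from Adobe). It assumes the connector keeps the secret as worker.<name>.secret in workers.properties and that the attribute names are as given above; the file contents, port and secret values are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not real configuration): a server.xml fragment and
# a connector workers.properties whose secret was never refreshed by wsconfig.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8018" protocol="AJP/1.3" redirectPort="8451"
             tomcatAuthentication="false" secret="EXAMPLE-NEW-SECRET"/>
</Service></Server>"""
WORKERS_PROPERTIES = """worker.list=cfusion
worker.cfusion.type=ajp13
worker.cfusion.host=localhost
worker.cfusion.port=8018
worker.cfusion.secret=EXAMPLE-OLD-SECRET
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Assumed key layout: worker.<name>.<key>=value
WORKER_LINE = re.compile(r"^worker\.([^.=\s]+)\.([^=\s]+)[ \t]*=[ \t]*(.*?)[ \t]*$", re.M)

def ajp_connector(server_xml):
    """Return the attributes of the first AJP connector in server.xml."""
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol", "").upper().startswith("AJP"):
            return dict(conn.attrib)
    raise ValueError("no AJP connector found")

def worker_settings(props):
    """Parse workers.properties into {worker name: {key: value}}."""
    workers = {}
    for m in WORKER_LINE.finditer(props):
        workers.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return workers

def check(server_xml, props):
    """Return a list of findings, one per point that still needs attention."""
    conn, findings = ajp_connector(server_xml), []
    for name, w in worker_settings(props).items():
        if w.get("port") != conn.get("port"):
            continue  # this worker points at a different CF instance
        if w.get("secret") != conn.get("secret"):
            findings.append(f"{name}: secret differs from server.xml; run the wsconfig upgrade")
        if w.get("host", "localhost") not in LOOPBACK and "address" not in conn:
            findings.append(f"{name}: CF host is not loopback but the connector has no address attribute")
    if "allowedRequestAttributesPattern" not in conn:
        findings.append("note: allowedRequestAttributesPattern not set (only needed if errors persist)")
    return findings
```

Call check() with the text of your own server.xml and workers.properties; an empty list means none of the three points applies.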

Finding more detail

Some readers may be able to take the ball (what I have shared above) and run with it.

But note that the technote for the updates (which I pointed to in my opening sentence here) does offer more details on each of these 3 points.

Beyond that many will have more questions (ranging from those who don’t do such updates often/don’t understand these things well, to those who DO apply such updates often/DO understand these things well), and I help such folks in the more elaborated post on this topic on my site, where I address the following questions/topics in more detail.

Dealing with the problem immediately:

  • How you can easily upgrade your CF web server connector
  • “I never ran this wsconfig tool, so does this not apply to my sites?”
  • Finding more about the update from Adobe
  • Why your sites may fail/what was changed with this update
  • How your sites may fail: what you may see
  • How this update affects any existing connector “secret” configuration
  • Handling if your web server is on a different machine than CF
  • What if I am in cf11 or earlier (or choose not to apply the Mar 2020 update), but want the security fix?

Thinking about the problem:

  • How would you have known of the need to upgrade the connector?
  • How such a connector upgrade was often recommended before, but is required with this update
  • How Adobe could make it MORE CLEAR that we might need to take these two extra steps
  • How these two “extra steps” will apply to those who skip this update but do the next one
  • How a new CF installer for CF2018 and 2016 would really help us now
  • These changes are indeed ALL that this update implements

Finally, if you have problems after applying the update and you feel that none of the 3 points above apply for you, see yet another blog post I’d done a year ago this month, “Having problems after applying a CF update? What to check, and how to recover!”

Hope that’s helpful to readers.
