We are pleased to announce that we have released the updates for the following ColdFusion versions:
- ColdFusion (2021 release) Update 1
- ColdFusion (2018 release) Update 11
- ColdFusion (2016 release) Update 17
In these updates, we’ve fixed a few security bugs and some other bugs, which are mentioned in the tech notes.
In ColdFusion (2021 release), we’ve added activation and deactivation of Virtual core licenses. In addition, we’ve introduced support for RHEL 8.3, WildFly 23, Tomcat 9.0.43, PostgreSQL 13, Oracle 19c (2018), and MS SQL Server 2019.
For more information, see the tech notes below:
- ColdFusion (2021 release) Update 1
- ColdFusion (2018 release) Update 11
- ColdFusion (2016 release) Update 17
These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB21-16.
We’ve also updated Performance Monitoring Toolset for the 2018 and 2021 releases of ColdFusion. Check out the tech notes:
- ColdFusion 2018 Performance Monitoring Toolset Update 2
- ColdFusion 2021 Performance Monitoring Toolset Update 1
Please update your ColdFusion versions today. Let us know if you face any issues while installing the updates. Your feedback is essential to further enhancing the product.
The Docker images have also been updated.
We thank you for your continuing support.
Just a warning to anyone upgrading to CF2018 update 11. Adobe changed the default handling of SAMEFORMFIELDSASARRAY. This variable was previously set to FALSE. Official Adobe documentation still identifies the server default value for SAMEFORMFIELDSASARRAY as FALSE. However, Adobe decided to change the server default to TRUE with update 11. This will cause any code that previously processed form submissions with multiple fields that use the same name, like checkboxes, to be read as an array instead of a list. I reported this bug a month ago, and there has been no response from Adobe or any information about a fix for this new error they introduced with the CF2018 update 11. Very disappointing Adobe.
This also affects CFSTOREDPROC! Normally you would reference the name given to the “resultSet” by resultSet.fieldName but the same error experience as above is returned. It breaks under both a single element being returned or query being returned. My initial resultSet was a query with the same problem as above. I have edited the SQL stored procedure to return a simple value of ‘1’ but again the same problem appears.
We updated from CF2018 Update 10 to the newest CF2018 Update 11. Several of our processes broke immediately after the update. All involved handling form data when multiple inputs had the same name. Previously ColdFusion would return the form data as a comma separated list. Now, after the update ColdFusion is returning the form data as an array. Any way to change this back to the default behavior? I did not see any mention of this in the notes for the update 11. CF has handled the form submissions when multiple inputs had the same name as a comma separated list forever. It seems like a change to this should have been publicized.
A quick update. I found some additional information here It seems Adobe changed the default handling of forms (sameformfieldsasarray) with the CF2018 Update 11. This is causing all kinds of problems for some of our older code. Fortunately we found this in development before this change impacted production systems. The work-around for this issue, introduced by Adobe, is detailed in the link above.
Another doc-related observation for you, Saurav (and for interested readers).
In the CF2021 update 1 technote, I have just noticed that it does not have a table at the bottom tracking whether the web server connector has been updated, where such a table HAS been at the bottom of the update technotes for CF2018 and for 2016. I can confirm that the connector was NOT updated, but it would be helpful to get that table there, for those who look for it.
FWIW, those two most recent technotes for CF2018 and 2016 I link to above DO show a “yes” in the table at the bottom of each, indicating that the connector was updated with these latest releases. But I’ve done a close comparison of the connector files before and after the update (after upgrading the connector, of course), and I find that the IIS connector has not changed, at all, but the Apache connector has indeed changed (only slightly, it seems). I realize you don’t make that sort of distinction in the table, but I offer this to help other readers who may find this. I may do a blog post with more detail.
But again, my main reason for writing this comment is the missing table in the CF2021 update 1 technote. Thanks.
Adobe folks, there is no Docker image for the CF2021 PMT (Performance Monitoring Toolset) at the CF Docker image site, https://bintray.com/eaps/coldfusion/cf%3Apmt#files/cf/pmt. (To be clear, I do see that Docker images for CF2021 and even the recent update 1 on the page for CF images.)
I also see no Docker images for the 2021 version of the CF add-on service, nor for the 2021 version of the API Manager or its own add-on services . Again, the CF2018 versions of all these things are there and have their latest updates. It’s just the 2021 version of things that have not even been added other than for CF itself.
When would the 2021 versions of these things be added? Thanks.
I am excited to see this blog post mention activation/deactivation for “virtual core licenses”. Especially because the documentation link it takes you to mentions. “You can purchase licenses for Virtual core ColdFusion units.”.
How do I actually go about purchasing licenses for Virtual core ColdFusion units, and what does that mean? I can only find the Standard/Enterprise editions for sale as usual on the relevant Adobe webpages.
Fair point, Peter. And some may well be a bit confused about things.
First, it may interest some readers to know that folks have often found that various databases worked from CF even before Adobe “formally supported” them, while others felt that they couldn’t “move to the new DB” until Adobe did.
Technically, it’s not even Adobe that really needs to “add the support” to start but the vendor from whom they buy the built-in DB drivers, which is DataDirect/Progress. Then Adobe has to get them, test them, and then release them with CF.
Then again, if one instead obtained a JDBC driver from elsewhere (like the Microsoft-provided SQL Server JDBC driver), then that could provide “support” for a newer db well before Adobe/DataDirect would. That’s something else to keep in mind when one wants a DB supported “before Adobe supports it”. Of course, there’s still no guarantee that things will work, but usually they do, as you are observing.
But finally, FWIW, while this post says that SQL Server 2019 support is new with this update, there was a comment from Adobe in the blog post from Nov in 2020 when CF2021 came out that indicated that it was supported “formally” even then, though it had not been indicated on the new support matrix.
Hope that helps some readers.
After updating CF2018 and doing an upgrade on the web server configuration tool on our staging server, we are getting the following errors on any page that has the Elvis operator:
coldfusion.runtime.CFPage._isDefinedElvis(Ljava/lang/StringLjava/lang/Object; null
The update worked fine on our other servers.
UPDATE: uninstalling and reinstalling the update fixed the issue.
vertizonal, I see you updated your note to say the problem was fixed by reinstalling the update. Great to hear.
As for understanding what may have happened the first time, you may find (even with the reinstall) the explanation in the log for for the first attempted update. Though many are not aware, there’s a log kept for each update attempt. And there’s a count of errors (and successes) which really should be checked after any cf update.
I discuss this more here:
Thanks, Charlie. I don’t see anything amiss here, though (see below), and now I have another server that has the same issue, but I am unable to fix it. We can remove all code that uses ?:, but I’m concerned that the problem may be deeper than this.
Summary
——-
Installation: Successful.
3329 Successes
0 Warnings
0 NonFatalErrors
0 FatalErrors
More info from the stack trace:
java.lang.NoSuchMethodError: coldfusion.runtime.CFPage._isDefinedElvis(Ljava/lang/String;)Ljava/lang/Object;
at cftemplate_accessories_flanges2ecfm1837761299$func_CF_ANONYMOUSCLOSURE_ELVIS10.runFunction(C:[page].cfm:5)
at coldfusion.runtime.Closure.invoke(Closure.java:111)
at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:448)
at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95)
at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:399)
at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:372)
at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:288)
at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:4175)
at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:4155)
at coldfusion.runtime.CfJspPage._invokeElvisUDF(CfJspPage.java:4079)
Ugh – I finally got this fixed, thanks to comments on this post: https://tracker.adobe.com/#/view/CF-4208310
UPDATE: Charlie also just updated the info there with some good info as well, so be sure to read his posts at the bottom of the thread.
Saurav, can you please ensure that some of the info shared above is also shared in the update technotes? For example, I just noticed after updating CF2018 to u11 that the CF admin reports it is running Tomcat 9.0.41. That’s great news (important as another security improvement), but there’s no mention of that in the technote for that update, so I (and perhaps many others) had no reason to expect it–unless they saw this post.
To be clear, when the last such Tomcat version change happened, CF2018 update 5, its technote indicated that Tomcat version change, to 9.0.21).
This change (and the other library changes above) are also not mentioned in the page highlighting the major changes across all the CF2018 updates, the CF2018 update release notes page, though again that shows how the Tomcat version changed in update 5. (And FWIW, this same set of concerns applies to CF2016, and its Tomcat 8 version, which went from 8.5.42 to 8.5.61. And CF2021’s Tomcat updated from 9.0.37 to 9.0.41. BTW, the post here refers to Tomcat being updated to 9.0.43, which may just be a simple typo.)
Also, the popup for the update within the CF Admin indicated also that, “ColdFusion (2018 release) Update 11 includes bug fixes and enhancements in Language, Accessibility, PMT, Installation, Security and other areas and important library upgrades (Tomcat, Jetty, ESAPI, JPedal, etc), and support for new platforms.” The same sort of info is also offered in the popup in the admin for the updates to CF2021 and CF2016.
I see no mention above any such “enhancements” in those areas, nor are any mentioned on the CF2018 update 11 technote. There’s also no mention here or there to any version changes for Jetty or the others. (And this is so for the update technotes of the other versions.)
And if indeed there ARE any “enhancements”, it would seem that the technote for the update and release notes/summary should indicate them. None are indicated in those, nor in this blog post.
Not complaining to nit-pick but to reconcile things, and especially to help folks who may be looking in one place but not another.
Saurav?
I’ve been helping many people here answering their questions. I’d appreciate someone answering mine (this and the first 3 below, from last week), which are focused on trying to help others, as well other questions that remain like Legorol’s above.
Question about applying the updates manually. The instructions documented here:
https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-11.html
include the statement:
Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.
What if you have replaced the bundled JRE with a more recent one? Can that JRE be used to apply the update, or must you always apply updates with the bundled JRE?
Michael
It’s an interesting question. Technically, the point they’re getting at is that if you happened to have installed on your box some older jvm (or super newer one), the one you use to run the update jar ought to be a version that Adobe supports for that release of CF. (In the case of CF2018 and 2021, that’s Java 11.)
So no, it’s not so much that it MUST be the one in CF’s JRE folder. It can be the one that CF has been changed to use. Just make sure it’s not some very older or newer one. 🙂
Make sense? I would agree they could make that more clear.
Charlie,
This warning is for ColdFusion 2021 and it is only applicable on windows platforms if you are using a custom service name other than the default service name i.e. “ColdFusion 2021 Application Server”. It has nothing to do with the user account privileges that is used to run CF service.
Thanks, Nimit. And that’s indeed very different. I think the wording could leave others thinking you meant what I refer to.
But to that point, you don’t comment on whether you recognize and agree with that being an issue also. Can you clarify: do you (does the CF team) agree it’s also a problem running updates via the admin, if the Windows service is running as a user other than the local system account? The update will fail to stop the service, thus leading to errors in the update. And this is in any release from 10 to 2021. Shouldn’t there be a warning for that, to apply the update manually in that case also?
Finally, I also raised two other issues for the cf team related to the updates.
Also, Saurav (or anyone at Adobe), while it’s great to see that the Docker images for CF were updated as well, on visiting the site, a big warning appears in red there (at the BinTray site you guys have long used, instead of Docker Hub) indicating that Bintray will be going away in just a few weeks (May 1st 2021), with more here.
With that news, will you guys be switching to Docker Hub? Or something else? Or paying them to keep your account open? It sure would be nice if the ACF images were in Docker Hub, but I assumed you had a reason (perhaps financial) to not host them there. But we need to know the new location sooner than later.
Thanks for the news, Saurav. There are a couple of issues with the update technotes, though:
First, I’ve had someone point out to me that the CF2018 update technote doesn’t list fixes to bugs which were indeed indicated in Tracker to have been fixed in update 1 (like CF-4210921), and which they find are indeed fixed per the update. Another is CF-4210954. That seems simply an oversight, but could you get someone to properly list all the fixed bugs in that technote (and same for the technotes for CF2016 and CF2021, if there are any similar.)
That one was not so bad (just a lack of info but still a good result). The next issue is also a lack of info but could to a bad result.
As you know, the CF2021 update technote now has a warning to folks on Windows that they should not use the CF Admin UI to do an update, if they are running CF as a service with a user other than the local system account. That’s not really a feature new and unique to CF2021, though. And it’s NOT listed in the CF2018 or 2016 update technotes. Of course, the workaround is different: rather than use the new cfpm feature, those on CF2018 and 2016 would need to run the update from the command line as a java jar (which is indeed documented in the update technotes–but only as an option, not as a recommendation for those running CF as a Windows service as a limited function user).
Could you get that added–and preferably even to past ones?
For those not familiar with the second problem, it’s that the user running the service doesn’t have the authority to stop the CF (and related services), so the service doesn’t stop, and therefore the updates fail. But running the update from the command line instead (especially as an admin user), that IS able to stop the service (or you could stop them manually before doing the manual update).
Yes, it’s frustrating that the “simple one-click admin update” feature has not proven for many to work as well as it should. Again, at least if you know of the problem and do the update manually, it will work. (There are even other approaches, but this is not the right place to list those. I have long meant to do a blog post on the topic.)
Anyway, hope the info above could help people. Of course, many people won’t read the technote at all, even though it’s linked to from the update. You can lead a horse to water…)
For folks who get stuck and can’t get their CF working, I have been helping people recover from and properly handle such things for several years. More at the consulting page of carehart.org. Or you can find other CF troubleshooting consultants also as a category of my CF411 page.
You must be logged in to post a comment.