Originally posted July 26 2021; updated Aug 5 2021
ColdFusion users should be aware that there were updates released last week (Jul 20) to the long-term support (LTS) versions of Oracle Java, versions 8 and 11. Java 11 is the version currently supported by CF2021 and CF2018.
For more on the JVM updates, see the Oracle technotes:
These updates, like most JVM updates, include security-related fixes. Among them are one high-scoring (more severe) fix, CVE-2021-2388, and two lower-scoring ones, CVE-2021-2369 and CVE-2021-2341.
For some, that’s all they need to hear. They want to resolve any security concerns, they accept that there may be impacts due to those or other bug fixes, and they know to test things somewhere other than production first. They also know how to update CF to use the new JVM, and that they should keep up-to-date on the JVM CF uses, etc.
Other folks may want (or need) to know a lot (or perhaps just a bit) more.
For that, see a post I did on my own blog in Apr with more info related to the last JVM update, and pointers to still more I’ve written about past Java updates. I also explain there how I can assist you directly in applying the updates, if that may be helpful.
Update: The Adobe downloads page offering Java installers has now been updated to offer this new update (as of July 29).
Sadly, as of this writing, the Adobe downloads page offering Java installers has NOT yet been updated to offer this new update. This happens about every time there are JVM updates. They will show eventually, but if you don’t want to wait, see my post above for discussions I have offered in the past about how the binaries offered at Oracle are identical in my testing.
One last thing: you may have heard in recent weeks of a planned change that Adobe was going to make, switching from supporting the Oracle JVM (as they have since CF6) to the open source Azul JVM. Those plans were announced in June, but that blog post was updated just last week to indicate that the plans for that JVM vendor change have been postponed to at least December 2021.
To be clear, for now CF still only formally supports the Oracle JVM, and the only version that CF2018 and 2021 currently support is Java 11 (and its updates). The expectation is that Java 17 will be the next “Long-Term Support” (LTS) release of Java, and CF will likely be updated to support that later this year.
Just like it’s important to keep your CF version updated, it’s often just as important (for security reasons, bug fixes) to keep up-to-date on the JVM that CF is using. Think of it like flossing, or changing your engine oil.
For more blog content from Charlie Arehart, see his posts here as well as his posts at carehart.org. And follow him on Twitter and other social media as carehart.
Thanks Charlie and Priyank,
JAVA SE 11.0.12 (LTS) is available on the downloads page now. The checksum.txt link isn’t found at the moment, but I was able to match the checksum on my download via this Oracle page: https://www.oracle.com/webfolder/s/digest/11-0-12-checksum.html
Hi Charlie,
I have the notification set up, and I also have all the dates which Oracle mentioned in their article. The delay happens, though, because I have to get this updated on the downloads page. Let me work with the team and see if we can make this process less time-consuming.
-Priyank