The security bulletin says to update to JDK 17 but...
# adobe
l
The security bulletin says to update to JDK 17 but the update page doesn’t say anything about it. ColdFusion2021 supported 11, I thought. Does 2021 support 17? That’s a big jump
s
JDK 17 is the next LTS version after JDK 11 so it's not quite as big a jump as it sounds (JDK 8 to 11 was a huge jump). It's certainly possible that updating from 11 to 17 for a product as complex as CF could cause problems (I think GC tuning stuff changed quite a bit... I think). I would certainly make sure you're on the latest JDK 11 patch (active support for JDK 11 ends in September, security support ends in three years; JDK 17 has three more years of active support and six years of security support).
d
CF 2021 Admin shows no packages available to install. I always update on the cmd line anyway, but this is confusing. Shouldn't a critical update show there?
Have the jvm config flags mentioned in the article changed? Or if we were up to date by yesterday's standards, should they already be in place? (I'm not in a good position to check right now.)
j
It's a bit confusing but if you read the tech notes for each version I don't think it's required. I'm assuming that should just say "Update the JVM to the latest version for the version you are running" - ie: 11 for 2021 and 2018 and 17 for 2023?? @Mark Takata (Adobe) can someone clarify that?
☝️ 2
☝🏻 1
m
@priyank_adobe @saghosh can we get clarification here? I think the answer is "update for the version you have" but I'm thinking the line "where applicable" here is critical. My understanding is that getting CF to run with Java 17 was a huge lift for CF23, so just dropping it into CF21/CF18 would break... um, everything. But I'm not 100% certain. Trying to get confirmation...
👍 6
🍿 2
s
(as someone who has consistently updated their JVM stack as each new JDK is released, every six months, I'm disappointed to hear that "getting CF to run with Java 17 was a huge lift for CF23" -- I'd be very interested to hear why CF18/21 can't use JDK 17?) Our non-CF apps are running on JDK 20 across all tiers right now and we expect to update to JDK 21 in September. We did run into a couple of memory leaks with JDK 19 with `--enable-preview` (we're looking at leveraging virtual threads soon) but the ones that were affecting us were fixed for JDK 20 (one was backported to 19, one was not).
g
So what's the verdict on the Java version recommendation for CF2018/CF2021?
It also mentions “Apache Tomcat Application Server”, but refers to JEE configurations; does this mean this note doesn’t apply to standard CF installs with Tomcat packaged?
m
Gareth I think those were two separate things. Like not and, or.
I'm in a meeting with basically the entire engineering leadership in a few hours, I'll ask about all this if I haven't received an email response to my earlier inquiry by then
@seancorfield the short answer is that the changes that Oracle made in 17 absolutely wrecked the heck out of a ton of stuff. A lot of reflection stuff just... went away. Ask @zackster about the fun they had too. It wasn't a "CF doesn't know what it is doing" thing, it was a "holy smokes what did Oracle DO?!!" thing. I have no idea about Java 20 or 21. As long as the changes made in 17 weren't reversed and they didn't set off another grenade in an egg factory like with 17, going up in CF23 should be fine. We'll see.
s
@Mark Takata (Adobe) Hmm, we went from 11 -> 14 -> 17 in production with next to no code changes as far as I can remember -- but we're pretty careful to avoid reflection for performance reasons 🙂 We tested 13 and 16 on dev too. Then we went to 18 in production, then 19 and hit memory leaks and went back to 18, and last week rolled everything up onto 20 (after a lot of A/B testing between 18, 19, and 20 looking for memory leaks!). One thing that changed in 19 (I think) was `Thread.sleep()` getting a new overload and causing reflection-related changes which led us to add casts to avoid that. (and I'll point out that Clojure is dynamically typed, like CFML, and compiles on demand to JVM bytecode, like CFML, so it relies on reflection stuff quite a bit under the hood if you aren't focused on performance) JDK 21 will drop in just a few months and it's the next LTS version so... get testing! 🙂
m
Good times!
c
For folks following this thread, I address several of the issues discussed here in a blog post I did earlier today on the update. (No, I don't work for Adobe.) https://www.carehart.org/blog/2023/7/11/coldfusion_p1_security_update_july_2023
❤️ 3
👍 1
m
Thanks Charlie.
@saghosh please note this recommendation for a better, more clear piece of instruction.
c
@Mark Takata (Adobe) I was wondering if there were any updates you'd like to share after your engineering leadership meeting?
m
Sorry, yes, Java 17 is for CF23 ONLY. Most of the updates (including items pertaining to Tomcat & JVM arguments) are for JEE installs. I've asked the team to clarify the text to make it more clear.
👍 3