ColdFusion 2023 (Update 6) and ColdFusion 2021 (Update 12) Security Updates are live now The following are live as part of this release : • ColdFusion 2023 Update 6 • ColdFusion 2021 Update 12 Security Vulnerabilities addressed in this release are mentioned here – Adobe Security Bulletin As a part of this update, • Docker Images for ColdFusion 2021 and 2023 will be pushed to AWS ECR & Docker Hub by tomorrow • CF Fiddle will be updated with the ColdFusion 2023 Update 6 & ColdFusion 2021 Update 12 by tomorrow

I ran into issues installing this update. Same issue I ran into with update 10 (hadn't done 11 😬). The Admin interface doesn't work (when I click the Download and Install button the modal comes up and then nothing happens). So I was using the command line (tried

cfpm

and

update all

as well as the

java -jar

on the downloaded hotfix file. In both cases there are errors when it gets to the step of copying two files from the tmp directory and the files aren't present.

Failed to copy hotfix files:/tmp/630469.tmp/dist/updates
                          Status: FATAL ERROR
                          Additional Notes: FATAL ERROR - Failed to copy the hotfix files to the target location:/opt/coldfusion2021/cfusion/lib/updates
                                            FATAL ERROR - /tmp/630469.tmp/dist/updates (No such file or directory)

Failed to copy hotfix files:/tmp/630469.tmp/dist/wwwroot
                          Status: FATAL ERROR
                          Additional Notes: FATAL ERROR - Failed to copy the hotfix files to the target location:/opt/coldfusion2021/cfusion/wwwroot
                                            FATAL ERROR - /tmp/630469.tmp/dist/wwwroot (No such file or directory)

Is this a known issue? Am I doing something completely wrong? (I don't think I am...) With update 10 I ended up having to do a fresh install to fix the instances. It was a mess to say the least.

@priyank_adobe @sandip_halder

I have a different problem installing ColdFusion 2021 (Update 12), coming from Update 11. For years I've used the Admin to download updates, then installed them via the command line, a one-liner like this: somedrive:\ColdFusion2021/jre/bin/java.exe -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar somedrive:\ColdFusion2021\bundles\updateinstallers\hotfix-012-330257.jar This time, the install appeared to run normally, and I can get into the admin, but no datasources can connect. Does that ring a bell with anyone? One thing I noticed after the fact was the step in the install instructions to update the pointer to bundles/bundlesdependency.json. That's not something I've ever done before. • Is that necessary in this upgrade flow? • Any chance not having done that is causing this current issue? • If it is the problem, how can I proceed from here? Do I need to roll back the install completely? Any other ideas?

@rodel30 For the issue #1 could you please check if in CF Administrator->Server Settings->Settings "Enable whitespace Management" checkbox is disabled? For the issue #2 with fatal errors, can you please check the 3 things mentioned below: 1. Was the hotfix jar run with Administrator privileges 2. Is that java -jar run with JDK 17 version for CF2023? 3. If latest JDK is used, have you used the flag "-Djdk.util.zip.disableZip64ExtraFieldValidation=true"

Thank you @Megha (I'm #2). 1. Yes I ran the update in a cmd prompt running as administrator. 2. As I said in my post, I was installing ColdFusion 2021 (Update 12), coming from Update 11, so I think that doesn't apply. However, I was using the jdk here: /ColdFusion2021/jre/bin/java.exe, which is what the update docs say to use. That's 11.0.11.0. That isn't what CF is actually configured to use, which is jdk-11.0.20, which I think is what's recommended for CF itself. Is that bit of the update install doc incorrect? Which of those java versions do you recommend for this operation? 3. As I said in my post, I did use the flag "-Djdk.util.zip.disableZip64ExtraFieldValidation=true", though I'm not sure it's needed for these versions of java. Other folks doing the command line version of this update, which jdk are you using? I haven't seen anyone else having problem I am.

Hi @Dave Merrill, I think there's slight confusion regarding issue #2 i referred to, it was for the fatal errors shared by @rodel30 In your case, could you please confirm the OS you are on and if there was no issue before the update and it got introduced after you applied it?

@Megha Oops, sorry to cross threads here, thanks for getting back to me. OS is Windows Server 2019 Datacenter version 1809. The server was running fine before this update -- This level of failure is impossible to miss, all database access fails. It's a dev and staging server, and there's a near mirror of it running in production, also with no issues. Which jdk we should we be using for the -jar step?

We support JDK 11 with ColdFusion 2021. So you could either use our bundled one itself, or any version of JDK 11

Any JDK11 should work for both for CF itself, and for the -jar operation doing the update? Do you have any other ideas for next steps if that's not the issue with this update? I'm in the process of reverting the whole cfusion directory to a copy I made before the update, so I'll be in a position to try again in a few minutes.

@Dave Merrill what is the JDK version you are using? is lt the latest one?

Everything's back working again after reverting the whole cfusion directory. Glad this isn't production!

Also, can you please confirm if the update went successful?

@priyank_adobe Thanks for jumping in. CF itself is using 11.0.20. For the update, I followed the update docs and used /ColdFusion2021/jre/bin/java.exe, which is 11.0.11.0. What do you recommend?

It is always recommended to use the JDK to run the update which is being used by CF.

@Megha #1 Yes, Enable Whitespace Management is unchecked in the settings. #2 Note: This is for ACF 2021 (not 2023). 1. Yes, it was run with

sudo

2. The jar was run with java-11-openjdk-amd64 (which is what we use to run CF for the instances) 3. Not applicable, given the response to 2.

@priyank_adobe OK, I'll use the jdk cf is using in the future. You might want to update the update docs to say that, rather than saying to use /ColdFusion2021/jre/bin/java.exe. The update appeared to run fine, and I could get into cf admin, but all datasources timed out. Didn't try anything else, sites won't run with no db connections. That appears to be due to the NoClassDefFoundError error I noted above.

just clear the felix-cache once and restart the CF after you install the update.

Hi Dave, if you a re trying again, can I suggest a screenshare session where I can help you with that?

@rodel30 Can you try by checking the whitespace checkbox, that should resolve the blank update window for you. And in case of running Java -jar via cmd, our shipped JDK is what we would recommend to use

@sandip_halder Thank you for your offer of a screen share. I'd be glad to do that, but unless my process is wrong, I'd like to do the update the way we usually do, so I can do it again on the production server. Please DM me with screen share instructions.

@Megha Yeah, I could try that with one of the instances. As far as the command line, @priyank_adobe just told Dave that the preferred java to use is the one that CF uses to run (which isn't necessarily the one packaged with CF). Can you two chat with each other and then actually decide what the correct suggestion is?

For anyone watching the thread of my issues with cf2021 update 12, @sandip_halder contacted me directly, and we did a Teams meeting where he quickly zeroed in on a fix. His help is much appreciated! Apparently this was a one-off failure, somehow the SQLServer package was broken. That's odd, because this update didn't have any packages in it, and the server has been running fine since update 11, which was the last one that did have some. The actual fix was to stop cf, uninstall the sqlserver package, restart cf so it recognizes that that package isn't installed, stop cf again, install sqlserver, and restart cf once more. That fixed the issue. Most likely, it wasn't caused by the update itself (or more people would have seen it), or by the -jar jdk version, just a random aberration. He also suggested running updates with the same jdk that cf itself is using, which isn't currently what the update docs say. He's going to get the docs updated, more as best practice than because there's any reason to think that was the cause of this problem. Again, props to Sandip and Adobe for exemplary customer service :)

For my issue, checking the "Enable whitespace management" fixed the Admin interface not working for installing updates. I ran the update via the admin and after it was done the instance was still on update 10. Checking the logs, it shows the same fatal errors of the temp files/directories not existing when expected.

Just to say it, re my sqlserver datasources issue, this validated our practice of backing up the cfusion directory before any updates. I've never had to use that backup before, but in this case, I replaced the existing cfusion directory with that backup, things worked again, then with Sandip's help, reapplied the update. So, if you're not doing similar backups before updating, Murphy says you really should! Super glad I didn't have to build out that server from scratch, will be even gladder if it happens in again production.

Using the

-Djdk.util.zip.disableZip64ExtraFieldValidation=true

argument for the java command solved the issue with temp files not existing. Thanks to @sandip_halder for helping sort that out!

I have a CF2023 server that was installed using the refreshed installer, so it came with Update 5. Update 6 is not showing up in the admin. I’m Running Windows 2022 Server.

@foundeo let me verify this. I did test this yesterday post release in both installers. But I will verify one more time.

I ran the lockdown installer on this server too, but pretty vanilla server other than that - haven’t even changed any settings in CF admin yet

@priyank_adobe @foundeo we're seeing exactly the same problem, no update 6 appearing in CFAdmin, but https://www.adobe.com/go/coldfusion-updates shows update 6 in the browser on the same machine

@davequested Could you please try now

still not there for me

For Coldfusion 2021 update 12 is bullet point #3 wrong on https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-12.html now under offline installation? I don't see the bundles folder anymore. So for "Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerReposityUnzippedPath>/*bundles*/bundlesdependency.json" I just see the bundlesdependency.json under hotfix-packages-cf2021-012-330257

@priyank_adobe I see it now, but now it never actually downloads, just says 'Starting Download ...' but nothing actually happens.

@davequested I am checking the issue right now

FYI changing the update site url to https://cfdownload.adobe.com/pub/adobe/coldfusion/xml/updates.xml and it now shows up for me

It will work now, I have made the changes

@priyank_adobe still stuck on 'Starting download ...'

@davequested Please check the directory, it is already downloaded. We saw this issue in one of the machine and found that the hotfix jar is already downloaded even though the UI says, it is downloading.

@priyank_adobe only update 5 in the hf-updates directory. Clicking on re-download or install just hangs on 'Starting download ...' I've tried restarting CF, no difference

@priyank_adobe @sandip_halder There's still something I'm not sure I have right, the piece of the update install instructions about "INSTALL THE UPDATE IN OFFLINE MODE MANUALLY '. We're not installing offline exactly -- the server has access to both our internal network and the public internet -- but we are applying updates via the command line, after downloading them. (We do that because our experience has been that that's more reliable than installing them through the admin UI.) Does this section of the install doc apply to that installation flow or not? We've never done the ' Update "packagesurl" ' step, or unzipped the update manually before running the -jar command, for the many updates we've installed on the cmd line. Am I doing this wrong? And just to say it, besides answering here, it'd be great if the update install instructions could be clearer on how to do this installation flow correctly.

@Dave Merrill it is not applicable to you, it is only for the users who do not have access to the internet and updater cannot download the packages from Adobe site.

OK, thank you for clarifying.

@priyank_adobe So hotfix-006-330617.jar is created in updateinstallers, 31,694kb, in Chrome the network tab continually fires http://localhost:8501/CFIDE/administrator/updates/download.cfc?method=getstatus&amp;id=hf-2023-00006-330617 It just continues forever. How do we force it to continue? I'm on Update 5. I've tried deleting the jar, trying again, just does the same, it downloads it, but continually stuck on download.cfc getstatus.

@davequested Install it via the command line maybe? I gave up on installing updates through the admin UI long ago, much less reliable than the cmd line.

Dave are you running Fusion Reactor? Is there anything in logs (either in Java or CF or even at the server) that's breaking on a restart of CF? Access permissions in folders for the auth account CF is running under all good? Absolutely no reason for the package to break on restart that I can think of. @priyank_adobe can you get a screen share going with Dave so he can show you the DS breaking and maybe you can delve into the logs in a way I haven't thought of here?

No FR on that dev server. It's on prod for that app, and both dev and prod for another one, but not here. I do have the coldfusion-error.log, which has various errors including one of these every time I test a datasource in the admin: java.lang.NoClassDefFoundError: com/ddtek/jdbc/extensions/ExtEmbeddedConnection

OK so I have no idea what I'm doing here (what else is new) but "ExtEmbeddedConnection" maybe possibly almost nearly kind of sounds like it is some kind of integration code for ExtJS? And since a lot of that stuff recently had a stern talking to, is it possible that the java file used for that is now now being found and is causing a downstream kerfluffle (technical term)?

Doubt it, this is SQL connection stuff, not js. The package Sandip had me replace was

sqlserver

. Full error stack is this:

Exception in thread "Thread-40" java.lang.NoClassDefFoundError: com/ddtek/jdbc/extensions/ExtEmbeddedConnection
	at macromedia.jdbc.sqlserver.base.r.dg(|SQLServer|6.0.0.1282|:49)
	at macromedia.jdbc.sqlserver.base.s.I(|SQLServer|6.0.0.1282|:135)
	at macromedia.jdbc.sqlserver.base.BaseDriver.connect(|SQLServer|6.0.0.1282|:190)
	at macromedia.jdbc.MacromediaDriver.connect(MacromediaDriver.java:256)
	at coldfusion.server.j2ee.sql.pool.JDBCPool.createPhysicalConnection(JDBCPool.java:666)
	at coldfusion.server.j2ee.sql.pool.ConnectionRunner$RunnableConnection.run(ConnectionRunner.java:67)
	at java.base/java.lang.Thread.run(Thread.java:834)

I mean, honestly the support engineers are 10x as experienced with working on these these than I am. I'm a code monkey at heart, not a server expert by any means... maybe @carehart can chime in here...

Sandip locked in on the sqlserver package immediately, and removing and reinstalling it did provide an immediate fix, but clearly that hasn't settled out the issue. Charlie's great, but we're a non-profit, and I don't have a mandate to hire him to solve what appears to be an issue w this update, at least in our environment.

wasn't suggesting that, more of a "has he seen this before" inquiry here.

I've not seen this specific issue before.

OK, thank you Charlie for chiming in. 🙂

Thanks @carehart, much appreciated.

Can you drop kick it onto a google drive and grant my Adobe email access rights? I finally convinced the powers that be that I needed an exception for using google services with my official email, so I can take a look there. I also just requested that we make this issue a priority item in our core meeting (engineering, support, marketing and product leadership) this evening to try and get some answers.

@sandip_halder @priyank_adobe @Mark Takata (Adobe) Mark and I spent quite a while yesterday investigating and trying things, but didn't come up with a repeatable fix for all datasources crashing with a low level java error. I understand that this is a rare failure, maybe unique to us, but Sandip validated our install process, and we're still stuck, can't deploy this update. Have you been able to understand this any further? I'm happy to do another Teams meeting, try stuff on my dev server, or help in any other way I can, but it'd really be great to get this resolved. And as I've said, I really appreciate everyone's assistance, very much.

Hi Dave, sorry, PST timezone here. 2 hours ago I was just getting done with a freezing cold run in the park. Brrrr. Priyank is preparing to get on a call with you to have you screen share repro the issue and then potentially look at other log files. I shared your log file as well as a very detailed description of what we did yesterday. I also shared this with the engineering and support leadership team last night.

Thanks Mark, I knew it was way early for you, was hoping to connect with Priyank and/or Sandip before it got too late for them. I have another commitment for the next hour, but I'll be available after that. Thank you again.

@Dave Merrill We heard from few other customers for the same issue and trying to replicate the same at our end. Could you please let me know if all the DB connections are MSSQL or any other DBs you are using?

Hi @priyank_adobe, yes all datasources on that machine are SQL Server.

@Dave Merrill I tried with and without the lockdown and I am still not able to replicate the issue. Can we get on a call to try this at your end?

Sure, DM me a Teams meeting (that's how I did it w Sandip), or however you'd like to connect.