# adobe
m
Updates to CF 2018 and CF 2021: https://community.adobe.com/t5/coldfusion-discussions/released-coldfusion-2021-and-2018-october-security-updates/m-p/13259746 NOTE: You MUST reinstall any custom hotfixes after applying these patches. They will be found here: /ColdFusion2021/cfusion/hf-updates/hf-2021-00005-330109/backup/lib/updates
Docker image updates coming soon...
f
Kudos CF team for getting the info out before the APSB is even published!
m
I should also note, please read through all the info on the security portions, there's important details in there.
h
Installed this update in my dev environment manually as I've always done with java -jar hotfix.xxxxxxx and it looks like all of the packages were uninstalled. 😒
d
@hemi345 what do you mean? the update uninstalled packages that had previously been installed in cf?
h
Yes, every package was uninstalled after the update finished. I had to use cfpm to install administrator
When I tried to access the CF administrator it told me the administrator package wasn't installed. So I did that and then went to packages and all the packages I had installed (about 18) were no longer installed.
m
@priyank_adobe have we heard of this occurring?
h
On one of my production servers, I see it says package updates available (18). So I guess in the process of the installer trying to update those, they got removed and supposed to be re-added. That part broke.
p
Let me try one more time and get back
In case update is installed, you can install the adminapi and administrator package using cfpm
h
yeah, that's what I needed to do.
m
That seems like a bug, right? Like, why is the update removing packages that are installed?
p
It could be but let me try once again. I ran the update in a couple of servers before the release and it worked fine.
Let me try and update; however, I added the workaround in case you want to install the packages.
h
the red "18" was what I was referring to above.
p
This is intended but I will confirm this.
h
and you can see the administrator package has a newer available version as shown in the expanded listbox.
p
Yes, there is an updated version available
d
Does anyone know why the ability to read log files via cf admin has been removed?
p
I tried the update on 2 different servers and update along with packages installed properly.
m
Priyank, I also did this and did not have the issues Mith encountered...
p
Thanks Mark, I will continue to test this and will update everyone
d
@Mark Takata (Adobe) I saw that same info in the release notes, that's why I asked. (I haven't installed the update anywhere yet, waiting for the packages thing to settle.) That's not a feature I've used a lot, but it is occasionally useful, and it's just odd that it's been removed. If it's a security thing, I'd think that there are a lot of other capabilities in the admin that are more dangerous than that one.
m
I've got an email in to engineering about that. I DO use it quite a bit when debugging, and not having it in the admin is extremely annoying. And essentially every place I've worked I've taught that style of debugging to the devs. I am honestly completely flummoxed as to why it was actually removed, but I should hopefully know soon. This is a hell of a way to force our users into using a logging framework...
h
I used admin to view the log files occasionally also. It always bugged me that I had to root around the filesystem with Lucee to view them so I guess misery loves company.
p
@hemi345 Can you please confirm, if you have internet access in your Dev server?
d
Am I right that the appropriate java version for both the latest cf2018 and 2021 releases is JAVA SE 11.0.16.1 (LTS)?
p
@Dave Merrill You can use this Java version with both CF2018, CF2021.
d
@priyank_adobe Thanks, that's what I thought.
Do we have anything further about the removal of log file access from the admin?
p
This is an intended change and I understand that a lot of developers quickly check the error/exception and there will be inconvenience; however, they can go to the logs directory and check the same.
h
@priyank_adobe no, the dev server is not internet accessible.
p
@hemi345 that is why it is not able to install the updated packages. You need to download the hotfix jar and packages and configure the same in CF Admin Settings and give the URL/Path for packages and then run the update installer and it will first uninstall the packages and then install the latest ones.
h
ah, I misinterpreted your question. The Dev server can access the internet, but is firewalled from having inbound traffic to it. I used the CF admin to download the update and then installed the update manually. I'll patch the production servers soon, so since I haven't seen other reports of this, it might be a one off thing.
p
if you need any help with update installation, you can reach out to our team.
h
thank you Priyank, I appreciate it.
m
@Dave Merrill the log access change was a security related issue. I am trying to see what we can do to return some of the functionality back in the future, but it will take some time.
d
@Mark Takata (Adobe) @priyank_adobe We typically don't allow direct access to the production server file system for most developers. Having web access is useful for those people, and should be protected in the same ways and to the same degree that the rest of the admin is protected.
r
Chiming in here on the log access: we also do not have file-system access on the servers which would enable access to the logs, and likely never will. Losing access to the logs through the UI is a pretty big deal from a trouble-shooting standpoint.
d
Sorry to repeat myself, but no answer. Do we think these updates may remove installed packages or not? That's kind of critical info. @Mark Takata (Adobe) @priyank_adobe Note that I'm not talking about the architectural issue of trying to install packages on a not-fully-current system, also important, but not my question. I want to know if I can update from 1 or 2 versions back without it removing packages that are already installed.
m
When I installed the update on my system, it did NOT remove packages I had installed. I believe @priyank_adobe also tested on several systems, and also did not encounter that issue. So far I've only seen one person who reported this. This type of thing by the way is a big reason I'm looking forward to the central management feature of Fortuna. You'd be able to apply an update and if it did something stupid, just hit undo and go back to the previous configuration with everything intact.
d
Thanks for the experiences Mark.
d
So, ACF removed the ability to view log files via the admin. So, exactly how are you to view the log information? If you can't see the log information (i.e. don't have access to the server or file system), what good is the log? Seems like someone missed the boat here. Just saying.
m
Drew, the viewer was removed for a good reason. I was also a heavy user of the in-admin log viewing tool (as horrible as it was) for debugging, so I'm doing what I can internally to get some kind of functionality back in. In the meantime, at least for my own use, I downloaded and am using "Universal Viewer", a freeware product that lets you view logs in a simple viewer. This is not a recommendation, please do your research and choose the product which fits your company's individual security requirements.
d
Ok I'll bite. Does anyone have a cf-based log viewer built or started? Seems like the major bits would be:
a) A list of the available log file types
Then for each one:
b) Directory location
c) Maybe a filename filter if there's other stuff besides the actual log files in there
d) A parser/viewer
At least initially, I don't need to be able to archive or delete them, just look at them. Thoughts?
m
Oh, I like this idea Dave.
d
Would Adobe care to contribute to such a thing you think? Can you say anything about the risks that caused this functionality to get removed from the admin, privately if you want, so we don't just recreate the same problem?
Open source would make it inherently auditable if anyone had concerns.
m
Dave, I have a note in to get clarity on what I'm allowed to share. I will also ask if there's anything we can do to support a log reader project. I personally think it is a very worthwhile endeavor.