DataBank has issued a Security Bulletin to all of its ColdFusion clients about the recent Adobe ColdFusion vulnerability. DataBank has partnered with CF Webtools to do the patching for all of its ColdFusion clients' servers.
CF Webtools is a full-service ColdFusion consulting company providing high quality development services and specializing in the ColdFusion stack. If it has to do with ColdFusion, we will be able to help!
Both CF Webtools and DataBank are highly engaged in helping their customers maintain secure environments. Patching and regular maintenance are part of that process. If you haven't yet patched your server – whether you host with a high quality provider like DataBank or host it yourself – give us a call at (402) 408-3733 and we will take the worry out of ColdFusion security.
Adobe just released security updates for ColdFusion 11 and ColdFusion 2016. This is a critical security update and you should be updating your ColdFusion servers. The information below is from the CF Webtools operations group. If you need help upgrading your VM or patching your server (or anything else) our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at cfwebtools.com. Meanwhile, this info below will help IT staff and DIY types get started.
With ColdFusion 11 Update 13 and ColdFusion 2016 Update 5 there are additional manual steps required to complete the security patch. The additional requirements are the same for both ColdFusion 11 and ColdFusion 2016, and the remaining information pertains to both versions. Both updates require that ColdFusion be running on Java version 1.8.0_121 or higher. For reference, ColdFusion 11 ships with Java version 1.8.0_25 and ColdFusion 2016 ships with Java version 1.8.0_72. The Java that needs to be installed is different from the "Windows User" Java client that may already be installed. The installer is available from Oracle. Once the new Java version is installed, the jvm.config file for each ColdFusion instance needs to be updated to point to the new Java installation path. If you're running the Enterprise version of ColdFusion, it is likely that more than one ColdFusion instance is running, each with its own jvm.config.
Part of the instructions from Adobe says that if your ColdFusion server is installed as a J2EE server there is additional manual configuration that you need to do. However, every installation of ColdFusion since the release of ColdFusion 10 is a J2EE (JEE) installation. What Adobe really meant is that the extra step applies if you are using a third-party JEE server rather than the built-in Tomcat JEE server.
If your ColdFusion server is running on a third-party JEE server such as WebLogic, WildFly, a custom Apache Tomcat, etc. (not the built-in Tomcat that comes with ColdFusion), then the following step needs to be completed.
Set the following JVM flag, "-Djdk.serialFilter=!org.mozilla.**", in the respective startup file for the type of application server being used.
For example,
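A pre-patch check covering the two manual steps above (a JVM of 1.8.0_121 or newer, and the serialFilter flag in a third-party JEE server's startup file), written here as an added example in POSIX sh; it is not part of the CF Webtools bulletin, and the sample version string, jvm.config contents and paths are constructed for illustration.

```shell
# Added example (not CF Webtools code): pre-patch checks for the bulletin's two
# manual steps. Sample version strings and jvm.config contents are constructed.

# Pull the version string out of `java -version` output:
#   java version "1.8.0_144"   ->   1.8.0_144
java_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^.*version "\([^"]*\)".*$/\1/p' | head -n 1
}

# Return 0 when a 1.x version string is 1.8.0_121 or newer, the minimum the
# bulletin gives for ColdFusion 11 Update 13 / ColdFusion 2016 Update 5.
# Anything else (1.7.x, or a Java 9+ style string) fails the check.
java_version_ok() {
    case $1 in
        1.*) ;;
        *) return 1 ;;
    esac
    minor=$(printf '%s' "$1" | cut -d. -f2)
    upd=${1##*_}                                   # text after the last "_"
    # No _NN suffix counts as update 0; otherwise drop a build tag like -b01.
    if [ "$upd" = "$1" ]; then upd=0; else upd=${upd%%[!0-9]*}; fi
    [ "$minor" -gt 8 ] && return 0
    [ "$minor" -eq 8 ] && [ "$upd" -ge 121 ] && return 0
    return 1
}

# Return 0 when the startup/config file already carries the JVM flag the
# bulletin says WebLogic, WildFly and custom Tomcat installs need.
serial_filter_set() {
    grep -F -q -- '-Djdk.serialFilter=!org.mozilla.**' "$1"
}

# Read java.home from a ColdFusion jvm.config, the path each instance must
# point at the newly installed Java.
jvm_config_java_home() {
    sed -n 's/^java\.home=//p' "$1" | head -n 1
}

# Demo on constructed input; on a real host pass "$(java -version 2>&1)" and
# the instance's jvm.config or the JEE server's startup file instead.
demo() {
    ver=$(java_version_from_output 'java version "1.8.0_144"')
    java_version_ok "$ver" && echo "JVM $ver: OK" || echo "JVM $ver: too old"
    tmp=$(mktemp)
    printf '%s\n' 'java.home=/opt/java/jdk1.8.0_144/jre' \
        'java.args=-server -Djdk.serialFilter=!org.mozilla.**' > "$tmp"
    serial_filter_set "$tmp" && echo "serialFilter: set" || echo "serialFilter: MISSING"
    echo "java.home: $(jvm_config_java_home "$tmp")"; rm -f "$tmp"
}
```

The grep only confirms the flag text is present in the file; whether the running JVM was restarted with it is a separate check against the live process.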
This is one more friendly reminder to make sure your ColdFusion servers are patched! Either patch them yourself, have your hosting provider patch them, or, if they are not familiar with ColdFusion, contact us at CF Webtools to patch your servers.
As always, if you need help migrating to the next version, scanning your ColdFusion server for security vectors or installing this patch and new Java version, contact your project or account manager directly, or send an email to support@cfwebtools.com. You can also simply respond to this email (or call 403-408-3733).
*Note: ColdFusion 11, when it was first released, came with a version of Java 1.7.0_nn. Adobe later re-released ColdFusion 11 with Java 1.8.0_25. If you have ColdFusion 11 still running on Java 1.7, I highly recommend that Java be upgraded to Java 1.8. Oracle is no longer supporting Java 1.7, and 1.7 is long past its end of life. Even though the Adobe instructions for this current security update state that you can run Java 1.7.0_131, I highly recommend upgrading to Java 1.8.
You may know that MSSQL allows for "implicit conversion" between data types. For example, if you have a character column and you pass it a number without single quotes (as in myCharCol = 1), MSSQL will automatically convert the value 1 into a character for the purpose of the query. On a ColdFusion 5 server this behavior carries through seamlessly even when you are binding data using cfqueryparam. However, if you are using cfqueryparam in a query on a CF 5 server and also relying on implicit conversion within the same query, you should know that you may have a problem getting that cfquery to work in ColdFusion MX. The issue is that JDBC "prepares" the statement by validating it against the schema. Here's an example:
My friend and fellow Guru Ryan Stille has written an outstanding tutorial on upgrading your JVM. In case you didn't know, you will need to move your JVM up to 1.4.2_11 prior to March 11th in order to comply with the new daylight saving time standards.
CF Muse reader Eric Priest from Montana University asks:
We are getting ready to upgrade our web and database servers from Windows 2000, running SQL Server 2000, 32-bit, to Windows 2003 Server running SQL Server 2005, 64-bit. We have a lot of legacy applications written in JavaScript and ColdFusion MX Studio. I am wondering if these changes will break any of our existing applications and how I can determine the impacts?
First, you should know that this is not a widely used platform yet - at least not for web servers. Secondly, if you are running both SQL 2005 and ColdFusion on the same 64-bit server, make sure to buy 6 GB or more of RAM. Now, assuming you have separate servers, SQL will run splendidly in 64-bit mode (assuming you have the right version). Let's talk about ColdFusion.
In my previous post on the topic of integrating MQSeries with ColdFusion MX, I included some sample code for sending and retrieving messages to "put" and "get" queues using an MQManager object. This post has a correction and an addition to that original sample code.
This post may be one that very few of my readers will care about. But if you are the 1 reader in 1000 that needs to know how to connect to MQSeries version 6 using ColdFusion, then this post may prove a life saver. You can benefit from the 50 hours of my life I spent figuring this out that I will never get back. Here's the scoop. We have a client who needs to upgrade a ColdFusion installation running on CF 5. The current installation uses COM. Under load it becomes unresponsive.
NOTE: There is an update to this post that was entered on 4/24.
Picture this - a good customer comes to you with a complex application running nicely on ColdFusion 5.0. It has a few performance issues, but much of it is related to the code, not the platform. He or she poses this question: "Why should I move to ColdFusion MX?" Hmmmmmm....