Updates for ColdFusion 2016, ColdFusion 11 and ColdFusion 10 released

This post is to announce the release of updates for ColdFusion 2016, ColdFusion 11 and ColdFusion 10.

These updates address a common vulnerability mentioned in security bulletin APSB 16-16, upgrade the Tomcat engine and contain other bug fixes. 

ColdFusion 2016 Update 1

ColdFusion (2016 release) Update 1 addresses an issue mentioned in the security bulletin APSB 16-16. Tomcat has been upgraded to version 8.0.32. This update includes several important bug fixes for security, core language features, server, and other areas.

For details, refer to this technote.

ColdFusion 11 Update 8

ColdFusion 11 Update 8 addresses an issue mentioned in the security bulletin APSB 16-16. Tomcat has been upgraded to version 7.0.68. This update includes several important bug fixes for security, language, AJAX, and other features.

For details, refer to this technote.

ColdFusion 10 Update 19

ColdFusion 10 Update 19 addresses an issue mentioned in the security bulletin APSB 16-16. Tomcat has been upgraded to version 7.0.68. This update includes important bug fixes for security and server.

For details, refer to this technote.

Application deployed on Network/Remote Path – Identifying Network Latency – Improve Performance

ColdFusion application code is often deployed on a network path, particularly when your ColdFusion deployments are large-scale and mandated to use network paths.

If you see a performance hit after setting up the server for the first time, there are a few things to cross-check first. One of them is whether there is any network latency.

Though you would have the same network within your organization as earlier, your OS version would also have changed.

Follow the steps below to see if the performance hit is due to network latency:

When the server is under moderate or full load (with at least 8-10 requests in process), take 2 or 3 thread dumps at 30-second intervals.

It is not appropriate to take and analyze a thread dump when the server has negligible load, as there may not be any in-process requests.

If you are not sure how to take a thread dump, you can follow this blog post: Taking Thread Dumps from ColdFusion Server Programmatically.

Open the thread dump file:

Under moderate or full load, if more than 5-8% of the running ColdFusion threads contain “WinNTFileSystem” in their stack trace, it means that a lot of time is being spent trying to resolve the application file paths.

The following are sample threads with WinNTFileSystem in their stack traces.

"ajp-bio-8014-exec-6861" Id=13898 in RUNNABLE
 java.lang.Thread.State: RUNNABLE
 prio=5 blockedtime=28963 blockedcount=6819 waitedtime=421762 waitedcount=115
    at java.io.WinNTFileSystem.getBooleanAttributes(Native Method)
    at java.io.File.isFile(File.java:876)

 

"ajp-bio-8014-exec-6861" Id=13898 in RUNNABLE (running in native)
 java.lang.Thread.State: RUNNABLE
 prio=5 blockedtime=28961 blockedcount=6814 waitedtime=421762 waitedcount=115
    at java.io.WinNTFileSystem.canonicalize0(Native Method)
    at java.io.Win32FileSystem.canonicalize(Win32FileSystem.java:414)
    at java.io.File.getCanonicalPath(File.java:618)

 

(Note: ColdFusion threads can be identified by the name starting with "ajp-" )

For example, if there are 50 threads whose names start with "ajp-bio-" in the thread dump and you see WinNTFileSystem in more than 2-3 of them, it is time to start looking at minimizing the network latency.
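The count described above can be scripted instead of done by eye. The following Python is an added example, not part of the original post or of ColdFusion; it assumes the dump layout shown in the sample threads, and the function names, the constructed sample dump and the 5% default threshold (the lower end of the 5-8% range above) are choices made here.

```python
import re

# Header line of a thread in the dump format shown above, e.g.
#   "ajp-bio-8014-exec-6861" Id=13898 in RUNNABLE (running in native)
HEADER = re.compile(r'^"(?P<name>[^"]+)"\s+Id=\d+\s+in\s+(?P<state>\w+)')


def parse_threads(dump_text):
    """Return one dict per thread: name, state and list of stack frames."""
    threads, current = [], None
    for line in dump_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = {"name": header["name"], "state": header["state"], "frames": []}
            threads.append(current)
        elif current is not None and line.strip().startswith("at "):
            current["frames"].append(line.strip()[3:])
    return threads


def file_path_pressure(dump_text, prefix="ajp-", marker="WinNTFileSystem", threshold=0.05):
    """Share of request threads (name starts with `prefix`) with `marker` in the stack."""
    request_threads = [t for t in parse_threads(dump_text) if t["name"].startswith(prefix)]
    hits = [t["name"] for t in request_threads if any(marker in f for f in t["frames"])]
    total = len(request_threads)
    ratio = len(hits) / total if total else 0.0
    return {"request_threads": total, "hits": hits, "ratio": ratio,
            "investigate": ratio > threshold}


def _thread(name, frames, state="RUNNABLE"):
    """Build one constructed thread entry in the same layout as the samples."""
    stack = "\n".join("    at " + f for f in frames)
    return f'"{name}" Id=1 in {state}\n java.lang.Thread.State: {state}\n{stack}\n'


# Constructed sample: 50 request threads, 4 of them resolving file paths, plus
# one non-request thread that must not be counted.
FS_STACK = ["java.io.WinNTFileSystem.getBooleanAttributes(Native Method)",
            "java.io.File.isFile(File.java:876)"]
IO_STACK = ["java.net.SocketInputStream.socketRead0(Native Method)"]
SAMPLE_DUMP = "\n".join(
    [_thread(f"ajp-bio-8014-exec-{i}", FS_STACK) for i in range(4)]
    + [_thread(f"ajp-bio-8014-exec-{i}", IO_STACK) for i in range(4, 50)]
    + [_thread("scheduler-1", FS_STACK)]
)

if __name__ == "__main__":
    result = file_path_pressure(SAMPLE_DUMP)
    print(f"{len(result['hits'])}/{result['request_threads']} request threads "
          f"({result['ratio']:.0%}) in file-path resolution; "
          f"investigate={result['investigate']}")
```

Run it over each of the 2 or 3 dumps taken under load; a single dump above the threshold is weaker evidence than all of them agreeing.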

 

Once you know there is latency, you will want to know how large it is compared with the same application deployed locally.

A very basic network latency test program has been created to validate this.

You can take the jar from here.

Run it from a command prompt as follows:

> C:\ColdFusion11\jre\bin\java -jar <Path of NetworkPathsTest.jar> <Network or Local Directory Path>

If the network path (e.g. \\orgserver\d$) is accessible only to the ColdFusion service user, open the command prompt as that user ( runas /user:<cfserviceaccount domainname>\cfserviceusername CMD ).

 

Examples:

You can pass one or more path arguments. Passing more paths makes the difference easier to see.

C:\ColdFusion11\jre\bin\java -jar C:\ColdFusion11\NetworkPathTest.jar \\orgserver\d$\deploycfm

C:\ColdFusion11\jre\bin\java -jar C:\ColdFusion11\NetworkPathTest.jar \\orgserver\d$\deploycfm \\orgserver\d$\deploycfmapi

Try the same paths, with the same content, on the local machine and compare the times.

For the same paths on local and remote, the difference in time should not be exponential.

These tests are to be performed on your ColdFusion server machine.
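The same local-versus-network comparison can be made with a short script whose source you can read before running it under the service account. This is an added stand-in, not the NetworkPathsTest.jar from the post, whose internals are not shown here; it assumes that timing file-attribute and path-canonicalization calls (the operations seen in the stack traces above) is a fair proxy, and the script name path_latency.py and all function names are hypothetical.

```python
import os
import sys
import time


def _summary(root, checked, elapsed):
    """Package one measurement; ms_per_entry is 0.0 for an empty directory."""
    per_entry_ms = (elapsed / checked * 1000) if checked else 0.0
    return {"path": root, "entries": checked, "seconds": elapsed,
            "ms_per_entry": per_entry_ms}


def time_path_resolution(root, max_entries=5000):
    """Time isfile() + realpath() for up to `max_entries` entries under `root`."""
    checked, elapsed = 0, 0.0
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            start = time.perf_counter()
            os.path.isfile(full)      # attribute lookup, as in File.isFile
            os.path.realpath(full)    # canonicalization, as in File.getCanonicalPath
            elapsed += time.perf_counter() - start
            checked += 1
            if checked >= max_entries:
                return _summary(root, checked, elapsed)
    return _summary(root, checked, elapsed)


def compare(local_root, remote_root, max_entries=5000):
    """Measure both copies and report how many times slower the remote one is."""
    local = time_path_resolution(local_root, max_entries)
    remote = time_path_resolution(remote_root, max_entries)
    slowdown = None
    if local["ms_per_entry"] > 0:
        slowdown = remote["ms_per_entry"] / local["ms_per_entry"]
    return {"local": local, "remote": remote, "slowdown": slowdown}


if __name__ == "__main__":
    # Usage: python path_latency.py <local directory> <network directory>
    if len(sys.argv) != 3:
        sys.exit("usage: path_latency.py <local directory> <network directory>")
    report = compare(sys.argv[1], sys.argv[2])
    for side in ("local", "remote"):
        m = report[side]
        print(f"{side:6} {m['path']}: {m['entries']} entries, "
              f"{m['ms_per_entry']:.3f} ms per entry")
    if report["slowdown"] is not None:
        print(f"remote is {report['slowdown']:.1f}x slower per entry")
```

Run it twice and use the second result, since the first pass over a network share also pays for cold caches.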

Once you have validated this and found latency, it is time to call in network optimization expertise.

 

 

ColdFusion 11 Update 7 and ColdFusion 10 Update 18 are now available

This post is to announce the release of new updates for ColdFusion 11 and ColdFusion 10.

ColdFusion 11 Update 7

ColdFusion 11 Update 7 includes support for Windows 10 and OS X 10.11. Tomcat has been upgraded to version 7.0.64. This update addresses a vulnerability mentioned in the security bulletin APSB15-29 and also includes bug fixes related to connector, database, language, caching and certain other areas.

For more details, refer to this article.

ColdFusion 10 Update 18

ColdFusion 10 Update 18 includes support for Windows 10 and OS X 10.11. Tomcat has been upgraded to version 7.0.64. This update addresses a vulnerability mentioned in the security bulletin APSB15-29 and also includes bug fixes related to connector, language, caching and certain other areas.

For more details, refer to this article.

For those who have applied the early access release (pre-release) build of Update 7 or Update 18, follow the steps below to reinstall Update 7 or Update 18, as applicable.

1.     Uninstall Update 7 (PreRelease) or Update 18 (PreRelease).

2.     Reinstate the update URL by clicking on the “Restore Default URL” button in the “Server Updates” section in the ColdFusion administrator.

3.     Switch to the “Available Updates” tab and click on the “Check for Updates” button.

4.     Download and install Update 7 or Update 18.

 

ColdFusion 11 Update 7 is available for early access

Update: Since this post was made, the final version of Update 7 was released and should be used instead.

 

ColdFusion 11 Update 7 early access build is now available for your testing and feedback. It includes support for Tomcat 7.0.64, Windows 10 and Mac 10.11 along with several bug fixes.

Please note that this is a test build and should not be used in a production environment.

Refer to this document for the list of bugs fixed in this update.

Follow the steps below to apply this update.

  1. Navigate to ColdFusion Administrator -> Server Updates -> Updates.
  2. Under the Settings tab, check the "Automatically Check for Updates" check box.
  3. Change the Site URL to https://cfdownload.adobe.com/pub/adobe/coldfusion/PR/updates.xml. 
  4. Click Submit to save your changes.
  5. Under the "Available Updates" tab, click on the “Check for Updates” button.
  6. "ColdFusion 11 Update 7(PreRelease)" should be listed under the "Available updates" tab. 
  7. Click on the "Download and Install" button to install the update.

To apply this update manually, click on this link to download the update jar. To run the downloaded jar, execute the following command:

java -jar <jar-file-dir>/hotfix_007.jar

You should use the JRE used by CF to run the update jar (for standalone CF, it should be <cf_root>/jre/bin).

MD5: 2248f3a1401fe658b40743102c5d5999

For further details on the manual application of the updater, follow this help article.

The build number after applying this update should be 11,0,07,296112(PreRelease).

If you have configured a local site for receiving the update notifications, please take a backup of that URL before changing it to the prerelease URL.

We look forward to your valuable feedback and suggestions.
 

Running ColdFusion 10 and 11 on Windows 10

 

Important update: Note that ColdFusion 10 and 11 have been updated to support Windows 10, a few weeks after this blog post was first written. Consider applying that update rather than this preliminary wsconfig update.

 

Windows 10 is not certified yet with ColdFusion 10 and 11. The certification will be available as part of the next update. However, you can run ColdFusion 10 or ColdFusion 11 on your development environment by following the below outlined steps. 

ColdFusion 11 32-bit/64-bit

Link for updated wsconfig.jar

1. Please take a backup of the existing wsconfig.jar at ColdFusion11\cfusion\runtime\lib and move it outside the ColdFusion directory.

2. Stop the ColdFusion services and remove the older wsconfig.jar.

3. Download the jar files from the links above.

4. Place them in the location mentioned in Step 1 and restart IIS/ColdFusion.

5. Please take a backup of the connector folder at ColdFusion11\config\wsconfig\[magic number].

6.       Recreate the connector and test your application.

 

ColdFusion 10 32-bit/64-bit

Link for updated wsconfig.jar

1. Please take a backup of the existing wsconfig.jar at ColdFusion10\cfusion\runtime\lib and move it outside the ColdFusion directory.

2. Stop the ColdFusion services and remove the older wsconfig.jar.

3. Download the jar files from the links above.

4. Place them in the location mentioned in Step 1 and restart IIS/ColdFusion.

5. Please take a backup of the connector folder at ColdFusion10\config\wsconfig\[magic number].

6.       Recreate the connector and test your application.

 

If you have any questions, please feel free to contact us at cf.install@adobe.com and we will be more than happy to assist you.

ColdFusion 11 Migration Guide

We are happy to announce the first release of the Migration Guide for ColdFusion 11. This guide will help you migrate your ColdFusion 9 and ColdFusion 10 servers to ColdFusion 11 seamlessly. It also gives a fair overview of the migration of legacy servers to the most recent and supported versions. It helps you understand the various phases of migration, along with how to use the Code Analyzer. The Code Analyzer reviews the CFML pages that you specify, informs you of any potential compatibility issues and ensures a smooth migration.

We have also tried to cover a few of the common migration issues and possible solutions.

Here is the link to the ColdFusion 11 Migration Guide, and don’t forget to visit the “Help and tutorials” section inside the guide.

We are open to your suggestions and feedback.

ColdFusion 11 Update 6 and ColdFusion 10 Update 17 now available

The following ColdFusion updates are now available for download. These updates address a common XXE vulnerability in BlazeDS. For details, refer to the security bulletin hyperlinks in the sections below.

Users who are using LCDS with ColdFusion should refer to this technote for updating their LCDS installation.

ColdFusion 11 Update 6

This update addresses a vulnerability mentioned in the security bulletin APSB15-21. This update is cumulative and includes fixes from previous ColdFusion 11 updates.

For details, refer to this technote.

ColdFusion 10 Update 17

This update addresses a vulnerability mentioned in the security bulletin APSB15-21. This update is cumulative and includes fixes from previous ColdFusion 10 updates.

For details, refer to this technote.

Changes in Filter Methods

There has been a recent change in the way the callback functions of the various filter functions work. Earlier, the callback functions took only one element at a time. The following were the syntaxes for the 3 most commonly used filter functions.

ArrayFilter - arrayFilter(array,function(arrayElement){return true|false;});
ListFilter - listFilter(list,function(listElement){return true|false;});
StructFilter - structFilter(struct,function(key, value){return true|false;});

As we can see, for all of these filters the callback function has access to only one item at a time. Effectively, this means that every filter that can be applied has to be independent of all the other elements of the array/list/struct. This was done keeping in mind that, to filter an array/list/struct, we can access the structure element by element, apply the common test to each of them, and return true/false depending on whether the element passes or fails the conditions written in the callback function.

But this limits the functionality of the filter function to a great extent. There can be many real-life scenarios where the filtering of one element has a clear dependency on one or more of the other elements of the array/list/struct. For example, suppose we want to filter out all the elements of a list that are greater than the first element. Previously, this was not possible.

Thus, we changed the design of the filter functions. Now, the callback functions of all three filters have access to the entire array/list/struct in addition to the current element. This enhances the power of filters to a great extent. Much more sophisticated filters can be written for each of them, especially for cases that depend on other element(s) apart from the current element. For example, we can now easily write filters such as: filter out all the elements of the list which are greater than the next element.

The updated syntaxes of the filters are:

ArrayFilter - arrayFilter(array,function(arrayElement [,index, array]){return true|false;});
ListFilter - listFilter(list,function(listElement [,index, list, delimiter, includeEmptyFields]){return true|false;});
StructFilter - structFilter(struct,function(key, value [,struct]){return true|false;});

Edit: This change has gone out in ColdFusion11-Update5. Thanks to @Charlie and @Adam for bringing it up.

getHeaders – a new attribute in the cfexchangemail tag

With ColdFusion 11 Update 3, we have introduced a new parameter called “getHeaders”, in the “cfExchangeMail” tag. It accepts a boolean value. When set to true, cfExchangeMail returns a query with an additional “InternetHeader” column. This column contains a struct containing key-value pairs of the email-headers associated with each message.

Email message headers provide technical details about the message, such as who sent it, the software used to compose it, the version of the MIME protocol used by the sender etc. 

On Exchange 2010, the fields that are returned are: CC, Content-Transfer-Encoding, Content-Type, Date, From, MIME-Version, Message-ID, Received, Return-Path, Subject, To, X-MS-Exchange-Organization-AuthAs, X-MS-Exchange-Organization-AuthSource, X-Mailer.

You may reference this weblink for the detailed list of the fields and their description.

You can put this new feature to any good use that suits your purpose. I will dwell on one such use case below.

In MS Exchange 2010 and later, the “ToId” column in the retrieved messages query contains the primary email address of the sender. A primary email address can have multiple aliases. If you need to retrieve the email-alias the message was sent to, you can make use of this new attribute.

Here’s an example that demonstrates the usage of the tag in the context of the use case discussed above:

<!--- Send a test message to an alias address --->
<cfmail from="#frm_usr_email#" to="#to_usr_alias#" cc="#cc_usr_alias#" subject="#msg_sub#" server="#exchangeServerIP#" port="25">
----------- testing mail to an alias address ------------
</cfmail>

<!--- Give the message time to be delivered before querying the mailbox --->
<cfset sleep(5000)>

<cfexchangeConnection action="open" username="#to_usr#" password="#password#" server="#exchangeServerIP#" serverversion="#version#" protocol="#protocol#" connection="excon">

<!--- getheaders=true adds the internet-headers column to the result query --->
<cfexchangemail action="get" name="usr_msgs" connection="excon" getheaders=true folder="Inbox">
    <cfexchangefilter name="fromID" value='#frm_usr#'>
    <cfexchangefilter name="subject" value="#msg_sub#">
</cfexchangemail>

<cfif usr_msgs.recordcount GTE 1>
    <!--- Subject and header values are set by the sender; in a real page,
          wrap them in encodeForHTML() before writing them into HTML. --->
    info from cfexchangemail fields:<br>
    <cfloop query="usr_msgs">
        <cfoutput>
            #usr_msgs.subject#<br>
            #usr_msgs.CC#<br>
            #usr_msgs.fromId#<br>
        </cfoutput>
    </cfloop>

    info from cfexchangemail.internetHeaders fields:<br>
    <cfloop query="usr_msgs">
        <cfoutput>
            #ReplaceList(usr_msgs.internetHeaders["from"][1], ">,<", ",", ",", ",")#<br>
            #ReplaceList(usr_msgs.internetHeaders["to"][1], ">,<", ",", ",", ",")#<br>
            #ReplaceList(usr_msgs.internetHeaders["cc"][1], ">,<", ",", ",", ",")#<br>
        </cfoutput>
    </cfloop>
</cfif>

 

You can refer to the bugbase for the enhancement request originally logged for this feature.

Taking Thread Dumps from ColdFusion Server Programmatically

Many times you would want to tweak the performance of the ColdFusion server or debug the bottlenecks that make the server unresponsive.

To analyze this, ideally you would want to have thread dumps and a server memory snapshot (Heap Space, Eden Space, Survivor Space, Old Gen, Perm Gen).

While you can use JDK tools like jstack to get the dumps, it is tedious to install them and schedule the thread dumps.

So, here the thread dumps and memory snapshots are triggered programmatically; this can be configured as a scheduled task and can be triggered on demand as well.

Download the following zip file and move it to the server where you want to take thread dumps.

 

threaddump.zip

This zip file contains two files. One is the threaddump.jar file.

Place this file under C:\ColdFusion11\cfusion\wwwroot\WEB-INF\lib and restart the server for it to load.

The other file is the CFM file takethreaddump.cfm, which makes the call to the ThreadDump class and sets the path where the dump content should be written.

By default it is dumped to the file #GetTempDirectory()#/threaddump<Day>-<Month>-<Year>.log

(Depending on the server location, it translates to something like C:\ColdFusion11\cfusion\runtime\work\Catalina\localhost\tmp\threaddump12-8-2015.log)

You can change this to any other convenient path in the cfm file.

You can call this CFM on demand at any point of time or configure a new scheduled task to run it at some interval.

More thread dumps are more helpful for problem analysis, so it is better to take them at some interval.

On every new day, the dump is rotated automatically to a new file name.