Security fix for ColdFusion Builder 3 released

An important security fix for ColdFusion Builder 3 is now available for download. For more information on the vulnerability refer APSB16-44.

You can download the patch from here (md5 checksum : b67914e27ca4fb8e0fc5ecd354e9a330). Apply this patch to secure your ColdFusion Server and Builder installation. Follow the installation instructions detailed at this technote

ColdFusion Builder (2016 release) Update 3 prerelease available

ColdFusion Builder (release 2016) Update 3 prerelease build is available for your testing and feedback. This update includes the following changes :

  • 25 bug fixes including an important security fix and some Security Analyzer fixes.
  • PhoneGap has been upgraded from version 5.2.0 to version 6.0.0.
  • Dictionary (Code Assist) changes to accomodate the changes/enhancements in ColdFusion Server Update3. For details on what is new in ColdFusion Server Update 3, refer this blog post.

For instructions on how to apply this update and details on what is new with this udpate refer this document. For the list bugs fixes and the known issue(s) with this update, refer this document. 

After applying this update, the ColdFusion Builder build number should change to

Updates for ColdFusion 2016, ColdFusion Builder 2016, ColdFusion 11 and ColdFusion 10 released

This article announces the release of updates for ColdFusion 2016, ColdFusion Builder 2016, ColdFusion 11 and ColdFusion 10.

These updates address a common vulnerability mentioned in security bulletin APSB16-22.

ColdFusion 2016 Update 2

ColdFusion 2016 Update 2 fixes an important security issue. It also includes some other important fixes related to Language, Security Analyzer, AJAX, document management, SharePoint, CLI, API Manager and a few other areas.

For details, refer this technote.

ColdFusion Builder 2016 Update 2

ColdFusion Builder 2016 Update 2 (standalone) has been upgraded from Kepler to Mars. It includes important updates to Security Analyzer, a few bug fixes related to performance and other bug fixes. PhoneGap has been upgraded to 5.2.

For details, refer this technote.

ColdFusion 11 Update 9

ColdFusion 11 Update 9 fixes an important vulnerability mentioned in the security bulletin APSB16-22. It also includes a few other fixes.

For details, refer this technote.

ColdFusion 10 Update 20

ColdFusion 10 Update 20 fixes an important vulnerability mentioned in the security bulletin APSB16-22. It also includes a few other fixes

For details, refer this technote.


ColdFusion 2016 and ColdFusion Builder 2016 Update 2 are available for early access

ColdFusion 2016 and ColdFusion Builder 2016 Update 2 early access builds are now available for your testing and feedback.

Note: The early access builds mentioned here have now been released in final form. So do not use the prerelease files or info below, but rather see the later blog post:

Note that this is a test build and should not be used in a production environment.

ColdFusion 2016 Server

Change the update URL in ColdFusion Administrator -> Server Updates -> Updates -> Settings to the following:

Refer this document for issues fixed.

Here are the install instructions for Server.

The build number after applying this update for ColdFusion 2016 should be 2016.0.02.299076

ColdFusion Builder 2016

Refer this document for issues fixed.

Here are the install instructions for Builder

Standalone installation:

Change the update URL in ColdFusion Builder -> Help -> Install New Software -> Add -> Enter this URL in the location field:

For Windows/Linux –

For OS X –

Plugin installation:

Change the update URL in Elicpse 4.5.2 or above -> Help -> Install New Software -> Add -> Enter this URL in the location field:

What’s new in this Update

ColdFusion 2016 Update 2 :

  • Struct Serialization and Array Serialization :

For a struct, there isn’t a way to derive the data type info correctly and hence even today we see serialization issue where a "lastname" is being serialized as Boolean Bug #3337394.

We are providing an API on the Struct class to add metadata information to that struct object. This function will take a struct object wherein the key will be the actual key of the struct and value will be the data type of the value corresponding to that key. For example,

mystruct = StructNew() ;

mystruct.setMetadata({"lastname": "String", "age": "number"}) ;

structsetmetadata(simple,{"value":"boolean","firstname":"string", "currency": { "type": "numeric","name": "usd"}});

writedump (#mystruct.getMetadata()#); //returns: {ordered="insertion|unordered", keys={lastname="string", age="number"}}

For Array also we can set the metadata using setmetadata & getmetadata methods. Array metadata should contain the key “items” in the metadata which specifies the type of the array members.


writedump (#myArray.getMetadata()#); //returns: {"type":"synchronized", items="string"}

Application level support

Other than passing the type info at struct level, you can also define the at application level, like

this.serialization.structmetadata = {zipcode="String"};

If defined as above, you don’t need to define the data type for zipcode for all the struct which contains this key. At run-time, if the metadata of the struct is not passed at struct level but is defined at application level then we will resolve the struct value appropriately as per application metadata info. But if defined at struct, then the defined type at struct level will take priority over the application one.

  • Configure SSL– Access API Manager portals over HTTPS for better encryption and security
  • CAR settings migration– After deploying a CAR file, some settings are not migrated. You can view the list in the Archive Summary page (under the section Settings Never Migrated) while creating CAR as well as during deploying the CAR.
  • New member functions – ArrayDeleteNoCase, YesNoFormat, and BooleanFormat
  • CKEditor – FCK Editor has been deprecated. You can now customize and design text areas in a form using CK Editor in the cftextarea tag.
  • NTLM changes – The ntlmDomain attribute is required if a user is part of a domain. When the user is not part of a domain, the ntlmDomain attribute is optional.
  • Other bug fixes – API Manager, PDF, language, etc.


ColdFusion Builder 2016 Update 2

• Security Analyzer – You can view partial scan results after canceling a scan. Search for a file using the filename in Unscanned Files.

• PhoneGap – PhoneGap is upgraded to version 5.2.

• Other bug fixes – Performance, editor, Security Analyzer, etc.

We will look forward to your valuable feedback and suggestions.

Update released for ColdFusion Builder 3

Update 3 for ColdFusion Builder 3 is released.

This update is
primarily a companion update to ColdFusion 11 Update 3 which ahs added support for
PhoneGap 3.5.




/* Style Definitions */
{mso-style-name:”Table Normal”;
mso-padding-alt:0in 5.4pt 0in 5.4pt;

This is just an Update for the ColdFusion Builder 3
installation that were installed prior to the build number 292483.
Corresponding full installers with this update embedded were already released
in December. Automatic update notification takes care of notifying you, if this
update applies to your installation or not. So, if your installation is the one
that was released in December, this update is not applicable and won’t show you
the notification. 

This update has the following 3 bug fixes.  






Remote servers details not retained on Builder restart.


Server Manager


Exception when generating build for mobile project


Mobile Support


PhoneGap version for Mobile project should be updated to

Mobile Support

Through ColdFusion Builder 3, you would get an automatic notification to apply the Update.


In the month of August 2014, we had
refreshed the update 2 just fixing the bugs arised out of Update 2. Ram has blogged
it as Update 3 mistakenly. It should have been blogged as Refreshed build for
Update 2. Our apologies for the confusion with regard to the update number. 





Setting up ColdFusion Builder 3 with a remote server

I wish everyone a very happy and prosperous new year. Here comes the first blog post for the year 2015, on ColdFusion Buider 3. A user came across our Mobile Application Development Contest blog and was trying to develop his application using ColdFusion Builder 3, but he wasn’t able to setup a connection between ColdFusion 11 and ColdFusion Builder 3.  He was trying to create a “Remote Server” connection between ColdFusion Builder 3 and ColdFusion 11, installed on separate servers (distributed setup). 

Here are the steps that will help you setup a remote host with ColdFusion Builder:-

1.     Launch ColdFusion Builder 3 and choose your workspace.

2.     Right-click on the “CF Servers” view and select Add Server

3.    Select “New server configuration” and click “OK”. You can choose “Import configurations from RDS server”, in case you have RDS server setup already and want to use existing server information.

CF Server

4.     If you can’t locate the CF Servers, then, follow the screenshot below, to enable it.

CF Server alternate

Refer to Add a remote server and fill in the details for your server.

5.     General Settings

a)     Server Name: ColdFusion server name.

b)     Description: (optional) Description of the server.

c)     Application Server: Select the drop-down list and select CF+ Tomcat Bundle (for CF10/CF11)

d)     Host Name: Name of the remote server host.

e)     Select: Is Remote.

Note: When you enter a Host Name other than localhost or, Is Remote is automatically selected.

f)     Webserver Port: Specify the port number of the remote ColdFusion server instance you are configuring. You can refer server.xml for the same at ColdFusion11cfusionruntimeconf.

g)     RDS User Name: (optional) if you are using RDS, specify the RDS user name.

h)      RDS Password: (optional) Specify the RDS password.

General Settings

Click Next to move to the next screen.

6.     Remote Server Settings

a)     User Name: Specify the CF Admin username.

b)     Password: Specify the CF Admin password.

Remote Server Settings

Click Next to move to the next screen.

7.     Install Extensions

Select Install Extensions to install the extensions that are packaged with ColdFusion Builder.

a)     Browse and select the ColdFusion web root location.

b)     Browse and select the ColdFusion web root location on the remote ColdFusion server.

c)     Browse to a location within the web root to install the extensions. The extensions are installed in the Extensions directory within the selected location.

Install Extensions

8.    Click Finish to add the remote ColdFusion server instance. You can right-click on the remote server and access the ColdFusion Administrator of the remote server.

Launch CF Admin

This blog post talks about, the minimal settings required to setup a remote server for CF Builder. You can skip the Install Extensions section as well.

Note: – While configuring the remote server in CF Builder, ensure that, you are able to access/ping the remote ColdFusion server outside builder. You can probably, access the remote CF Admin in the browser, for e.g. http://ip:port/CFIDE/Administrator/index.cfm and ensure connectivity.



Can I get an update? If you’re looking for ColdFusion Updaters…

Many of you are looking for a central location to find the full list of ColdFusion Updaters.  We try to keep these updated for the core supported versions with links to the latest released updaters.  These are a good place to look for the full list of updaters available on each version along with a download link to the .jar file. 


ColdFusion 11:


ColdFusion 10:


ColdFusion 9:



Additional updates for ColdFusion server and Builder:


ColdFusion Builder 3 automatic updates notification and installation

With ColdFusion Builder 3 we have implemented automatic updates feature to be in-line with Eclipse update mechanism.


In case of ColdFusion Builder 3 standalone installation:-

With this, if there is any update to ColdFusion Builder 3, you will receive a notification at the bottom right corner of Builder. You can click on that and install the updates.

With this mechanism only the changed plugins are pulled and installed on top of your Builder installation.

And this is always a cumulative update .i.e Latest update contains all the previous updates as well.

If you have just closed the notification without installing the update you can install by clicking on Help –> Check for Updates label.

In case of Plugin installation to Eclipse:-

Since the Eclipse is your own copy, you have to do a one-time setup to get notifications and install it.


Open “Window -> Preferences -> Install/Update” and configure the updater options as follows.

Click on “Automatic Updates” -> Select “Automatically find updates and notify me”

Click on “Enable Software Sites” -> Enable the site . This site is already listed. You just have to enable it.

Refer to the enclosed figures for these settings.

Once this is done on every next restart of Eclipse, updates availability is checked and notified at the bottom right corner.

By clicking on that notification message you can you can install the update.


Fig 1:Notification settings

Notification Settings


Fig 2: Update Site Sttings

Update Site

ColdFusion Builder 3 Mandatory Update Release


There is
a mandatory update released for ColdFusion Builder 3 that resolves the ‘Update
URL Issue’ that prevents your copy of ColdFusion Builder from downloading and
installing the updates from our server.


If you
have installed ColdFusion Builder 3 as a standalone application by using the
installer that you have downloaded between April 25 and May 25, you need to
apply this patch.

The build
number that was released on April 25th 2014  ->

The build
number that was released on May 25th 2014 -> (If you are on this build you don’t need to do anything. )

(You can
find it in the file:


You can
download the update  Here .
To apply the patch, follow the instructions provided in the bundled readme file.

Restart ColdFusion Builder for the fix to be reflected. You should see the ‘Update available’ message
at bottom right corner on re-launch.

If you
don’t want to apply this patch, you should uninstall and install the latest
build of ColdFusion Builder 3. 


Browser’ view which is available as part of the first update.


For Eclipse plugin installation you can enable/add the CF Builder repository site as follows to apply the updates:

Help->Install New Software -> Available Software Sites -> Add -> Name(Povide any name) -> Location (Provide as

Announcing the launch of ColdFusion 11 and ColdFusion Builder 3

are excited to announce that the next versions of ColdFusion Server and
ColdFusion Builder are now live and available

Thanks to everyone from the ColdFusion community who has
contributed to this release in terms of constant feedback and support. 

Here are some of the highlights of ColdFusion
11 and ColdFusion Builder 3:

Mobile Application Development Workflow

ColdFusion 11 along with ColdFusion Builder 3 gives you a unique
end-to-end workflow for mobile application development addressing the
challenges associated with building, testing, debugging and deploying
enterprise class mobile applications – both web based as well as installed
mobile apps.

Language Enhancements

While there are a range of enhancements made to the language, some of
the features that can be called out are full CFSCRIPT support, support for
Member Functions and JSON enhancements.

PDF Functionality

ColdFusion 11 now leverages a new engine for HTML to PDF
conversion that does an almost perfect job of converting most HTML/CSS to its
corresponding PDFs pixel-to-pixel. Along with the new engine, CFPDF has additional
functionality to support digital signatures and archiving PDFs. 


ColdFusion 11 has a built-in mechanism to prevent access
of Administrator or its components from external access. ColdFusion 11 has
additional built-in functions to prevent XSS, thus allowing  concurrent logins through CFLOGIN. ColdFusion
also supports mail encryption through CFMAIL.

For a more detailed overview of what’s new in ColdFusion 11, take a
look at this
from the documentation.

ColdFusion Builder 3 bundled with ColdFusion 11

11 Standard and ColdFusion 11 Enterprise is bundled with copy (ies) of
ColdFusion Builder 3. With one copy of ColdFusion Standard, you get one license
of ColdFusion Builder 3 and with one copy of ColdFusion Enterprise, you get
three copies of ColdFusion Builder 3.

Java 7 Update 55

you may be
aware, Java has come up with an update
(Java 7 Update 55) with critical security fixes. This update was released on 15th of April. ColdFusion 11, ColdFusion 10 and ColdFusion 9 have already been
certified on Java 7 Update 55.

ColdFusion 11, all attempts were made to include this update as part of the
final CF11 installers though this was very close to our launch date. We ran
into an issue with the installer with a third-party platform used by ColdFusion,
on Java 7 Update 55. We have escalated this issue with the vendor and are
working with them for a fix. For now, the Java version bundled with the final
installers of ColdFusion 11 is Java 7 Update 51.

we fully understand the importance of Java 7 Update 55 and want to assure the
ColdFusion community that we are committed to fixing this issue. We are also planning
to replace all the ColdFusion 11 installers to include Java 7 Update 55 as soon
as we are able to obtain a fix from the vendor.

as always you can use Java 7 Update 55 with ColdFusion 11, ColdFusion 10 and
ColdFusion 9 by pointing to an external Java location.

Linux support for the new PDF Engine

Linux support for the new PDF engine in ColdFusion 11 will be available through
an update within the next few weeks.

Availability of installers for CF10 and CFB 2.0.1

ColdFusion 10 installers and ColdFusion Builder 2.0.1 installers will
only be available for download on for a limited time – till the 14th
of May, 2014. If you need these installers for later use, then please download
them before the 14th of May, 2014.