ColdFusion 2016 Update 4, ColdFusion 11 Update 12 and ColdFusion 10 Update 23 released

This post is to announce the release of the following ColdFusion updates:

ColdFusion 2016 Update 4

ColdFusion 2016 Update 4 upgrades Tomcat to version 8.5.11.0 and fixes 115 bugs (including 52 external bugs) in areas such as Security, Language, Charting and Performance. This update also addresses vulnerabilities mentioned in the security bulletin APSB17-14.  For details and instructions on how to apply this update refer this technote.

ColdFusion 11 Update 12

ColdFusion 11 Update 12 upgrades Tomcat to version 7.0.75. It also addresses vulnerabilities mentioned in the security bulletin APSB17-14 and fixes 59 bugs (including 28 external bugs) related to areas such as AJAX, Charting and Language. For details and instructions on how to apply this update refer this technote.

ColdFusion 10 Update 23

ColdFusion 10 Update 23 upgrades Tomcat version to 7.0.75. This update addresses vulnerabilities mentioned in the security bulletin APSB17-14 and includes a total of 17 bug fixes (including 7 external bugs) related to Language, Charting, Scheduler, Document Management and certain other areas. For details and instructions on how to apply this update refer this technote.

The build number after applying thse updates should be:

2106,0,4,302561 for ColdFusion 2016;
11,0,12,302575 for ColdFusion 11.
10,0,23,302580 for ColdFusion 10.

Note:

  • Support for Windows Server 2016 will be introduced with the refreshed full ColdFusion 2016 server installer which will be made available shortly. Update: The new installer is now available, as of Apr 28.
  • The core support for ColdFusion 10 effectively ends on May 16, 2017. It will, therefore, receive no further updates. For detailed support timelines, see this EOL matrix.

 

 

ColdFusion 11 Update 7 is available for early access

Update: Since this post was made, the final version of Update 7 was released and should be used instead.

 

ColdFusion 11 Update 7 early access build is now available for your testing and feedback. It includes support for Tomcat 7.0.64, Windnws 10 and Mac 10.11 along with several bug fixes.

Please note that this is a test build and should not be used in a production environment.

Refer this document for the list of bugs fixed in this update.

Follow the steps below to apply this update.

  1. Navigate to ColdFusion Administrator -> Server Updates -> Updates.
  2. Under Settings tab, check "Automatically Check for Updates" check box
  3. Change the Site URL to https://cfdownload.adobe.com/pub/adobe/coldfusion/PR/updates.xml. 
  4. Click Submit to save your changes.
  5. Under the "Available Updates" tab, click on the “Check for Updates” button.
  6. "ColdFusion 11 Update 7(PreRelease)" should be listed under the "Available updates" tab. 
  7. Click on the "Download and Install" button to install the update.
To apply this update manually, click on this link to download the update jar. To run the downloaded jar, execute the following command:
java -jar <jar-file-dir>/hotfix_007.jar
You should use the JRE used by CF for running the update jar (for standlaone CF, it should be <cf_root>/jre/bin)
MD5: 2248f3a1401fe658b40743102c5d5999
For further details on the manual application of the updater follow this help article.
 
The build number after applying this update should be 11,0,07,296112(PreRelease).

In case, you have configured local site for receiving the update notifications, then please take back up of the URL before changing it to the prerelease URL.

We will look forward to your valuable feedback and suggestions.
 

ColdFusion 10 Update 18 is available for early access

Update: Since this post was made, the final version of Update 18 was released and should be used instead.

 

ColdFusion 10 Update 18 early access build is now available for your testing and feedback. It includes support for Tomcat 7.0.64, Windnws 10 and Mac 10.11 along with several bug fixes.

Please note that this is a test build and should not be used in a production environment.

Refer this document for the list of bugs fixed in this update.

Follow the steps below to apply this update.

  1. Navigate to ColdFusion Administrator -> Server Updates -> Updates.
  2. Under Settings tab, check “Automatically Check for Updates” check box
  3. Change the Site URL to https://cfdownload.adobe.com/pub/adobe/coldfusion/PR/updates.xml. 
  4. Click Submit to save your changes.
  5. Under the “Available Updates” tab, click on the “Check for Updates” button.
  6. “ColdFusion 10 Update 18(PreRelease)” should be listed under the “Available updates” tab. 
  7. Click on the “Download and Install” button to install the update.
To apply this update manually, click on this link to download the update jar. To run the downloaded jar, execute the following command:
java -jar <jar-file-dir>/hotfix_018.jar
You should use the JRE used by CF for running the update jar (for standlaone CF, it should be <cf_root>/jre/bin)
MD5: 412eb868a290cd635bed305f5658a0eb
For further details on the manual application of the updater follow this help article.
The build number after applying this update should be 10,0,18,296093(PreRelease).

In case, you have configured local site for receiving the update notifications, then please take back up of the URL before changing it to the prerelease URL.

We will look forward to your valuable feedback and suggestions.

How to enable/disable Tomcat Access logs (logging of each ColdFusion request)

Sometimes, depending on your need, you may want to enable or disable the tomcat access logs, which track every request to ColdFusion. In CF10, these logs were enabled by default. In CF11, they are disabled by default. This post shows how to enable or disable them.

This can be simply done changing a setting a in <ColdFusion_Home>cfusionruntimeconfserver.xml file.

At the end of this xml file you may find the following commented tag.

<!–

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" 

               prefix="localhost_access_log." suffix=".txt"

               pattern="%h %l %u %t &quot;%r&quot; %s %b" resolveHosts="false"/>

–>

To enable the logging, uncomment this tag as follows, and restart the server for the changes to be effective.

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" 

               prefix="localhost_access_log." suffix=".txt"

               pattern="%h %l %u %t &quot;%r&quot; %s %b" resolveHosts="false"/>

If access logging is enabled, the logs are stored in {ColdFusion Root}cfusionruntimelogs.

Note that you can modify the attributes, such as the log filename (via the prefix attribute) and what is logged, via the pattern attribute. For more information on these and other attributes, and on Tomcat access logging in general, see https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Access_Logging

Be aware that this feature logs EVERY request made to ColdFusion, and so these logs can grow quite large.

To disable the Tomcat access logs, sinply comment out the tag above (using 2 dashes for XML, rather than  CFML), and restart CF for that change to take effect.

Setting up ColdFusion in distributed envionment

You might want to set up ColdFusion in a distributed environment where ColdFusion is running on one machine and Web server is running on a different machine.

Following are the set of steps that have to be performed to achieve this (less error-prone):

This applies to both ColdFusion 10 and ColdFusion 11.

1) Have ColdFusion server installed in a machine.

2) Next thing is to download and install VC Runtime.

             – The version of VC Runtime that you have to install depends on the version of ColdFusion.

                Say, ColdFusion 11 needs VC Runtime 2012

                 (32-bit VC Runtime for 32-bit Web server and 64-bit VC Runtime for 64-bit Web server.

                  If you are not sure, you can install both)

                 (https://www.microsoft.com/en-in/download/details.aspx?id=30679)

                and ColdFusion 10 needs VC Runtime 2010

 

3) Copy the following contents from the machine where ColdFusion is running to the machine where Web server is running at the same location.

 C:ColdFusion11jre

 C:ColdFusion11runtimelibwsconfig.jar

 C:ColdFusion11runtimeconfserver.xml

C:ColdFusion11configinstances.xml

C:ColdFusion11configcluster.xml

 

4) Open a Command prompt and run wsconfig tool

   C:ColdFusion11>jrebinjava -jar cfusionruntimelibwsconfig.jar

    It will open a configuration window where you have to provide AppServer Host as the ColdFusion Server IP.

    Configure the connector.

Distributed environment is ready for use. Send requests to the Web server's URL with cfm files under web server root and same files under ColdFusion's Web root.

Web server would redirect these to ColdFusion, which is on some other machine.

 

 

New CHFs for CF 9 and CF 9.0.1

We now have new CHFs available for ColdFusion 9 and ColdFusion 9.0.1. This CHFs will address the issues that were present in the previous CHFs. We recomend that you apply this update to your ColdFusion 9 and ColdFusion 9.0.1 installations.

Here are the links to the related techotes for CF 9 and CF 9.0.1.

For ColdFusion 10 and ColdFusion 9.0.2 the updates have been refreshed to fix an issue with the Google Map API and the related technotes can be found here : 9.0.210

 

ColdFusion 10 Server Lockdown Guide

The server lockdown guide for ColdFusion 10 is now available on the Adobe website. The ColdFusion 10 Server Lockdown Guide will help server administrators secure their ColdFusion 10 installations. You will also find several tips and suggestions intended to improve the security of your ColdFusion server. 

You can access the lockdown guide here.

ColdFusion 10 update 5 – security update – now available

The ColdFusion 10 Update 5 is now available for install within your administrator. Update 5 is a security update that resolves a vulnerability affecting ColdFusion on Windows Internet Information Services (IIS), which could result in a Denial of Service condition. Adobe recommends users update their product installation.

Refer the security bulletin for all the details associated.