ColdFusion (2021 release) Update 17
Security recommendations
For all security updates, Adobe recommends applying the security configuration settings outlined on the ColdFusion Security page and reviewing the respective Lockdown guides.
Check if you need to create and configure connectors after installing the update. View the section Connector Configuration Table for more information.
The updates below are cumulative and contain all updates from previous ones. If you are skipping updates, you can apply the latest update, not those you are skipping. Further, you must take note of any changes that are implemented in each of the updates you are skipping.
To install previous updates, see ColdFusion (2021 release) updates.
What's new and changed
ColdFusion (2021 release) Update 17 (release date, October 14, 2024) includes bug fixes and enhancements in Administrator, Language, CFSetup, Database, and other areas. The update contains library upgrades, such as netty, ehcache, and so on.
Review the known issues before proceeding with the update.
After applying the update, we recommend clearing the Felix cache as a workaround for installing the HTMLToPDF package and verifying the Oracle data source.
Whitespace management on all deployments
Efficient whitespace management reduces the file size of the pages that ColdFusion returns to the browser by removing many extra spaces, tabs, and carriage returns that ColdFusion might otherwise persist from the CFML source file.
You can enable or disable whitespaces in ColdFusion from the ColdFusion Administrator (Server Settings > Settings).
What is changing
In this release, ColdFusion allows whitespace management on all deployments. For example, you can allow whitespaces on JEE deployments using the Administrator or Admin APIs.
Using the ColdFusion Administrator
-
Launch ColdFusion Administrator.
-
Select Server Settings > Settings.
-
Select the checkbox Enable Whitespace Management.
Using the Admin API
In the CFIDE.adminapi.runtime class, specify the propertyName as Whitespace in the setRuntimeProperty method.
For example,
cfscript>
// Login is always required. This example uses two lines of code.
adminObj = createObject("component","cfide.adminapi.administrator");
adminObj.login("password"); //CF admin password.
// Instantiate the runtime object.
myObj = createObject("component","CFIDE.adminapi.runtime");
// set whitespace
myObj.setRuntimeProperty("whitespace",true)
// retrieve the property
saveWhitespacesEnabled = myObj.getRuntimeProperty("whitespace")
writeOutput("Is whitespace management enabled: " & saveWhitespacesEnabled & "<br>")
</cfscript>
|
Registry |
|
|
JDBC |
|
|
Cookie |
|
Commands
Show
- show category - This command displays clientvariable as a category.
- show clientvariable - This command displays all settings of clientvariable
- show clientvariable cookie - This command displays all the details of a specific clientstore.
- show clientvariable nonexistentclientstore - This displays an error message.
Help
- help clientvariable - This command should show all the settings available for the category.
- help set clientvariable
- help get clientvariable
- help add clientvariable
- help delete clientvariable
- help export clientvariable
- help import clientvariable
Get
- get clientvariable clientstore
- get clientvariable purgeintervalinminutes
- get clientvariable cookie
- get clientvariable cookie name
- get clientvariable cookie purgeDataUnvisitedForDays
- get clientvariable cookie description
Set
- set clientvariable clientstore=none
- set clientvariable clientstore=cookie
- set clientvariable clientstore=cfartgallery
- set clientvariable purgeintervalinminutes=92
- set clientvariable cookie purgeDataUnvisitedForDays=90 disableGlobalClientVariableUpdates=true description="Test description"
- set clientvariable cookie purgeDataUnvisitedForDays=90 disableGlobalClientVariableUpdates=Yes description="Test description"
Add
- add clientvariable name=cfartgallery description="JDBC-based client store." purgeDataUnvisitedForDays=91 disableGlobalClientVariableUpdates=false
Delete
- delete clientvariable cfartgallery
Export
- export clientvariable test.json
Import
- import clientvariable test.json
| OEM | Previous version | New version |
| ehcache | 2.10.3 | 2.10.92 |
| netty | 3.9.9 | 4.1.89, 4.1.109 |
| postgresql | 42.2.14 | 42.7.3 |
| quartz | 2.2.1 | 2.4.0 |
solr war View Upgrade SOLR to mitigate security risks in ColdFusion for upgrading SOLR. |
8.11.2 | 8.11.3 |
| xalan | 2.7.1 | 2.7.3 |
| cxf | 4.0.1 | 4.0.5 |
The jars were older, outdated, and vulnerable versions that had already been updated in earlier releases, so they were deleted.
| Bug ID | Description | Component |
|---|---|---|
| CF-4222080 |
You're unable to create or modify scheduled tasks on Firefox. | Administrator |
| CF-4211503 |
When uploaded as the first field in a form, certain images prevent any subsequent form fields from appearing on a POST request. |
CFForm |
| CF-4216637 |
Unable to resize an image using the CFImage tag. | CFImage |
| CF-4222881 |
Unable to upload a file from a RAM drive to an S3 bucket. | Cloud service |
| CF-4220122 |
The number of system threads grows with each cfsearch test page load. |
ColdFusion Packages |
| CF-4219563 |
The purgecache command works only within the cfpm Command Line Interface. The command does not run as expected when using cfpm purgecache. | ColdFusion Packages |
| CF-4223452 |
You cannot install multiple packages using the cfpm install command in the batch mode. However, you can do so using the cfpm Command Line Interface. For example, after running the following command, packages are installed: C:\ColdFusion2021\cfusion\bin\cfpm install document, htmltopdf But, the following command does not install the packages: C:\ColdFusion2021\cfusion\bin\cfpm install document, htmltopdf |
ColdFusion Packages |
Incorrect function name is reported in exception from using the wrong named parameter to a setter function. |
Core Runtime |
|
In spreadsheets, whitespace management is not available on JEE installations. |
Core Runtime |
|
| CF-4220502 |
Components containing properties of type array return NullPointerException when compiling, if getter is used with array syntax within ternary true statement section. |
Core Runtime |
| CF-4204716 |
For some scheduled tasks, the cfquery tag fails inside a scheduled task with a null message and a null cause. |
Database |
Attempting to sort QoQ by date column results in Java Timestamp Error. |
Database |
|
|
|
After updating Oracle Server v19.23 to v19.24 and verifying the connection in Datasources in ColdFusion Administrator, the following error message displays: Connection verification failed for data source: DATASOURCE_A java.sql.SQLException: [DataDirect][Oracle JDBC Driver]arraycopy: destination index -1 out of bounds for byte[128] See the community post for more information. |
Database
|
| CF-4223940 |
The Oracle Data Source verification failed after the latest update. To resolve this issue, clear the Felix cache and restart ColdFusion. |
Database |
| CF-4220030 |
Sometimes, attempting to execute a query results in a JDBC exception. |
Database |
| CF-4222036 |
Reading a zeroDateTime from mysql as a TimeStamp will now result in an error saying that java.sql.SQLException zeroDate is prohibited. |
Database |
|
|
Unable to populate an image field in a PDF Form. |
Document Management |
|
|
When the installed Java version is greater than 11.0.18, the PDF Service manager does not register as expected. The following error message appears:
"Error","Thread-39","03/15/23","10:55:55","","Registration error for service manager : .http://127.0.0.1:8993/PDFgServlet/.Reason: SERVER ERROR". |
Document Management
|
|
|
cfsetup does not show or export CF Admin client variable settings.
|
Installation/Config
|
|
|
The equal operator (eq) does not work as expected.
|
Language
|
|
|
In a query, the indexOf function returns -1 as index for any position other than the first one.
|
Language
|
|
|
Struct keys that contain closures do not maintain case.
|
Language
|
|
|
Unable to compare a null variable with an identity operator ===. As a workaround, use the equality operator ==.
|
Language
|
|
|
When an array literal is passed to a function called within the conditional statement of a cfelseif tag that contains a locally scoped variable as one or more of the items in the array, an exception displays.
|
Language
|
|
|
ColdFusion supports generate3DesKey function, but it's not documented or in getfunctionlist().
|
Language
|
|
|
You're unable to call static methods from an abstract class.
|
Language
|
| CF-4222022 |
Dumping a structure with multiple CFCs causes methods from the higher-order CFC to propagate to the lower-order CFC. |
Language |
| CF-4222005 |
While structure keys with chaining, if there is a function, ColdFusion produces an exception. |
Language |
| CF-4219723 |
After applying update 11, the toArray function does not work as expected. |
Language |
|
|
cfstat.bat -x produces a Null Pointer Exception.
|
Logging
|
|
|
Allow file actions in the Debugging & Logging - Log files page in ColdFusion Administrator.
|
Logging
|
| CF-4219897 |
After applying the update, coldfusion-out.log doesn’t update as expected. View the community post for more information. |
Logging |
|
|
ColdFusion is unable to handle sFTP connections using newer OpenSSH key algorithms like Ed25519. As a workaround, add the following JVM flags:
|
Net Protocols
|
| CF-4216277 |
The cfpm scan command (naming a [path] and a [serverurl]) produces an error. Error: CODEBASEPATH [path] not found This is even when the path exists. |
Packages |
| CF-4219459 |
Unable to register Rest service when using Application.cfm. |
REST services |
|
|
cfreport doesn’t work as expected. The following error message appears: Error at line 4 char 326: net.sf.jasperreports.engine.xml.JasperDesignFactory If the issue still occurs intermittently, Clear the Felix cache and restart ColdFusion. |
Reporting
|
| CF-4220241 |
After enabling Sandbox and using <cfimage> tag with action="write" and file output= "jpg" causes ColdFusion to behave unexpectedly. |
Sandbox |
|
|
The initSAMLAuthRequest function causes intermittent Null Pointer Exceptions.
|
Security
|
| CF-4223921 |
Attempting to index Open Document Format files (for example, .odt extension) produces an exception. |
Search |
| CF-4222210 |
After restarting add-ons on Unix, Solr collections do not appear in the Admin UI. As a workaround, manually update the cfjetty file, hardcode the solr.home value to the updated one, and restart jetty. |
Search |
Known issues
- The PDF Services page in ColdFusion Administrator does not load even with the HTMLToPDF package installed. As a workaround, clear the Felix cache (<cf_home>/cfusion/bin/felix-cache).
- The Oracle DataSource verification fails after installing the latest update. As a workaround, clear the Felix cache, and restart ColdFusion.
- An exception occurs when indexing Open Document Format files, such as those with a .odt extension.
ColdFusion JDK flag requirements
COLDFUSION 2021 (version 2021.0.0.323925) and above
For Application Servers
On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**", in the respective startup file depending on the type of Application Server being used.
For example:
- Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
- WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
- WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
Prerequisites
- On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
- If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
- http.proxyHost
- http.proxyPort
- http.proxyUser
- http.proxyPassword
- For ColdFusion running on JEE application servers, stop all application server instances before installing the update.
Installation
ColdFusion Administrator
In Package Manager > Packages, click Check for Updates in Core Server.
After it detects an update, click Update. The core package gets updated with the latest update.
All installed packages that needs an update get updated.
Restart ColdFusion for the changes to take effect.
Install the update in offline mode manually
- Download the hotfix installer from the link.
- Download the packages zip file from this link and extract its contents to a location accessible to all ColdFusion server instances.
- Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerReposityUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.
If the core server hotfix installation is successful and if there are errors or issues with packages, packages can be installed/updated from the package manager client(cfusion\bin\cfpm.bat|cfpm.sh).
You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.
- Windows: <cf_root>\jre\bin\java.exe -jar <InstallerReposityUnzippedPath>\bundles\updateinstallers\hotfix-017-330334.jar
- Linux-based platforms: <cf_root>/jre/bin/java -jar <InstallerReposityUnzippedPath>/bundles/updateinstallers/hotfix-017-330334.jar
Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.
Install the update from a user account with permission to restart ColdFusion services and other configured webservers.
For further details on manually updating the application, see the help article.
If you are on Java 11.0.20 or higher and want to apply the Hotfix, use the flag java -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar hotfix.jar.
However, if you are applying the update from the Administrator, you do not require any flag.
Post installation
After applying this update, the ColdFusion build number should be 2021.0.17.330334.
Uninstallation
To uninstall the update, perform one of the following:
- In ColdFusion Administrator, click Uninstall in Server Update > Updates > Installed Updates.
- Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2021-00017-330334/uninstall /uninstaller.jar
If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:
- Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
- Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2021-00017-330334}/backup directory to {cf_install_home}/{instance_name}/
Connector configuration
| 2021 Update | Connector recreation required |
| Update 17 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 16 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 15 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 14 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 13 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 12 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 11 | Yes |
| Update 10 | No |
| Update 9 | No |
| Update 8 | No |
| Update 7 | No |
| Update 6 | No |
| Update 5 | No |
| Update 4 | No |
| Update 3 | No. You need not upgrade the connector if you have already upgraded the connector in Update 2. |
| Update 2 | Yes |
| Update 1 | Yes |