ColdFusion

Hi All,I can't seem to figure this out, so any help would be appreciated.  Might be a bug with CF2021. I got 2 websites with cfapplication name AAA  & BBB  both under same domain, https, using www If I login through one app using SAML (one per app), I loose the sessions in the other app (new cftoken generated), and it doesn't happen everytime but it will happen after a few tests, or the 1st time after being idle for a few minutes......mydomain.com/AAA/saml1/response.cfm.....mydomain.com/BBB/saml2/response.cfm Also, if i'm just playing around and setting a session variable in the same child folders as the saml response, it won't loose the sessions of the other app.  It seems the saml round trip to microsoft azure causes the lost of sessions.  I tried with J2EE sessions on/off Any ideas how to remedy?      

We are pleased to inform you that we've released security updates for ColdFusion 2025, 2023, and 2021 releases. For more information, see the respective tech notes: ColdFusion (2025 release) Update 3 ColdFusion (2023 release) Update 15 ColdFusion (2021 release) Update 21   The updates include a newer version of Tomcat, important security fixes that mitigate vulnerabilities related to arbitrary file reads, code execution, privilege escalation, and security feature bypass.    View the security bulletin, APSB25-69, for more information.   Download the updates ColdFusion 2025 updates ColdFusion 2023 updates ColdFusion 2021 updates   What's new in the updates Tomcat upgrade New JVM flag Changes to remote methods OEM upgrades   Others Bug fixes Known issues   Docker and CFFiddle CFFiddle is updated with the changes. Docker images of the update are avaiable on Docker hub and Amazon ECR. Please download and apply t

Hello All, We have a collection of API calls that can successfully be called/run from several windows server instances of CF 2023.  A colleague on intel Mac CF 2018 and one on windows CF 2023 can also successfully call/run any of our API functionality.  On my local development instance of ColdFusion 2023 (ColdFusion 2023 MacBook Pro M2 macOS Sonoma) I consistently get the same error on every API call I try and leverage.Can not resolve PropertyFilter with id 'coldfusion.runtime.Struct'; no FilterProvider configuredI have been unable to make any headway on figuring out why i am the only one getting this error message. I am posting this discussion to hopefully find someone that may have some additional suggestions for me. I can share more examples of some of the code but thought I would start with the error message and the explanation that this is only happening to me as the underlying CF code is working in all other environments. Basic Code Same Error:<cf

Good morning, all. Been getting a flood of error emails generated from production.  Related to Apache POI, but something I have never heard of, before. com/zaxxer/sparsebits/SparseBitSet java.lang.NoClassDefFoundError I looked at the line number indicated in the error message.  Inside of a cfscript tag:...SpreadsheetMergeCells(variables.mySpreadsheet,1,1,1,6);... This is from a Cost Estimate form on our Public site. I've done some digging around, but can't find anything on SparseBitSet.  Or, not much, anyway.  I think I read somewhere that it's not an actual module, so I am guessing there's no package install that can fix this.  Please advise. WolfShade UPDATE:  This isn't affecting only the Cost Estimate form, it appears to also be affecting a Rates Lookup page that uses Excel files to query rates from one port to another.

 Getting the error for all rest services on a subset of our production servers: Cannot resolve PropertyFilter with id 'coldfusion.runtime.Struct'; no FilterProvider configured Appears to be the same error as:Solved: API Error: Can not resolve PropertyFilter with id ... - Adobe Product Community - 14335256 Which is marked Solved but does not seem to be solved.  Ticket that was created related to that post was closed by tech support and not resolved. Wierdly this only occurs on half of the 4 nodes in our cluster.  All servers share same configuration and same code base from shared NAS.  When I hit them directly I can see 2 consistantly return the error:And the other 2 nodes consistantly return expected JSON output. Of course when we hit them load balanced we effectively get random failures depending on what server I am sticky to. I confirmed there are no trailing slashes as called out in the article above: This has persisted thr

My connection to the local SQL Express fails.Connection verification failed for data source: allloginsjava.sql.SQLException: [Macromedia][SQLServer JDBC Driver]Kerberos Authentication is not supported by this SQLServer. The driver attempted Kerberos authentication because the AuthenticationMethod connect option was "auto" and no username/password was specified. It is registered in SSMS and a system DSN in ODBC Data Source Admin.It should connect using windows autth? Any Help much appreciated. See images.

Hello all,Others have noted the security issue with Solr and version 7.We don't need it on our servers, so I would like to uninstall, I am not sure yet if I can disable the add-on service cause I think the cfhtml2pdf tag might be used in our code.So if I can just uninstall SOLR then I would like to do that....but I have no idea which package in package manager I can uninstall.I have looked at them and none seem to relate to SOLR.So which one is it?

                We have been using CF for a long time. Yesterday we had a power cut and after a restart the following is happening (just a test page to identify issues): <cfquery datasource="#mydb#">                UPDATE iantest                set                test = 55                where id = 1                </cfquery>                               This Works - updates

I am observing an outbound connection initiated by the process coldfusion.exe over the SSH port. The destination IP is not flagged as malicious on VirusTotal. Could you please advise if this is a legitimate process behavior by coldfusion, or should I investigate this activity further?    

For excel files, we use Apache POI.  It worked fine until we applied the latest CF Security patch to our CF2023 server.  It must have updated POI to the latest version which deprecated some of the functions.  I was able to fix one issue, but am not able to see how I can create XSSFColor from RGB.  My previous code was:rgb=createObject("java","java.awt.Color").init(javacast("int",234),javacast("int",230),javacast("int",202)); createObject("java","org.apache.poi.xssf.usermodel.XSSFColor").init(rgb);This used to create a color from Red=234, Green=230, and Blue=202, but now it crashes because the init function needs more arguments. I need to now pass RGB in "Byte Array" such as: XSSFColor(byte[] rgb) . I am not sure how to make a byte array in coldfusion. I have tried this:javaCast("byte[]",        [            javaCast( "byte", 234),            javaCast( "byte", 230),  &

our security team wants us to implement Multi Factor Authentication using a token based system.  I located https://github.com/marcins/cf-google-authenticator which references CF10 and i was pleased becasue we still haven't been approved to move our app from CF 11 to a supported version but beyond serving as a sample has anybody got any idea how long it might take to implement either google authenticator OR another token based system. I'm being told that other 2FA methods are not approved (SMS, Email, etc) because they are not secure so they aren't options at this time. Any Advice, Recommendations, or realtime experience (it took us x long) would be appreciated.  I hope this wasn't too vague, i just don't want to put too much in the post.

Hi,I administrate a few ColdFusion 2023 servers on windows. I perform an off-line update whenever a new update comes out. I carry out these following steps:1) Download new hotfix and packages from Adobe Website2) copy these files into the Bundles directory of ColdFusion3) run the java -java hotfix_xxxx.jar4) the installation states it was "successful" but everytime there are packages that were removed and not reinstalled. These new packages files were definitely included in the bundles directory, but they were deleted during the update process5) My fix everytime is to re-copy these files back into the Bundles and install the packages manaually.Do anyone know how i can perform the update, without needing to re-copy certain package files back into the Bundles to complete the process?Thanks for any help you maybe able to provide! 🙂

Coldfusion cfgrid type= boolean checkbox column is not getting checked in a single click, requires user to click twice. Causing a bad user experience   Update: here is a running example of the issue, as offered by Charlie in the discussion below: https://www.carehart.org/test/test-cfgrid-10755642.cfm

I could not find discussion on this topic and I think it could be serious for some environments.On IIS cfm handler why there is no use of buffer ? the handlers are configured with responseBufferLimit="0". Is there any reason. It seems it could be a serious issue.

Good morning, all. I have code that has been in place for at least 6 or 7 years that generates Excel files.  Depending upon the app, the Excel file is either A) made available to the user via download, or B) emailed to a pre-determined email address, possibly CC'ing others, as well.  It has had no issues for all this time, and no changes to the code have been made. Recently, while creating a new section of a public-facing website, I copied and modified Excel generating code from one of these older sections, expecting it to work.  I've been having all kinds of issues, from files not being saved to the server, to simple strings added to a cell coming up as garbage.  Exceptions are being thrown.  So, I decided to check one of the earlier pages on the public site that creates Excel files, and lo and behold it's throwing an exception when it comes to creating the Excel file.  I have no idea how long this has been breaking, no one ever reported anythin

In ColdFusion 2021 update 20 (as well as cf2023 update 14 and cf2025 update 2), there was a change in access to remote CFC methods, requiring explicit cfarguments tags or defining them directly in the function signature.   The -Dcoldfusion.runtime.remotemethod.matchArguments flag set to false allows methods with remote access to continue working without restriction on argument matching.   Making all methods compatible with remote access in our programs will be quite complex and will require a long development and testing time on the systems. Since we seek the integrity of our methods by other means, set the flag to false solves our problem.   So I would like to know if this JVM flag will be deprecated in the future? If it is something permanent, we will set it to false and dispense with any rework with the compatibility of remote CFC methods.

Since updating to update 21 from update 20, opening Scheudle Tasks in cfadmin is erroing on some scheduled tasks that were created before update 21.  The impacted tasks can be edited and resaved which will clear the error.New scheduled tasks can be created and appear to be working as normal.  The error we're seeing for impacted tasks: Element ISVALIDPUBLISHPATH is undefined in TASK.The error occurred in scheduletasks.cfm: line 700Called from scheduletasks.cfm: line 568Called from scheduletasks.cfm: line 567Called from scheduletasks.cfm: line 564Called from scheduletasks.cfm: line 524Called from scheduletasks.cfm: line 482Called from scheduletasks.cfm: line 1

I got the infamous architecture mismatch trying to set up an ODBC Data Source from Cold Fusion(2011) to an AS400 data source(1st screentshot).Since it took me two days to track this one down I thought I'd pay it forward by showing you how I fixed it in the hopes of saving someone some time in the future.I tried many different fixes to match architectures thinking I had the 32 bit version of the ODBC driver vs the 64 bit version and vice versa. I have both, it didn't matter.The problem was in the Windows Registry, specifically the data source HAS TO HAVE the same name across 32 and 64 bit ODBC entries for it(2nd and 3rd screenshots). Stack Trace:Connection verification failed for data source: AS400java.sql.SQLException: [Macromedia][SequeLink JDBC Driver][ODBC Socket]internal error: The specified DSN contains an architecture mismatch between the Driver and ApplicationThe root cause was that: java.sql.SQLException: [Macromedia][SequeLink JDBC Driver][ODBC Socket]internal error: The

Hi Just wondering if anyone has any experience with implementing connection retry logic with Coldfusion and Azure sql, to handle transient connection failures. I have an application that is hosted on Azure with Azure SQL and there have been a few instances where the DB has failovered intermittently while a user was requesting a page, thus resulting in an error. Looking to see how I can minimize this impact and make it a seamless experience on the user's end when this occurs. I've looked at https://docs.microsoft.com/en-us/ef/ef6/fundamentals/connection-resiliency/retry-logic which is based on an EF6 library. Thanks!

I just updated CF 2023 from 6 to 15, and applicaton is not working with below error:any idea what's missing? Thanks.Variable HTTP_REFERER is undefinedcoldfusion.runtime.UndefinedVariableException: Variable HTTP_REFERER is undefined. at coldfusion.runtime.CfJspPage._get(CfJspPage.java:456) at coldfusion.runtime.CfJspPage._get(CfJspPage.java:411) at coldfusion.runtime.CfJspPage._get(CfJspPage.java:390) at coldfusion.runtime.CfJspPage._autoscalarize(CfJspPage.java:2364) <CFIF (ReFindNoCase("login/login.cfm",HTTP_REFERER) EQ 0 AND ReFindNoCase("login/login.cfm",SCRIPT_NAME) EQ 0 AND ReFindNoCase("login/action_login.cfm",SCRIPT_NAME) EQ 0)> <CFIF IsDefined("SESSION.LOGGEDIN") and SESSION.LOGGEDIN EQ "TRUE"> <CFELSE> 

We are pleased to inform you that we've released security updates for ColdFusion 2025, 2023, and 2021 releases. For more information, see the respective tech notes: ColdFusion (2025 release) Update 2 ColdFusion (2023 release) Update 14 ColdFusion (2021 release) Update 20   These updates resolve several critical and important vulnerabilities that could lead to arbitrary file system read, arbitrary code execution, and security feature bypass. View the security bulletin, APSB25-52, for more information.   Download the updates ColdFusion 2025 updates ColdFusion 2023 updates ColdFusion 2021 updates   What's new in the updates New JVM flags Changes to remote method Refreshed add-on installers Pathfilter changes   Others Bug fixes Known issues   Docker and cffiddle CFFiddle is updated. Docker images of the update are avaiable on Docker hub and Amazon ECR.   Please download and apply the updates and provide your feedback.

hi,  my CF 2023 enterprise license will expire on Nov. 1 2025, I am thinking not to renew because the application is schedule to move to other platform around Dec. 30 2025. Now the question is can my CF server keep up and running until Dec. 30 2025 with expired license? Thanks.David

Hi All,Hoping someone can provide some pointers to solve this.I was successfully running on CF2023 update 11 but when I went to update 14 Apache Tomcat mod_jk connector stopped working - i've reverted back to update 11 and it still doesn't work - the browser returns 403 ForbiddenI've checked my server.xml, worker.properties, mod_jk_vhost.conf a million times and they seem to be correct.  I changed the Port being used by the connector in case that was a problem. I'm seeing in mod_jk.log:[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1368): 0130 63 68 65 2F 32 2E 34 2E 36 32 20 28 55 6E 69 78 - che/2.4.62.(Unix[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1368): 0140 29 20 4F 70 65 6E 53 53 4C 2F 33 2E 33 2E 32 20 - ).OpenSSL/3.3.2.[Wed Jun 18 08:31:41 2025] [301783:140594684778048] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1368): 0150 6

Hello - Developer edition of CF 2025 running locally on a Mac (OS = Sequoia 15.5). DMG installer. A CFQuery to an MS SQL Server datasource produces this error message: 'Error Executing Database Query. The sqlserver package is not installed. You can install the package through the CLI package manager (/Applications/ColdFusion2025/cfusion/bin/cfpm.sh) by running the command : install sqlserver.'The Packages section of the CF Administrator shows that the sqlserver package already is installed. Same if I attempt an install via the CLI package manager. I've also uninstalled and re-installed the package. Any thoughts?(The query runs without error on CF 2016 or 2018. The datasource verifies in the Administrator (i.e., the 'OK' message.)

We're in the process of migrating from CF2021 to CF2023, and so far everything has been going well except for getting a REST service registered. Using the same path and service mapping as we did in CF2021 we are getting the following error:Error registering REST service. Please ensure that you have entered a proper mapping and path. Application Calendar could not be initialized. Reason: Cannot invoke "java.lang.Boolean.booleanValue()" because "skip" is null Cannot invoke "java.lang.Boolean.booleanValue()" because "skip" is null In trying to research this, I came across what appeared to be an identical case on the bug tracker (CF-4220013 | Tracker (adobe.com)), which was withdrawn as a duplicate of another issue. However, that other issue (CF-4219459 | Tracker (adobe.com)) loads with a page that says "No issue found." I can't seem to find anything else that helps. Is this an actual bug? Has anyone else run into this? Has anyone else solved it?