Given the that you had the same problem around the same time of year, and it went away, my guess is that you have some memory heavy code that is only used seasonally.   Look at the web server logs and see if there are any pages that are primarily accessed at this time of year.  Then look at the code. You might have a big loop that is adding variables on each iteration, or you might be adding varaibles to a scope such as (session, application, or server) which are not allowed to be garbage collected until they timeout.   Check and see how long your session timeout is - if it is super long (the default is 20 min), then every new visitor or bot request is going to have memory overhead for the duration of the session.    The traffic numbers from google analytics aren't crazy high, most applications would be able to handle that no problem with the amount of heap you have, so that's why I think it is more likley a code or session duration issue.  Keep in mind that bot traffic may or may not show up on google analytics.  ... View more

Thanks Tim - good catch - I have fixed that ... View more

In this mod_jk.log - It looks like ColdFusion/Tomcat is returning the 403 Forbidden. I see this response from the request of /test.cfm: ajp_connection_tcp_get_message::jk_ajp_common.c (1563): received from ajp13 pos=0 len=17 max=65536 ajp_connection_tcp_get_message::jk_ajp_common.c (1563): 0000 04 01 93 00 09 46 6F 72 62 69 64 64 65 6E 00 00 - .....Forbidden.. ajp_connection_tcp_get_message::jk_ajp_common.c (1563): 0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ................ ajp_unmarshal_response::jk_ajp_common.c (818): (cfusion) status = 403   Does the user ColdFusion is running as have read permission to test.cfm? Anything showing up in any ColdFusion logs or Tomcat's catalina.out log? Does the user ColdFusion is running as have permission to traverse to the directory that test.cfm exists in?  In other words: if your web root is /var/www/html/test.cfm does the CF user have execute (x) permission on /var/www/html/ and /var/www/ and /var/ and /    You can test read permissions using the test command with -r (for read) and the file name. Using the su command to run as the cfuser.  su username -s /bin/bash -c 'test -r /path/to/test.cfm' && echo readable || echo not-readable  Or you could create a check.cfm under the builtin web server (cfusion/wwwroot/) with something like this: <cfdump var="#getFileInfo("/path/to/webroot/test.cfm")#">  Then hit that cfm over the builtin web server. It will output if ColdFusion can read the file or not. ... View more

Did you check the apache error log file? The error you posted doesn't necessarily point me here, but one thing that can sometimes be an issue is file system permissions. Take a look at things like the JkShmFile. If you are on RedHat or a variant with SELinux then you need to make sure files / ports have the appropriate selinux context (eg chcon).  ... View more

I am working on an update to Fixinator which is almost ready for release that has support for compatibility scanning. It will allow you to scan your code to find compatibility issues including things like: Changes to default algorithms in encrypt/decrypt and hash  The DateFormat uppercase D issue The unscoped variable change CFQueryParam cf_sql_int  And more, along with several deprecated / removed features   Stay tuned, it should be ready very soon (a week or two). ... View more

The hotfixes are cumulative, so if you have update 16 chf20210016.jar it would include update 6 as well. Scanners like HackMyCF understand this, what security scanner is telling you this?  ... View more

Yeah, I bet it will help someone else too, thanks for sharing what the problem was. ... View more

Not sure if this would cause the problem, but you are missing the comma after signrequests and before signcertificate in your IDP config.    My next guess would be that the actual signcertificate is not in the correct format. There are different ways to encode the certificate PEM, DER, etc. I think you want to just take a PEM cert, and then remove the BEGIN CERTIFICATE / END CERTIFICATE parts and put everything on one line.    Pete / Foundeo Inc. ... View more

Hi There,   Yes, I have a bunch of CI Scripts for testing CFML code. Here's one for GitLab that uses Fixinator to scan the code for security issues: https://github.com/foundeo/fixinator/wiki/Running-Fixinator-on-GitLab   In that example it isn't started a dev server locally, but here's one that does: https://www.petefreitag.com/item/902.cfm that example is using GitHub Actions, not GitLab, but the general ideas are mostly the same.    Hope that helps! ... View more

It sounds like you might be calling processSAMLResponse() on a page that is not the ACS url. When the IDP authenticates you it POSTs back to the ACS url information that processSAMLResponse is looking for. Based on the error message it sounds like that information is not there. On your ACS page, you can create a session varaible and store the relavent information about the user.    There is also the replay attack prevention feature that makes sure the SAML request id is not used more than once, which does use the ehcache to store the ids by default. I don't know of a way to inspect the ehcache, but there is probably a way to do it. You can also use Redis for the cache, and then you can inspect the redis database using a redis client if you think that is the problem.  ... View more

Just happend to have been down that road before 🙂 Glad you got it working!  ... View more

Yes, it could very well be the cause of that. I have run into similar issues with the java-saml library (which is what CF 2021 appears to be using under the hood), it uses httpServletRequest.getRequestURL() to determine the current URL. So a quick way you can check this is in CFML is like this: <cfoutput>#getPageContext().getRequest().getRequestURL()#</cfoutput> That will output the URL that the SAML library thinks is the current url, so if the scheme doesn't match, or the URL doesn't match exactally it will fail. There are some ways that you can configure tomcat to think it is serving https even though you are on http (only do this if the network between your webserver and CF is secure or is localhost), or you can setup tomcat to use https in your proxy.   Hope that helps! Pete Freitag Foundeo Inc. ... View more

I don't think there is a Standard SQL way to do it, but there different ways to do it on different DB servers. What kind of DB is it? ... View more

That error sounds like you are trying to import the leaf certificate instead of a CA certificate. Perhaps newer versions of java are no longer letting you import leaf certificates into the cacerts file. Are both servers running the same version of java?   For most HTTPS sites these days there are three certificates involved, a Root, Intermediate and a Leaf.  They have this hierarchy:   Root (trusted by browsers)  |-- Intermediate Certificate (signed by root)         |---- Leaf (signed by intermediate, this is the one you pay for, etc)   Both the root certificate and the intermediate certificates are CA Certificates and you should be able to import those without problem.    Adding the system property jdk.security.allowNonCaAnchor=true would only be necessary if the site certificate is a self signed certificate (not signed by a CA, you generated it yourself). If it is not self signed, then you should just import the missing intermediate or root certificate into cacerts instead. All assuming you trust this site, and the CA that signed it's cert that you are trying to connect to. ... View more

I should clarify - when I say usually this problem is caused by missing intermediate cert. That is about 50% of the time, the other 49.9% of the time updating the JVM fixes the problem because old JVM's might not have the latest trusted certificates defined in the cacerts. You stated you had already updated it so I didn't expand on that in my last reply.    There is a small chance (I'm giving that 0.1%) that the cacerts file that the latest JVM has doesn't have a new CA certificate for the site you are trying to connect to. This was a lot more common of a problem many years ago, but I've found over the last 5+ years or so that they have done a very good job at keeping it updated with each release. So I haven't in practice actually seen that problem in many many years, but it's still possible in theory.  ... View more

While importing the cert into the keystore does work, it is not always the best way to solve this problem.   Usually this problem is caused by a server misconfiguration on the server you are trying to cfhttp to. It is probably missing the intermediate certificate, which leads to this error. Some http clients (like your browser) are pretty forgiving of this issues because they are able to cache the intermediate certificates of trused certificate authorities.  This site is the easiest way I've found to check for the missing intermediate cert: https://whatsmychaincert.com/   The reason importing the certificate into cacerts is not a great idea, is because that is for Certificate Authority certificates, meaning you are saying that this certificate you imported is now authorized to sign certificates for any domain. I find it to be necessary to import only if you are using a self signed certificate / ca cert. ... View more

It sounds like part of the problem in your finding is that you are putting the CFID / CFTOKEN in the URL of a GET request after login. To prevent that you should look for a cflocation tag and add the attribute addtoken="false" to it. That will prevent the redirect from appending the CFID / CFTOKEN in the URL.   You can also switch to JEE sessions, and then you could potentially increase the size of the jsessionid in the tomcat settings which would increase the entropy of your session identifier.   Pete Freitag Foundeo Inc.     ... View more

Hi Thorsten,   I can confirm that cfhttp to a site using Let's Encrypt for https does infact work with CF2016, but there are a few things I can think of that might be causing the problem. I think I have summarized them all here in this blog entry: https://www.petefreitag.com/item/852.cfm    The TLDR is: 1) Version of Java you are using might be too old 2) Your server might be missing the intermediate cert in its config, use https://whatsmychaincert.com/ to test it.   Hope that helps Pete Freitag Foundeo Inc. ... View more

While you certaily could roll your own SAML implementation in CFML, if you are not a crypto expert I'd recommend using a library like java-saml https://github.com/onelogin/java-saml    I've done a ColdFusion SAML integration with that library, and can recommend it. It takes care of a lot of the hard parts for you.    You could also use the SAML functions in CF2021 which are built on that same java library.    Pete Freitag Foundeo Inc. ... View more

CFMX_COMPAT is not really a good choice of algorithm to begin with, if I recall correctly it is just an XOR cipher, so it doesn't provide a lot of assurance. Use something strong like AES instead.    I never realized that about the key, I imagine it is only using the first few bits of your key, so anything you add to the end of it doesn't matter - this is just another reason to avoid CFMX_COMPAT in my book.    Pete Freitag Foundeo Inc. ... View more

In this case you would still get the stack trace, because the error is thrown by Tomcat before it hands the request off to CF. ... View more

The easiest way you can mitigate this (and a generally good practice) is to setup a default website on your web server that listens on the IP/port, and does not serve dynamic (CFML, ASP.NET, etc) requests. Then have the web server setup to serve your site only when the host header matches. This has the advantage of catching all the bots that are just hitting random IP addresses, you can simply serve up a static html page with a link to the main site (but really you woudn't be getting any legit human traffic).   As for this issue in Tomcat, it appears that because it is a URL parsing issue Tomcat is unable to know which web application should handle the issue. I would have though that having the <error-page> defined for status 400 would be sufficient, but according to this thread: https://stackoverflow.com/questions/52814582/tomcat-is-not-redirecting-to-400-bad-request-custom-error-page you would have to use the ErrorReportValve to catch this in Tomcat and display a friendly HTML page.   Hope that helps!   Pete Freitag Foundeo Inc. ... View more

Just want to add, since it was not mentioned that CF9 has reached end of life many years ago. That means it presumably has security holes that are not patched, and will never receive any future security update. You really should not be using CF9 in production anymore (CF2016 & CF2018 are still supported currently). ... View more

It sounds like you may need to configure the RemoteIpValve in Tomcat to let it know that the request was proxied over a secure transport: https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve    Pete Freitag Foundeo Inc. ... View more