Best practices for JRE updates in Coldfusion?

Question

We're running Coldfusion 2018 at the latest patch level, and have been notified by our security folks that we're using a vulnerable version of the JRE (1.11.0_01).  I'm new to administering Coldfusion and wanted to know what the best practices are for performing JRE updates.  Should we be expecting updates to be included in the Coldfusion updates (I assume not, given how behind we are)?  If not, should we only be applying versions available here (https://www.adobe.com/support/coldfusion/downloads.html)?  Is this a good reference on how to apply the updates? (https://www.petefreitag.com/item/860.cfm)

Charlie Arehart · Accepted Answer

To answer your questions, no, yes, yes. [Edit: initially I said "no" as the last answer, but that was clearly a mis-typing, as supported by what I said below about Pete's helpful post.]

And if you show running 11.0.1, you can see that's clearly NOT "the latest", even as offered on that Adobe page, specifically the section on Java downloads (though good news is that the page DOES show the current latest, which is 11.0.13 at the moment. )

And to be clear, that's the latest update to Java 11, not the latest Java version available, which is 17 (which is not yet supported by CF). To be clear, Adobe supports you running cf2021 and CF2018 at the latest update for Java 11. Some future update will allow us to move to Java 17.

And FWIW, only new cf installers ever implement a new jvm version (in terms of what comes with CF), so yes, you are expected to keep it updated. Pete's post will help. So can I, with still more info and resources at carehart.org/cfupdate (covering also jvm updates and more).

BKBK · Answer

We're running Coldfusion 2018 at the latest patch level, and have been notified by our security folks that we're using a vulnerable version of the JRE (1.11.0_01).

By @Matthew22377144yk0g

Is that the correct version? Do you perhaps mean 11.0.01?

I'm new to administering Coldfusion and wanted to know what the best practices are for performing JRE updates.

Best practice: use the latest Java version that the Adobe ColdFusion team recommends for your ColdFusion version. That version is JAVA SE 11.0.13 (LTS) for ColdFusion 2018.

Should we be expecting updates to be included in the Coldfusion updates (I assume not, given how behind we are)?

No, in general, ColdFusion updates do not include Java updates. However, Java updates could implicitly be included in ColdFusion updates. By this I mean that the ColdFusion Team may take into account a change in Java or a new Java feature when developing a ColdFusion update. When the team does, it usually publishes the necessary notification and documentation on the web.

If not, should we only be applying versions available here (https://www.adobe.com/support/coldfusion/downloads.html)?

Yes.

Is this a good reference on how to apply the updates? (https://www.petefreitag.com/item/860.cfm)

Yes, it is a good reference on updates. But there are 2 points to make:

I wouldn't say it is a reference on how to apply updates.
The remark on ColdFusion 2021, "Ships with Azul Zulu 11 after July 21, 2021", is outdated. Adobe did postpone the move to Azul Zulu. As a result, ColdFusion 2021 is still on Oracle JDK.

Nevertheless. Pete Freitag is a major force in ColdFusion and you will meet him again in the following references on how to update ColdFusion's Java (pictures speak louder than words, so we begin with videos):

https://www.youtube.com/watch?v=zzC31EAlZ8Y
https://www.youtube.com/watch?v=aW2tL1GMXB0
https://coldfusion.adobe.com/2014/09/how-to-change-upgrade-jdk-version-of-coldfusion-server/
https://helpx.adobe.com/coldfusion/kb/change-coldfusion-jvm.html

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded