Participant
April 12, 2023
Question

Coldfusion 9 and Server 2012 upwards

  • April 12, 2023
  • 3 replies
  • 534 views

I am not sure if anyone is old enough to remember Coldfusion 9? I need to come up with a tactical plan to remediate a security issue with an enterprise app using Coldfusion 9, wrapped in .Net running on Server 2008.

Have a strategic plan; however, need to buy 24 months for it to be in place, and the tactical is to try and re-deploy it to Server 2012 or 2016 with as little code work as possible.

I understand that only 2008 is supported for CF9; however, has anyone tried deploying it to Server 2012 onwards? What issues are encountered?

 

Any help would be appreciated.

    This topic has been closed for replies.

    3 replies

    BKBK
    Community Expert
    April 14, 2023

    Hi @Paul29360745kjc0 ,

    To answer your question, no, you cannot deploy ColdFusion 9 on a Windows Server version that is higher than 2008. The best you can get is Windows Server 2008 R2. Carl Von Stetten tells you a bit more in a previous thread on the subject.

    Charlie Arehart
    Community Expert
    April 14, 2023

    Not so. See my reply above.

     

    As I clarify there, it's not WISE, but technically it CAN be done with the steps outlined in the resources I pointed to. I've done it and have helped people do it in the past.

    /Charlie (troubleshooter, carehart.org)
    BKBK
    Community Expert
    April 17, 2023

    @Charlie Arehart : Let's agree to disagree. 

     

    @Paul29360745kjc0 : I shall now expand on my reason for saying that "you cannot deploy ColdFusion 9 on a Windows Server version that is higher than 2008". Think of ColdFusion 9 as the red node in the network pictured here. Think of the green nodes as the various technologies integrated in the ColdFusion platform. For example, Windows Server, database, and so on. The lines in the picture indicate the possible interactions, depending on the application being run.

    When Adobe engineers do a release, they perform an integration test of the whole, using a diverse range of applications and settings. That way they can test the practically countless ways in which the nodes interact with each other. That is the basis for the engineers' choice of the list of technologies to publish as the well-known "support-matrix". In this case, the support-matrix recommends Windows Server 2008 (R2).

     

    You may of course be able to get CF9 and Windows Server 2012 to work together. Which will be equivalent to an optimization along the direct line between the CF9 node and the Windows Server 2012 node. But that is only a narrow view of the ColdFusion 9 application server. There is no mention of an integration test. So this proposal does not take into account the many possible paths that may indirectly link CF9 with Win Server. 

     

    You say you want "to come up with a tactical plan to remediate a security issue with an enterprise app". I think there are three considerations:

    1.  From an engineering point of view, the combo CF9 + Win Server 2012 will fail sooner or later - for the reason I have given;
    2. As Dave has pointed out, the fact that CF9 and Win Server 2012 have both been phased out has severe security implications. This is contrary to the tactical advantage you are aiming for.
    3. With the integration-tested combo CF9+Win Server 2008(R2) you at least stand a chance.

     

       

    Community Expert
    April 12, 2023

    This has a super bad smell to it. Can you run CF 9 with the latest updates safely today on IIS? Yes, but it's pretty difficult and unsupported by Microsoft, and you REALLY have to pay attention to the CF security guide. What about security issues in Windows Server 2012? You have to pay annually for extended security updates for up to three years for that, and will no longer receive mainstream support (non-security patch fixes). You could try Windows Server 2016, which is also no longer receiving mainstream support as of 11 January 2022. I think you might be better off making the jump sooner rather than later, instead of waiting two years. You can probably work through any CFML code issues much quicker than that. If you can't do that, maybe you can migrate the whole thing to an Azure VM where you'll get free extended security support.

     

    Also, what do you mean "Coldfusion 9, wrapped in .Net running on Server 2008"? What does "wrapped in .Net" mean exactly? Is CF directly interacting with .NET through the JNBridge .NET proxy bundled with CF, or are you just running a web application where some requests are handled by CF and others by .NET? Are you going to have to update your .NET code for Windows Server 2012 or 2016?

     

    Dave Watts, Eidolon LLC

    Participant
    April 13, 2023

    Very quick reply. All valid points above and do not disagree. Basically we need to go through an upgrade (possible replacement) business, funding and execution process, which is why 12-24 months is realistic.

    We have a major constraint around Server 2008, which is today's driver.

    Community Expert
    April 17, 2023

    Well, here are some options for you.

     

    1. Try to get CF 9 running on Windows Server 2012 using IIS 8. This is probably difficult because of the connector versions and the lack of support for JRun in Windows Server 2012. But it's probably doable, especially with the links Charlie provided. If I had to try without any research, my guess would be that installing the IIS 6 metabase compatibility stuff:

     

    https://serverfault.com/questions/469388/install-iis-6-management-compatibility-on-iis-8-windows-2012

     

    2. Install CF 9 on Windows Server 2012 without IIS. This would involve using the built-in JRun web server on TCP/80 and TCP/443. This should be pretty easy to install, as long as you don't actually need IIS functionality. The built-in JRun web server contains ... minimal functionality, let's say.

     

    3. Install CF 10 (TEN) on Windows Server 2012 or higher. This is kind of a problem because you have CF 9! But you could buy a CF 2021 license, then "downgrade" to CF 10 and install that instead. Then, when you have the ability to upgrade to CF 2021 again, I think (THINK) you can do that for free. Of course, Adobe probably doesn't have CF 10 lying around, but you can go to CFML Repo for that (https://www.cfmlrepo.com/). CF 10 isn't supported by Adobe either, but it should be less yikes than CF 9. And things should generally work I think.

     

    4. Go whole hog and upgrade everything now! See what breaks on your legacy app, and figure out how long it'll take to fix it. You should probably be doing that already, in parallel to what you're talking about here. You might find you don't need two years! Or maybe you will!

     

    Dave Watts, Eidolon LLC

    Charlie Arehart
    Community Expert
    April 12, 2023

    Yes, you can run cf9 on those or even later, and there should be no code-related changes required, though you WILL encounter install/config issues which can be resolved with guidance I'll point to. 

     

    All that said, you say you're doing this to address a security concern. Are you acknowledging the grave security risk merely from running on cf9? Since it's not gotten any updates since 2013, that's 10 years of updates and security fixes that later versions got which cf9 did not and never will. Even cf2016 stopped getting them in 2021 (5 years after its release), and cf2018 will stop getting them in July. Here is a post I did in 2021 on a ransomware attack on cf9 that you should take care to consider:

    https://www.carehart.org/blog/2021/10/11/beware_ransomware_attacks_cf9_and_earlier

     

    I suppose part of your long-term plan may be to either get cf updated or move off it entirely (or to Lucee), and you seek this "stay of execution" for the next 24 months. I'm just warning you that you may realistically get knifed while in this "prison" of your choosing (even if you've "survived to this point").

     

    So moving on, here are several resources that have led people through the minefield of running cf9 on windows 2012 or above (some cover cf10 but the same concepts apply, as its first installer in 2012 did not yet support it):

     

    Finally, once you do get cf installed, the next challenge will be integrating it with iis, as the cf wsconfig tool will not recognize the iis 8 or 8.5 you'll be running. That's addressed in some of the above, or elsewhere such as these:

     

    BTW, I've confirmed that all those work as of today (I've had them in notes about all this which I've gathered over the years, helping people.)

    /Charlie (troubleshooter, carehart.org)