I tried to submit a trouble-ticket on the tracker.adobe.com, but I’m getting a 500 error. Yay.
Does anyone have any information on ColdFusion 2023 Enterprise and the Microsoft Visual C++ 2012 Redistributable?
This specific redistributable has reached End of Life (EOL) and is no longer supported or patched by Microsoft. Utilizing EOL software directly violates Risk Management Framework (RMF) and Department of Navy cybersecurity requirements. This outdated dependency unnecessarily increases the system’s attack surface area.
Correct answer Charlie Arehart
Robert, I have good news for you, as for your observation of the CF2023 installer requiring install of VC++ Redist 2012. It’s that this is a reflection of your having the original CF2023 installer.
A new one was indeed subsequently released in Oct 2023 (they call them “refreshed” installers), and that one DOES implement the 2015-2022 redist (AND it came pre-configured with what was then the latest CF2023 update 5 and also offered still other enhancements requiring a new installer).
If anyone wants proof, here is a screenshot of my running that later installer (which I’ve kept around) just now:
So I suspect you’re using an installer that you either have long had or that someone in your org gave you. Perhaps they’d never noticed or cared about the 2012 redist. Now you do, and good for you.
To be clear, such "refreshed" installers are not "upgrade installers", which one applies against a current cf installation. (We've not had any of those since the move to cf10 and tomcat, in 2012. The last one was one for cf9.0.1, I recall.) Instead, someone wanting to have the new underlying benefits of the new installer (like this upgraded vc++ redist, or new os support, would get those only by installing cf anew with the new installer.
So how to get the newer installer? Well, since you work for DOD, I suspect you won’t want it from me, nor will you want it from the community-managed cfmlrepo.com site (which has that and the original CF2023 installer, and installers back to CF 1.5).
So instead, you should go to your powers-that-be to have them download it from Adobe. To be clear, once a new version of CF comes out, they remove the links on the public site for the installers of the previous version.
But whoever licensed CF would have been given a link by Adobe to an online Adobe repo (requiring a login that that person would have been given), and THAT would have the later installer.
Finally I realize you (or others reading this) may be in a situation where you “have no idea who bought CF”, in which case it seems your final option would be to send a note to cfsup@adobe.com. Perhaps if you explain the situation to them they may offer you a link for the installer at adobe.com (which your security folks should be more willing to trust).
Hope that either gets you going, or gives you hope that you should soon be able to get going.
If nothing else, it counters the contention that CF2023 has an “outdated dependency” (from your original post) or answers your question of “whether they ever have a plan to update the version because it is no longer supported by MS which is a security risk” (from your most recent comment in reply to bkbk). It’s the the ORIGINAL installer had that problem, but they DID update it.
Robert, I have good news for you, as for your observation of the CF2023 installer requiring install of VC++ Redist 2012. It’s that this is a reflection of your having the original CF2023 installer.
A new one was indeed subsequently released in Oct 2023 (they call them “refreshed” installers), and that one DOES implement the 2015-2022 redist (AND it came pre-configured with what was then the latest CF2023 update 5 and also offered still other enhancements requiring a new installer).
If anyone wants proof, here is a screenshot of my running that later installer (which I’ve kept around) just now:
So I suspect you’re using an installer that you either have long had or that someone in your org gave you. Perhaps they’d never noticed or cared about the 2012 redist. Now you do, and good for you.
To be clear, such "refreshed" installers are not "upgrade installers", which one applies against a current cf installation. (We've not had any of those since the move to cf10 and tomcat, in 2012. The last one was one for cf9.0.1, I recall.) Instead, someone wanting to have the new underlying benefits of the new installer (like this upgraded vc++ redist, or new os support, would get those only by installing cf anew with the new installer.
So how to get the newer installer? Well, since you work for DOD, I suspect you won’t want it from me, nor will you want it from the community-managed cfmlrepo.com site (which has that and the original CF2023 installer, and installers back to CF 1.5).
So instead, you should go to your powers-that-be to have them download it from Adobe. To be clear, once a new version of CF comes out, they remove the links on the public site for the installers of the previous version.
But whoever licensed CF would have been given a link by Adobe to an online Adobe repo (requiring a login that that person would have been given), and THAT would have the later installer.
Finally I realize you (or others reading this) may be in a situation where you “have no idea who bought CF”, in which case it seems your final option would be to send a note to cfsup@adobe.com. Perhaps if you explain the situation to them they may offer you a link for the installer at adobe.com (which your security folks should be more willing to trust).
Hope that either gets you going, or gives you hope that you should soon be able to get going.
If nothing else, it counters the contention that CF2023 has an “outdated dependency” (from your original post) or answers your question of “whether they ever have a plan to update the version because it is no longer supported by MS which is a security risk” (from your most recent comment in reply to bkbk). It’s the the ORIGINAL installer had that problem, but they DID update it.
We were late to the ColdFusion 2023 Enterprise party for a variety of reasons, and I can confirm that it was post-2023. I don’t recall if it was one we downloaded directly from our Adobe account or the website. Regardless, it is most likely the later version.
Based on your assessment, we most likely installed the Microsoft Visual C++ 2015-2022 Redistribution package.
The package is probably left over from the previous ColdFusion version we installed (2018) or some other application.
Unfortunately, there is no good way to determine what, if anything, is actually using the application. My understanding is that we may need to use a process explorer to see if the package is being used by anything and determining what that anything is. If it doesn’t appear to be used, uninstall it and see if anything breaks. Fun times!
I tried that site as I mentioned in my original post. When I select ColdFusion, it just spins. I hit F12 and I can see there’s a 500 error from the site.
The update level doesn’t matter because ColdFusion 2023 Enterprise has a solid dependency on Microsoft Visual C++ 2012 and they have never updated it.
My query is whether they ever have a plan to update the version because it is no longer supported by MS which is a security risk.
AdChoices