
Are the ColdFusion2023 updates supposed to update java as well?

Community Beginner, Sep 27, 2024

Hi,
After I upgraded ColdFusion 2023 to the latest version (build 10), the version of Java located in the "jre" folder under the "ColdFusion2023" directory was still just "17.0.6". It looks like the Java version is supposed to be at version "17.0.10". Are the updates supposed to upgrade Java as well, or do I need to update them separately?
Thanks!


Correct answer

Community Expert, Sep 27, 2024

Bill: no, the CF updates do not update the Java underlying CF. Only new CF installers do that. And while there has been one for CF 2023 which came out in Oct 2023, offering update 5 pre-installed, sadly it did NOT update the Java version--it remains 17.0.6 as was offered with the original installer. (I've updated that last sentence since my original answer here minutes ago, as I confirmed that 17.0.6 was indeed what was implemented in both the original May 2023 installer and the new one from Oct 2023.)

 

And yes, that means you need to update the Java underlying CF yourself. That can be simple on the surface, though you do need to be careful about it. I have more on the topic, including steps and links to resources with still more, here: https://www.carehart.org/cfupdate/#java 


/Charlie (troubleshooter, carehart.org)

Community Beginner, Sep 27, 2024

Very interesting and thanks! Although the video explanation on how to upgrade Java may be a problem for me. It seems like it will leave the old version of Java at D:\ColdFusion\jre. I believe our scanners will still find this old version of Java and declare it as a vulnerability.
Do you think I could do this instead?
1) stop ColdFusion service(s)
2) delete the "jre" folder under D:\ColdFusion2023 (or temporarily rename 'jre' to 'jre_bak')
3) extract the latest Java version (17.0.10) found at cfdownload.adobe.com/pub/adobe/coldfusion/java/java17/java17012/jdk-17.0.12_windows-x64_bin.zip to D:\ColdFusion2023\jre directory
4) Restart the server

and test everything? Thanks for any assistance you may be able to provide! 🙂
 

Community Expert, Sep 27, 2024

You could. Just understand that:

  • Your scanners will still find the renamed folder, so you'll want to delete that if it's a concern
  • If you do that, you will lose the ability to easily revert to the original jre. But if you're comfortable taking responsibility for all this, you can find the 17.0.6 version at Oracle, via links I offer in my resources
  • Otherwise I'd propose you wait a few days before deleting the renamed folder 

/Charlie (troubleshooter, carehart.org)

Community Beginner, Sep 27, 2024

Thanks so much!

Community Expert, Sep 27, 2024

Glad to have helped, and thanks for having marked my first reply as the "answer". That's more valuable than many appreciate. 🙂 


/Charlie (troubleshooter, carehart.org)

Community Expert, Sep 27, 2024

@BILL314613570ssy , Like Charlie, I would also answer no to the question whether ColdFusion updates do update Java as well. The Java installation at /coldFusion/jre was the latest Java version when ColdFusion was released. It stays there, irrespective of any subsequent update levels. 

quote

It seems like it will leave the old version of Java at D:\ColdFusion\jre. I believe our scanners will still find this old version of Java and declare it as a vulnerability.
Do you think I could do this instead?
1) stop ColdFusion service(s)
2) delete the "jre" folder under D:\ColdFusion2023 (or temporarily rename 'jre' to 'jre_bak')
3) extract the latest Java version (17.0.10) found at cfdownload.adobe.com/pub/adobe/coldfusion/java/java17/java17012/jdk-17.0.12_windows-x64_bin.zip to D:\ColdFusion2023\jre directory
4) Restart the server

By @BILL314613570ssy


No, don't delete it! Leave ColdFusion's in-built Java well alone. There may be vital background processes or dependencies that need it.

The question of your scanner declaring /coldFusion2023/jre a vulnerability is, of course, important. However, I don't think there is a pressing need to be preventive here. It is advisable to treat this as a bridge to cross if and when you get there.  

From what you say, I assume you already know how to get ColdFusion to run on a Java version newer than its own. All it takes is to:

  • Install the new Java Development Kit (LTS release);
    (Please note that, though you mention Java 17.0.10, the download link you mention is for JDK 17.0.12)
  • Edit the file /coldfusion2023/cfusion/bin/jvm-config and change the java.home property accordingly, for example, as follows:

    java.home=D:\\path\\to\\JDK_directory

  • Restart ColdFusion.

That's it.

Community Beginner, Sep 30, 2024

@BILL314613570ssy Maybe it would be worth letting Adobe know about the vulnerability finding by logging a new bug at their https://tracker.adobe.com/ site, so maybe they would update the Java version with the next ColdFusion update? I agree with @BKBK: I would not touch the original folder (even if you test everything now, there is no guarantee the next ColdFusion update won't look for it at the original location). Once you point your ColdFusion instances at the new JRE, they will not use the original JRE and will no longer be vulnerable.

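The thread turns on two separate questions: which Java home the instance is configured to use (the java.home property), and which Java homes are still on disk for a scanner to report. The following inventory script is an added example, not code from any poster or from Adobe; it assumes each Java home contains the standard `release` file with a JAVA_VERSION line, and the function names, the sample directory layout and the 17.0.12 minimum are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

def java_home_from_config(text):
    """Return java.home from JVM config text, collapsing the doubled backslashes."""
    for line in text.splitlines():
        if line.strip().startswith("java.home="):
            return line.split("=", 1)[1].strip().replace("\\\\", "\\")
    return None

def java_version(home):
    """Read JAVA_VERSION from the 'release' file found in a JDK/JRE home directory."""
    release = Path(home) / "release"
    if not release.is_file():
        return None
    m = re.search(r'^JAVA_VERSION="([^"]+)"', release.read_text(), re.MULTILINE)
    return m.group(1) if m else None

def as_tuple(version):
    """Numeric comparison key, so that 17.0.10 sorts above 17.0.6."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def audit(cf_root, java_home, minimum):
    """Report every Java home under cf_root plus the configured one."""
    in_use = Path(java_home).resolve()
    homes = {p.parent.resolve() for p in Path(cf_root).rglob("release")} | {in_use}
    rows = []
    for home in sorted(homes):
        ver = java_version(home)
        if ver is None and home != in_use:
            continue  # a file named 'release' that is not a Java release file
        rows.append({"path": str(home), "version": ver, "in_use": home == in_use,
                     "outdated": ver is None or as_tuple(ver) < as_tuple(minimum)})
    return rows

def build_sample(root):
    """Constructed layout: bundled jre (17.0.6) plus a separately installed JDK (17.0.12)."""
    cf_root, jdk = Path(root) / "ColdFusion2023", Path(root) / "jdk-17.0.12"
    for home, ver in ((cf_root / "jre", "17.0.6"), (jdk, "17.0.12")):
        home.mkdir(parents=True)
        (home / "release").write_text(f'JAVA_VERSION="{ver}"\n')
    return cf_root, f"java.home={jdk}\n"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        cf_root, config_text = build_sample(tmp)
        for row in audit(cf_root, java_home_from_config(config_text), "17.0.12"):
            print(row)
```

On the constructed layout the bundled jre is listed as not in use but outdated, which is the state a file-based scanner would still report after java.home has been repointed.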