• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

Best practices for JRE updates in Coldfusion?

Explorer ,
Jan 10, 2022 Jan 10, 2022

Copy link to clipboard

Copied

We're running Coldfusion 2018 at the latest patch level, and have been notified by our security folks that we're using a vulnerable version of the JRE (1.11.0_01).  I'm new to administering Coldfusion and wanted to know what the best practices are for performing JRE updates.  Should we be expecting updates to be included in the Coldfusion updates (I assume not, given how behind we are)?  If not, should we only be applying versions available here (https://www.adobe.com/support/coldfusion/downloads.html)?  Is this a good reference on how to apply the updates? (https://www.petefreitag.com/item/860.cfm)

Views

637

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

Community Expert , Jan 10, 2022 Jan 10, 2022

To answer your questions, no, yes, yes. [Edit: initially I said "no" as the last answer, but that was clearly a mis-typing, as supported by what I said below about Pete's helpful post.]

 

And if you show running 11.0.1, you can see that's clearly NOT "the latest", even as offered on that Adobe page, specifically the section on Java downloads (though good news is that the page DOES show the current latest, which is 11.0.13 at the moment. )

 

And to be clear, that's the latest update to Java 11, n

...

Votes

Translate

Translate
Community Expert ,
Jan 10, 2022 Jan 10, 2022

Copy link to clipboard

Copied

To answer your questions, no, yes, yes. [Edit: initially I said "no" as the last answer, but that was clearly a mis-typing, as supported by what I said below about Pete's helpful post.]

 

And if you show running 11.0.1, you can see that's clearly NOT "the latest", even as offered on that Adobe page, specifically the section on Java downloads (though good news is that the page DOES show the current latest, which is 11.0.13 at the moment. )

 

And to be clear, that's the latest update to Java 11, not the latest Java version available, which is 17 (which is not yet supported by CF). To be clear, Adobe supports you running cf2021 and CF2018 at the latest update for Java 11. Some future update will allow us to move to Java 17.

 

And FWIW, only new cf installers ever implement a new jvm version (in terms of what comes with CF), so yes, you are expected to keep it updated. Pete's post will help. So can I, with still more info and resources at carehart.org/cfupdate (covering also jvm updates and more). 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Jan 11, 2022 Jan 11, 2022

Copy link to clipboard

Copied

Thanks for the information and for sharing your site!  This is all really helpful information.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jan 11, 2022 Jan 11, 2022

Copy link to clipboard

Copied

Glad I could help, and thanks for the feedback. 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Jan 25, 2022 Jan 25, 2022

Copy link to clipboard

Copied

Since there's already another update since I posted this, I'm curious about the best practice around keystores.  Do you tend to create new keystores and re-import certs with each update, or is it a better practice to move the keystores out of the JVM folder and reuse the same one?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jan 25, 2022 Jan 25, 2022

Copy link to clipboard

Copied

Yep, the JVM gets updated about quarterly, and a new one came out just last week (here's a post I did on that).

 

So to your question, I'd say that it's best FIRST to make sure whether you MUST bother importing certs at all. Some people "drag those around" from JVM update to JVM update (importing them again and again) needlessly. It may be that all they need is a new JVM. I discuss both points in this post.

 

Also, you ask about possibly re-using the same keystore. Let me be clear: first, if you import a cert into the keystore of the JVM (the cacerts file, in the lib/security folder of whatever JVM you import into--which should be the one that CF is pointing to), you are ADDING that cert to whatever is ALREADY in that keystore/cacerts file. The JVM update often does UPDATE what IT puts in that file by default (root and intermediate certs, mostly.)

 

So beware falling into the trap of copying a cacerts out of one JVM and putting it into another. In doing that, you are removing your access to the beneficial new certs that the new JVM had implemented by default. Yes, this does mean that you have to import any NEEDED certs over and over when you move to a new JVM.

 

That takes me back to my previous point: make sure you really NEED the certs you are importing.  I have helped many people who had been doing that for years sometimes, and I said "let's just leave that cert out", and their app (the part they thought "needed" that cert) just worked. Again, often they had been misled by well-meaning people who (over many, many years) have proposed that the solution to an SSL/TLS problem was "you need to import a new cert", when instead maybe all they REALLY needed was to update their JVM (and its default certs).

 

But sure, if you MUST import a cert, then yep, it's a bit of a hamster wheel you have to run with each new JVM update, to re-import the cert.

 

Make sense? If I'm wrong or failing to state some other alternative that anyone knows, I'm open to being schooled. I'm simply sharing what's worked with hundreds of folks I've helped before.


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Jan 25, 2022 Jan 25, 2022

Copy link to clipboard

Copied

Hi Charlie - thanks for the quick response.  In our case we definitely need the certs, as they are for our database servers.  We typically create a new keystore file and import the certs into that keystore (not the cacerts) - we then directly reference our own keystore in the database connection configuration.  In that case, it sounds like we could reuse the same file, since we're not touching cacerts?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jan 25, 2022 Jan 25, 2022

Copy link to clipboard

Copied

There you go. If you a) NEED them and b) need the for a specific purpose (like a DB) where you can point THAT need to a SPECIFIC keystore, then go for doing that, yes. It wasn't clear if this was what you meant. Far more people fight with keystores and certs for the other reasons I laid out.

 

As such, in your case, no you would NOT need to change anuything with a move to a new JVM. So that's good news. 🙂


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Jan 25, 2022 Jan 25, 2022

Copy link to clipboard

Copied

LATEST

Great - this definitely helps reduce the workload!  Thanks again!

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jan 11, 2022 Jan 11, 2022

Copy link to clipboard

Copied

 

We're running Coldfusion 2018 at the latest patch level, and have been notified by our security folks that we're using a vulnerable version of the JRE (1.11.0_01). 


By @Matthew22377144yk0g

Is that the correct version? Do you perhaps mean 11.0.01?

 

I'm new to administering Coldfusion and wanted to know what the best practices are for performing JRE updates. 

Best practice: use the latest Java version that the Adobe ColdFusion team recommends for your ColdFusion version. That version is JAVA SE 11.0.13 (LTS) for ColdFusion 2018.

 

Should we be expecting updates to be included in the Coldfusion updates (I assume not, given how behind we are)?  


No, in general, ColdFusion updates do not include Java updates. However, Java updates could implicitly be included in ColdFusion updates. By this I mean that the ColdFusion Team may take into account a change in Java or a new Java feature when developing a ColdFusion update. When the team does, it usually publishes the necessary notification and documentation on the web.

 

  If not, should we only be applying versions available here (https://www.adobe.com/support/coldfusion/downloads.html)? 

 

Yes. 

 

  Is this a good reference on how to apply the updates? (https://www.petefreitag.com/item/860.cfm)

Yes, it is a good reference on updates. But there are 2 points to make:

  1.  I wouldn't say it is a reference on how to apply updates.  
  2.  The remark on ColdFusion 2021, "Ships with Azul Zulu 11 after July 21, 2021", is outdated. Adobe did postpone the move to Azul Zulu. As a result, ColdFusion 2021 is still on Oracle JDK. 

 

Nevertheless. Pete Freitag is a major force in ColdFusion and you will meet him again in the following references on how to update ColdFusion's Java (pictures speak louder than words, so we begin with videos):

 

https://www.youtube.com/watch?v=zzC31EAlZ8Y
https://www.youtube.com/watch?v=aW2tL1GMXB0
https://coldfusion.adobe.com/2014/09/how-to-change-upgrade-jdk-version-of-coldfusion-server/
https://helpx.adobe.com/coldfusion/kb/change-coldfusion-jvm.html

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation