CF2021 Update 16

Report · Nov 15, 2024

While reviewing the technotes for Update 16, I noticed a mention about keeping the JDK updated. I understand that ColdFusion supports Java 11, and according to the ColdFusion documentation, it supports versions up to 11.0.25. Currently, I am running Java 11.0.11.

My questions are:

Is there a need to upgrade to a newer version of the JDK?
Has anyone encountered any significant issues or challenges during the upgrade process?

Additionally, if I install the new JDK using the .exe file, can I simply update the path to the /jre folder in the ColdFusion Administrator, restart the server, and test the changes? If there are any issues, would it be possible to revert to the previous version without complications?

Report · Nov 15, 2024

@rickmaz You can continue using JDK 11.0.11, but the server may be vulnerable. We recommend upgrading to 11.0.25.

Follow the below article to upgrade the JDK:

https://coldfusion.adobe.com/2023/08/upgrade-jdk-version-coldfusion-server-updated/

Thanks,

Vikram

Report · Jan 30, 2025

I was running ColdFusion 2021 Enterprise (not sure which update version) on AWS, and was having serious issues with 11.0.25. Had to downgrade to 11.0.21. Any other reports of similar issues ?

Report · Jan 30, 2025

Just to provide additional details...The CF version is 2021.0.18.330341, and the issue is occurring with CFHTTP tag. The error that is occurring is being displayed after executing CFHTTP and doing a <cfdump var="#cfhttp#">. The page is not loading since the very next line is looking at cfhttp.responseheader.status_code, which doesn't exist sine the CFHTTP failed. This is the error shown in the cfdump of cfhttp:

I/O Exception: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Note that with JRE 11.0.21, this error is not occurring. Only with 11.0.25, so it should not be a certificate issue.

Report · Jan 30, 2025

I was able to determine that the issue is with the cacert that is packaged with JRE 11.0.25 that is causing the issues. Just an FYI, this is with a AWS ColdFusion AMI.

Report · Jan 30, 2025

Definitely sounds like a certificate issue to me. Different versions of Java, like different browsers, come with different root certificates. Try downloading the certificate chain (root and intermediate) for the site in question, then installing as described here:

https://docs.oracle.com/cd/E19906-01/820-4916/geygn/index.html

Dave Watts, Eidolon LLC

Report · Jan 31, 2025

@richardl96961282 , if you look at the release notes of the Java versions between 11.0.21 and 11.0.25, you will see that 11.0.25 has a breaking change. The breaking change is: "Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024". I think that that is the cause of your problem.

I have 3 suggestions:

Create a ColdFusion bug report about this. In your report, refer to this forum post.
Upgrade Java to 11.0.24 instead of 11.0.25.
You may decide to disable the security restriction imposed by the breaking change, and to go ahead with a Java 11.0.25 upgrade. As Oracle's release notes say, you will be doing so at your own risk.
To disable the security restrictions in 11.0.25, proceed as follows:

Stop ColdFusion;
Open the following configuration file in an editor: {DIRECTORY_OF_JDK_OR_JRE_THAT_CF_IS_USING}/conf/security/java.security;

Comment out the line

jdk.security.caDistrustPolicies=SYMANTEC_TLS,ENTRUST_TLS

by replacing it with

# jdk.security.caDistrustPolicies=SYMANTEC_TLS,ENTRUST_TLS

Restart ColdFusion.
Run the CFHTTP code once again and see what happens.

Report · Jan 31, 2025

That's a better suggestion than mine.

Dave Watts, Eidolon LLC

Report · Jan 31, 2025

...I understand that ColdFusion supports Java 11, and according to the ColdFusion documentation, it supports versions up to 11.0.25. Currently, I am running Java 11.0.11.

My questions are:

Is there a need to upgrade to a newer version of the JDK?

Has anyone encountered any significant issues or challenges during the upgrade process?

By @rickmaz

Yes, there is a need to upgrade to a new Java version. As you can see from the Java 11 release notes, there have been many changes and hot fixes since v11.0.11. But you should upgrade ColdFusion 2021's Java according to instructions or advice from Adobe's ColdFusion team.
Yes, some ColdFusion 2021 developers have faced issues resulting from an upgrade of Java 11. See, for example, @richardl96961282 's posts in this thread.

Report · Feb 01, 2025

Richard and Rick, have you both resolved your problems so that you can update to that latest Java? You should be able to: updating the Java underlying cf to the latest update of the version it supports has worked and is working for others currently with these latest versions you refer to.

If the solution for your situation is not what's been offered so far, there are still other possible explanations. Rather than bore you/readers herebwith that, let's hear how it's gone for you so far.

/Charlie (troubleshooter, carehart. org)