• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

ColdFusion 2021 conflict between Sandbox Security and Java 11.0.11

Explorer ,
Jul 15, 2021 Jul 15, 2021

Copy link to clipboard

Copied

Have installed ColdFusion 2021 with update 1, on 64-bit Windows server 2019 Datacenter.  I can either run it with Java 11.0.11 from Adobe, or with sandbox security (with Java 11.0.1), but the ColdFusion Application Service will not start if I have both Java 11.0.11 and sandbox security.

TOPICS
Getting started , Security , Server administration

Views

2.3K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

Community Expert , Jul 16, 2021 Jul 16, 2021

Hi, guys. I can offer a workaround for now. (I've confirmed experiencing the same issue, that CF won't start if running Java 11.0.11 with CF Sandbox Security enabled.) The workaround is to add this JVM argument to the CF startup args (in CF's jvm.config or the java args in the CF Admin), and then restart CF):

-Djdk.lang.Process.allowAmbiguousCommands=true

 

As for what led me to even consider that, you can see it's new for Java 11.0.11 specifically, and it's purpose discussed briefly as one of the "other notes" in the release notes for Java 11.0.11

...

Votes

Translate

Translate
Adobe Employee ,
Jul 15, 2021 Jul 15, 2021

Copy link to clipboard

Copied

Hi Michael,

 

Let me try this.

 

Thanks,
Priyank Shrivastava

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Jul 15, 2021 Jul 15, 2021

Copy link to clipboard

Copied

Thanks!

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Jul 15, 2021 Jul 15, 2021

Copy link to clipboard

Copied

Hi Michael,

 

I can reproduce the issue at my end. When I ran it from command line, it is getting stuck at sqlserver. Let me log a bug for this and find out if there is a workaround to it.

 

PriyankShrivastava_0-1626376041705.png

 

 

 

Thanks,
Priyank Shrivastava

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Jul 15, 2021 Jul 15, 2021

Copy link to clipboard

Copied

I have logged a bug for this issue and raise it to the development team. As soon as I hear from them, I will update the thread. In the meantime, you can use jdk11.0.10 or lower. 

 

Thanks,
Priyank Shrivastava

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Jul 15, 2021 Jul 15, 2021

Copy link to clipboard

Copied

Thanks for looking into this, confirming the issue, and logging the bug.  I wish that I could run a lower version of Java, but my organization has strict security monitoring, and if my server was running a lower version of Java than the most current, they would consider my server to be in violation.  I will, however, ask if they would grant an exception until this bug is fixed or a workaround is found.

 

Thanks again!

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jul 16, 2021 Jul 16, 2021

Copy link to clipboard

Copied

Hi, guys. I can offer a workaround for now. (I've confirmed experiencing the same issue, that CF won't start if running Java 11.0.11 with CF Sandbox Security enabled.) The workaround is to add this JVM argument to the CF startup args (in CF's jvm.config or the java args in the CF Admin), and then restart CF):

-Djdk.lang.Process.allowAmbiguousCommands=true

 

As for what led me to even consider that, you can see it's new for Java 11.0.11 specifically, and it's purpose discussed briefly as one of the "other notes" in the release notes for Java 11.0.11. You'll see also that it's specific to when a Java "security manager" is enabled.

 

When we enable the CF Sandbox Security feature, we are indeed causing CF to enable that java security manager, which CF configures for us.

 

As for why the arg to "allowAmbiguousCommands" is needed with CF, we will likely need to leave that with Priyank and the team to sort out. Perhaps there's something that CF startup code is doing that trips over the problem, which this change fixes, but which ultimately they can correct so the arg is no longer needed.

 

As for looking into the issue further, I'll note a couple other things:

  • Priyank, wouldn't that message you show mean not that the sql server module was hanging things up (since it says it was "not installed"), but ratehr that whatever would have been NEXT to be loaded, or processed in the startup? FWIW, when I look at my own cf2021 setup (full install), the logs show that the odbc module would have been loaded next. Micheal or Priyank, I'd be curious when you look at your working implementation (with 11.0.1), what do you show in the logs as being loaded after the sql server module?
  • FWIW, I can confirm this is indeed definitely about 11.0.11. I tried using 11.0.10 with Sandbox Security, and all worked. 
  • And in case any may ask, this is NOT about the new "feature" added in 11.0.11, whereby the JVM (and therefore CF) is not allowed to call out to servers running TLS 1.1 or 1.0. While there is provision in the JVM update to configure the JVM to allow such calls (see any of many resources on that, from the JVM 11.0.11 release notes to blog posts from Pete Freitag and myself), I can confirm that I made that change, and still CF would not start with 11.0.11 and Sandbox enabled--unless I added that arg above.

 

But while we await Adobe resolving the root cause, this workaround will at least allow you to run 11.0.11 while also using the Security Manager. I'd love to hear from either of you if you confirm this and/or find any issues I have not.


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Jul 16, 2021 Jul 16, 2021

Copy link to clipboard

Copied

Hi Charlie,

 

I tried the argument which you shared and indeed it worked so Thank you for that. I wanted to show Michael, that is getting stuck at some point. My intention was not to point to a particular package. Before I responded to the above thread and opened a bug, I tried this in 2 different machines and it was getting stuck in different packages or loading another module. So it was clear to me that it is not the package but something else is causing the issue. I did not mention this in the bug that I opened internally. 

 

 

 

Thanks,
Priyank Shrivastava

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jul 17, 2021 Jul 17, 2021

Copy link to clipboard

Copied

Great to hear.

 

And while you say here, "My intention was not to point to a particular package", it was simply because you had said, "it is getting stuck at sql server" that I commented on that at all. 🙂 But thanks for the clarification.

 

Finally, I hope we hear from Michael confirming it works for him, and then we'll await word from you on if the team may find what was amiss. 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Jul 19, 2021 Jul 19, 2021

Copy link to clipboard

Copied

Thanks!

 

After adding that argument, the ColdFusion Application service starts up without any problems, and it is running Java 11.0.11 and SandBox Security is enabled.

 

Mike

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Jul 22, 2021 Jul 22, 2021

Copy link to clipboard

Copied

Hi Michael,

 

We have fixed the issue, it was something related to ODBC. If you would like, I can share the patch with you. 

 

Thanks,
Priyank Shrivastava

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Jul 22, 2021 Jul 22, 2021

Copy link to clipboard

Copied

Hi Priyank,

 

That would be great if you could share that patch.

 

Since I last posted that CF2021 was working with Java 11.0.11 with the Java argumen -Djdk.lang.Process.allowAmbiguousCommands=true, things have changed. With that setup, I could not run the CF Lockdown program, as it said this version of Cold Fusion is not supported. I was working on manually setting CF to be secure, but at some point the submenus which appear at the top of each CD admin screen disappeared.  I uninstalled and reinstalled CF2021, moved to Java 11.0.10 and the Java argument, and was able to run the lockdown program.  After enabling sandbox security, the CF app service would not start.  Changing to Java 11.0.10 did not help, so I uninstalled CF 2021. I have been unable to uninstall the CF lockdown program.

 

Is there a way to uninstall the CF lockdown application?  Is anyone else experiencing problems like this?  Would I have a more stable environment if I was using CF2018?  If the CF lockdown application can't be uninstalled, I think the OS will need to be reinstalled on a clean server.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Jul 23, 2021 Jul 23, 2021

Copy link to clipboard

Copied

Hi Michael,

 

Let me engage someone from my team to help you with the initial setup with CF2021. Please check your DM.

 

 

Thanks,
Priyank Shrivastava

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 29, 2021 Sep 29, 2021

Copy link to clipboard

Copied

Hi,

 

My ColdFusion 2021, update 1 and the special patch for recent Java versions, was running with Java 11.0.12 and sandbox security.  After running update 2, I can once again either have Java 11.0.12 or sandbox security, but not both.  Is it possible that update 2 wiped out the benefit of the special Java patch and that update 2 on its own does not support Java 11.0.12?

 

Thanks,

Mike

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Oct 28, 2021 Oct 28, 2021

Copy link to clipboard

Copied

Michael, whatever became of your concern about this jvm arg and 11.0.12 (and sandbox security), with regard to CF2021 update 2? Does that remain? And what about the autolockdown tool issue you raised? Also, Michael, had you tried 11.0.13, which had come out last week

 

And Priyank, did you ever confirm what he was reporting? Was it resolved? 

 

Thanks.


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Nov 02, 2021 Nov 02, 2021

Copy link to clipboard

Copied

I was advised by Adobe that the fix for using later versions of Java (11.0.11, 11.0.12) needs to be copied into the appropriate directorry after every CF update, as each update removes all other fixes from the directory.  I have not tried turning on sandbox security again due to time and priority constraints, and have not tried Java 11.0.13 yet.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Nov 02, 2021 Nov 02, 2021

Copy link to clipboard

Copied

Michael, just to be clear, the sandbox security fix was a JVM arg I proposed originally here. And those settings are NOT lost between updates. (What you say is true of any special hotfixes, such as the recent one for query of query issues in the September CF updates).

 

Anyway, I hear you saying you're busy, so I'll leave this as much for other readers to consider in the meantime. 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Nov 04, 2021 Nov 04, 2021

Copy link to clipboard

Copied

The sandbox security fix was a jar file which they sent to me.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jul 26, 2021 Jul 26, 2021

Copy link to clipboard

Copied

[ Following Charlie's comment, I have deleted this post, to avoid any misunderstanding. ]

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Oct 28, 2021 Oct 28, 2021

Copy link to clipboard

Copied

Hey, BKBK, since some folks may fail to notice that your comment here ("pls ignore") is from July 31, and they could misinterpret what it is you're proposing they "ignore", can you clarify that that was referring to? It's just that I don't see any other comment of yours, in this thread. (I see he later revised his message to better clarify that he'd first written a note then wrote that "ignore" over it, and then finally revising it to what shows above now.) 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Aug 31, 2023 Aug 31, 2023

Copy link to clipboard

Copied

FWIW, I've been seeing this same problem upgrading from CF2018 to CF2023. We've used Sanboxing for years but as soon as we turn it on with CF2023, the instances won't startup. The jvm argument Charlie recommended seems to resolve the problem (-Djdk.lang.Process.allowAmbiguousCommands=true).

 

Not sure anyone will see this old message but if there's a better resolution for CF2023, would be great to hear.

 

Thanks Charlie,

 

Ken Wilson

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Mar 09, 2024 Mar 09, 2024

Copy link to clipboard

Copied

We are experiencing this same issue on fresh CF2023 installs when attempting to enable Security Sandboxing.  CF service will not start.  Roll back the security.xml (Sandbox not enabled), starts up fine.  Getting stuck on the same ODBC service processing place as mentioned above when checking the server.log.  Adding Charlie's jvm argument does not seem to work.  Any hope of getting this to work?  JVM version is 17.0.6 (one that comes with CF2023).

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Mar 09, 2024 Mar 09, 2024

Copy link to clipboard

Copied

Ayera, since the arg has worked for others in cf2023, it seems we should double check first that your implementation of it is correct.

 

If you put this in a test page, does it output true?

<cfdump var="#server.system.properties["jdk.lang.Process.allowAmbiguousCommands"]#">

If that gets an error, the arg IS NOT set. You could try instead just this, which will let you see any such set args among the many results. 

<cfdump var="#server.system.propertie#">

 If you DO have it set, it seems we'd need to sort out how your sandbox config may differ from those that work. 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Mar 10, 2024 Mar 10, 2024

Copy link to clipboard

Copied

Thank you for your reply Charlie.  The first output does indeed return "true" and the allowAmbuousCommands does show in the server.system.properties dump:

jdk.lang.Process.allowAmbiguousCommandstrue

 

Clearing out the security.xml to a greenfield version (fresh from a CF2023 install, no sandboxes created in Sandbox security) and simply turning on Sandbox enabling DOES allow it to start, so you are correct that it was likley something in the config.  Adding a single sandbox (with no tag/function restrictions) worked. Slowly adding tag/function restrictions worked. Adding File/Dir restrictions one by one worked.  Unclear what was different in the sandbox config that was created all at once prior to enabling, but it is working now.  Thanks again for your suggestion.

 

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Mar 10, 2024 Mar 10, 2024

Copy link to clipboard

Copied

LATEST

Glad to have helped. Did you perhaps save that xml file before "clearing it out"? It's possible that in comparing it with a working one, the difference may be informative--for others, Adobe, or indeed for you should it happen again.

 

If you're not able to compare them (xml is challenging enough: WDDX-formatted even more so), you could share them with me as I have an automated approach. 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation