Have installed ColdFusion 2021 with update 1, on 64-bit Windows server 2019 Datacenter. I can either run it with Java 11.0.11 from Adobe, or with sandbox security (with Java 11.0.1), but the ColdFusion Application Service will not start if I have both Java 11.0.11 and sandbox security.
Hi Michael,
Let me try this.
Thanks!
Hi Michael,
I can reproduce the issue at my end. When I ran it from command line, it is getting stuck at sqlserver. Let me log a bug for this and find out if there is a workaround to it.
I have logged a bug for this issue and raised it to the development team. As soon as I hear from them, I will update the thread. In the meantime, you can use jdk11.0.10 or lower.
Thanks for looking into this, confirming the issue, and logging the bug. I wish that I could run a lower version of Java, but my organization has strict security monitoring, and if my server was running a lower version of Java than the most current, they would consider my server to be in violation. I will, however, ask if they would grant an exception until this bug is fixed or a workaround is found.
Thanks again!
Hi, guys. I can offer a workaround for now. (I've confirmed experiencing the same issue, that CF won't start if running Java 11.0.11 with CF Sandbox Security enabled.) The workaround is to add this JVM argument to the CF startup args (in CF's jvm.config or the java args in the CF Admin), and then restart CF:
-Djdk.lang.Process.allowAmbiguousCommands=true
As for what led me to even consider that, you can see it's new for Java 11.0.11 specifically, and its purpose discussed briefly as one of the "other notes" in the release notes for Java 11.0.11. You'll see also that it's specific to when a Java "security manager" is enabled.
When we enable the CF Sandbox Security feature, we are indeed causing CF to enable that java security manager, which CF configures for us.
As for why the arg to "allowAmbiguousCommands" is needed with CF, we will likely need to leave that with Priyank and the team to sort out. Perhaps there's something that CF startup code is doing that trips over the problem, which this change fixes, but which ultimately they can correct so the arg is no longer needed.
As for looking into the issue further, I'll note a couple other things:
But while we await Adobe resolving the root cause, this workaround will at least allow you to run 11.0.11 while also using the Security Manager. I'd love to hear from either of you if you confirm this and/or find any issues I have not.
Hi Charlie,
I tried the argument which you shared and indeed it worked, so thank you for that. I wanted to show Michael that it is getting stuck at some point. My intention was not to point to a particular package. Before I responded to the above thread and opened a bug, I tried this in 2 different machines and it was getting stuck in different packages or loading another module. So it was clear to me that it is not the package but something else is causing the issue. I did not mention this in the bug that I opened internally.
Great to hear.
And while you say here, "My intention was not to point to a particular package", it was simply because you had said, "it is getting stuck at sql server" that I commented on that at all. 🙂 But thanks for the clarification.
Finally, I hope we hear from Michael confirming it works for him, and then we'll await word from you on if the team may find what was amiss.
Thanks!
After adding that argument, the ColdFusion Application service starts up without any problems, and it is running Java 11.0.11 and SandBox Security is enabled.
Mike
Hi Michael,
We have fixed the issue, it was something related to ODBC. If you would like, I can share the patch with you.
Hi Priyank,
That would be great if you could share that patch.
Since I last posted that CF2021 was working with Java 11.0.11 with the Java argument -Djdk.lang.Process.allowAmbiguousCommands=true, things have changed. With that setup, I could not run the CF Lockdown program, as it said this version of Cold Fusion is not supported. I was working on manually setting CF to be secure, but at some point the submenus which appear at the top of each CF admin screen disappeared. I uninstalled and reinstalled CF2021, moved to Java 11.0.10 and the Java argument, and was able to run the lockdown program. After enabling sandbox security, the CF app service would not start. Changing to Java 11.0.10 did not help, so I uninstalled CF 2021. I have been unable to uninstall the CF lockdown program.
Is there a way to uninstall the CF lockdown application? Is anyone else experiencing problems like this? Would I have a more stable environment if I was using CF2018? If the CF lockdown application can't be uninstalled, I think the OS will need to be reinstalled on a clean server.
Hi Michael,
Let me engage someone from my team to help you with the initial setup with CF2021. Please check your DM.
Hi,
My ColdFusion 2021, update 1 and the special patch for recent Java versions, was running with Java 11.0.12 and sandbox security. After running update 2, I can once again either have Java 11.0.12 or sandbox security, but not both. Is it possible that update 2 wiped out the benefit of the special Java patch and that update 2 on its own does not support Java 11.0.12?
Thanks,
Mike
Michael, whatever became of your concern about this jvm arg and 11.0.12 (and sandbox security), with regard to CF2021 update 2? Does that remain? And what about the autolockdown tool issue you raised? Also, Michael, had you tried 11.0.13, which had come out last week?
And Priyank, did you ever confirm what he was reporting? Was it resolved?
Thanks.
I was advised by Adobe that the fix for using later versions of Java (11.0.11, 11.0.12) needs to be copied into the appropriate directory after every CF update, as each update removes all other fixes from the directory. I have not tried turning on sandbox security again due to time and priority constraints, and have not tried Java 11.0.13 yet.
Michael, just to be clear, the sandbox security fix was a JVM arg I proposed originally here. And those settings are NOT lost between updates. (What you say is true of any special hotfixes, such as the recent one for query of query issues in the September CF updates).
Anyway, I hear you saying you're busy, so I'll leave this as much for other readers to consider in the meantime.
The sandbox security fix was a jar file which they sent to me.
[ Following Charlie's comment, I have deleted this post, to avoid any misunderstanding. ]
Hey, BKBK, since some folks may fail to notice that your comment here ("pls ignore") is from July 31, and they could misinterpret what it is you're proposing they "ignore", can you clarify what that was referring to? It's just that I don't see any other comment of yours in this thread. (I see he later revised his message to better clarify that he'd first written a note then wrote that "ignore" over it, and then finally revising it to what shows above now.)
FWIW, I've been seeing this same problem upgrading from CF2018 to CF2023. We've used Sandboxing for years but as soon as we turn it on with CF2023, the instances won't start up. The jvm argument Charlie recommended seems to resolve the problem (-Djdk.lang.Process.allowAmbiguousCommands=true).
Not sure anyone will see this old message but if there's a better resolution for CF2023, would be great to hear.
Thanks Charlie,
Ken Wilson
We are experiencing this same issue on fresh CF2023 installs when attempting to enable Security Sandboxing. CF service will not start. Roll back the security.xml (Sandbox not enabled), starts up fine. Getting stuck on the same ODBC service processing place as mentioned above when checking the server.log. Adding Charlie's jvm argument does not seem to work. Any hope of getting this to work? JVM version is 17.0.6 (one that comes with CF2023).
Ayera, since the arg has worked for others in cf2023, it seems we should double check first that your implementation of it is correct.
If you put this in a test page, does it output true?
<cfdump var="#server.system.properties["jdk.lang.Process.allowAmbiguousCommands"]#">
If that gets an error, the arg IS NOT set. You could try instead just this, which will let you see any such set args among the many results.
<cfdump var="#server.system.properties#">
If you DO have it set, it seems we'd need to sort out how your sandbox config may differ from those that work.
Thank you for your reply Charlie. The first output does indeed return "true" and the allowAmbiguousCommands does show in the server.system.properties dump:
jdk.lang.Process.allowAmbiguousCommands | true |
Clearing out the security.xml to a greenfield version (fresh from a CF2023 install, no sandboxes created in Sandbox security) and simply turning on Sandbox enabling DOES allow it to start, so you are correct that it was likely something in the config. Adding a single sandbox (with no tag/function restrictions) worked. Slowly adding tag/function restrictions worked. Adding File/Dir restrictions one by one worked. Unclear what was different in the sandbox config that was created all at once prior to enabling, but it is working now. Thanks again for your suggestion.
Glad to have helped. Did you perhaps save that xml file before "clearing it out"? It's possible that in comparing it with a working one, the difference may be informative--for others, Adobe, or indeed for you should it happen again.
If you're not able to compare them (xml is challenging enough: WDDX-formatted even more so), you could share them with me as I have an automated approach.
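The structural comparison suggested in the last reply, as an added example that is not part of the original thread and is not Charlie's or Adobe's tool: it flattens two WDDX packets into path/value pairs and reports what differs between a working and a failing file. The sample packets and their key names are constructed for illustration and are not the real security.xml layout.

```python
import xml.etree.ElementTree as ET

def flatten(node, path="", out=None):
    """Record every leaf of a WDDX value element under a path-like key."""
    out = {} if out is None else out
    if node.tag in ("struct", "array") and len(node) == 0:
        out[path] = "(empty)"            # keep empty containers visible in the diff
    elif node.tag == "struct":
        for var in node.findall("var"):  # CFML struct keys are case-insensitive
            flatten(var[0], f"{path}/{var.get('name').lower()}", out)
    elif node.tag == "array":
        for i, item in enumerate(node):
            flatten(item, f"{path}[{i}]", out)
    elif node.tag == "boolean":
        out[path] = node.get("value")    # <boolean value='true'/>
    elif node.tag == "null":
        out[path] = None
    else:                                # string, number, dateTime carry text
        out[path] = node.text or ""
    return out

def load_wddx(xml_text):
    """Parse one wddxPacket and flatten the single value under <data>."""
    return flatten(ET.fromstring(xml_text).find("data")[0])

def diff_wddx(working_xml, broken_xml):
    a, b = load_wddx(working_xml), load_wddx(broken_xml)
    return {
        "only_in_working": sorted(a.keys() - b.keys()),
        "only_in_broken": sorted(b.keys() - a.keys()),
        "changed": {k: (a[k], b[k]) for k in sorted(a.keys() & b.keys()) if a[k] != b[k]},
    }

# Constructed sample packets; the key names are hypothetical, not Adobe's schema.
WORKING = """<wddxPacket version='1.0'><header/><data><struct>
<var name='Enabled'><boolean value='true'/></var>
<var name='sandboxes'><struct><var name='app1'><struct>
  <var name='disabledTags'><array length='1'><string>cfexecute</string></array></var>
  <var name='datasources'><string>all</string></var>
  <var name='files'><struct/></var>
</struct></var></struct></var>
</struct></data></wddxPacket>"""
BROKEN = WORKING.replace("length='1'", "length='2'").replace(
    "<string>cfexecute</string>", "<string>cfexecute</string><string>cfregistry</string>"
).replace("<string>all</string>", "<string>none</string>").replace(
    "<struct/>", "<struct><var name='D:/data/-'><string>read</string></var></struct>")

if __name__ == "__main__":
    for section, items in diff_wddx(WORKING, BROKEN).items():
        print(section, items)
```

To compare real files, pass their contents to `diff_wddx` after saving a copy of the failing security.xml before resetting it.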