Have installed ColdFusion 2021 with update 1, on 64-bit Windows server 2019 Datacenter. I can either run it with Java 11.0.11 from Adobe, or with sandbox security (with Java 11.0.1), but the ColdFusion Application Service will not start if I have both Java 11.0.11 and sandbox security.
Copy link to clipboard
Let me try this.
I can reproduce the issue at my end. When I ran it from command line, it is getting stuck at sqlserver. Let me log a bug for this and find out if there is a workaround to it.
I have logged a bug for this issue and raise it to the development team. As soon as I hear from them, I will update the thread. In the meantime, you can use jdk11.0.10 or lower.
Thanks for looking into this, confirming the issue, and logging the bug. I wish that I could run a lower version of Java, but my organization has strict security monitoring, and if my server was running a lower version of Java than the most current, they would consider my server to be in violation. I will, however, ask if they would grant an exception until this bug is fixed or a workaround is found.
Copy link to clipboard
Hi, guys. I can offer a workaround for now. (I've confirmed experiencing the same issue, that CF won't start if running Java 11.0.11 with CF Sandbox Security enabled.) The workaround is to add this JVM argument to the CF startup args (in CF's jvm.config or the java args in the CF Admin), and then restart CF):
As for what led me to even consider that, you can see it's new for Java 11.0.11 specifically, and it's purpose discussed briefly as one of the "other notes" in the release notes for Java 11.0.11. You'll see also that it's specific to when a Java "security manager" is enabled.
When we enable the CF Sandbox Security feature, we are indeed causing CF to enable that java security manager, which CF configures for us.
As for why the arg to "allowAmbiguousCommands" is needed with CF, we will likely need to leave that with Priyank and the team to sort out. Perhaps there's something that CF startup code is doing that trips over the problem, which this change fixes, but which ultimately they can correct so the arg is no longer needed.
As for looking into the issue further, I'll note a couple other things:
But while we await Adobe resolving the root cause, this workaround will at least allow you to run 11.0.11 while also using the Security Manager. I'd love to hear from either of you if you confirm this and/or find any issues I have not.
I tried the argument which you shared and indeed it worked so Thank you for that. I wanted to show Michael, that is getting stuck at some point. My intention was not to point to a particular package. Before I responded to the above thread and opened a bug, I tried this in 2 different machines and it was getting stuck in different packages or loading another module. So it was clear to me that it is not the package but something else is causing the issue. I did not mention this in the bug that I opened internally.
Great to hear.
And while you say here, "My intention was not to point to a particular package", it was simply because you had said, "it is getting stuck at sql server" that I commented on that at all. 🙂 But thanks for the clarification.
Finally, I hope we hear from Michael confirming it works for him, and then we'll await word from you on if the team may find what was amiss.
After adding that argument, the ColdFusion Application service starts up without any problems, and it is running Java 11.0.11 and SandBox Security is enabled.
We have fixed the issue, it was something related to ODBC. If you would like, I can share the patch with you.
That would be great if you could share that patch.
Since I last posted that CF2021 was working with Java 11.0.11 with the Java argumen -Djdk.lang.Process.allowAmbiguousCommands=true, things have changed. With that setup, I could not run the CF Lockdown program, as it said this version of Cold Fusion is not supported. I was working on manually setting CF to be secure, but at some point the submenus which appear at the top of each CD admin screen disappeared. I uninstalled and reinstalled CF2021, moved to Java 11.0.10 and the Java argument, and was able to run the lockdown program. After enabling sandbox security, the CF app service would not start. Changing to Java 11.0.10 did not help, so I uninstalled CF 2021. I have been unable to uninstall the CF lockdown program.
Is there a way to uninstall the CF lockdown application? Is anyone else experiencing problems like this? Would I have a more stable environment if I was using CF2018? If the CF lockdown application can't be uninstalled, I think the OS will need to be reinstalled on a clean server.
Let me engage someone from my team to help you with the initial setup with CF2021. Please check your DM.
My ColdFusion 2021, update 1 and the special patch for recent Java versions, was running with Java 11.0.12 and sandbox security. After running update 2, I can once again either have Java 11.0.12 or sandbox security, but not both. Is it possible that update 2 wiped out the benefit of the special Java patch and that update 2 on its own does not support Java 11.0.12?
Michael, whatever became of your concern about this jvm arg and 11.0.12 (and sandbox security), with regard to CF2021 update 2? Does that remain? And what about the autolockdown tool issue you raised? Also, Michael, had you tried 11.0.13, which had come out last week?
And Priyank, did you ever confirm what he was reporting? Was it resolved?
I was advised by Adobe that the fix for using later versions of Java (11.0.11, 11.0.12) needs to be copied into the appropriate directorry after every CF update, as each update removes all other fixes from the directory. I have not tried turning on sandbox security again due to time and priority constraints, and have not tried Java 11.0.13 yet.
Michael, just to be clear, the sandbox security fix was a JVM arg I proposed originally here. And those settings are NOT lost between updates. (What you say is true of any special hotfixes, such as the recent one for query of query issues in the September CF updates).
Anyway, I hear you saying you're busy, so I'll leave this as much for other readers to consider in the meantime.
The sandbox security fix was a jar file which they sent to me.
[ Following Charlie's comment, I have deleted this post, to avoid any misunderstanding. ]
Hey, BKBK, since some folks may fail to notice that your comment here ("pls ignore") is from July 31, and they could misinterpret what it is you're proposing they "ignore", can you clarify that that was referring to? It's just that I don't see any other comment of yours, in this thread.
FWIW, I've been seeing this same problem upgrading from CF2018 to CF2023. We've used Sanboxing for years but as soon as we turn it on with CF2023, the instances won't startup. The jvm argument Charlie recommended seems to resolve the problem (-Djdk.lang.Process.allowAmbiguousCommands=true).
Not sure anyone will see this old message but if there's a better resolution for CF2023, would be great to hear.