Document update history:
We are pleased to announce the availability of ColdFusion (2023 release) Update 5 and ColdFusion (2021 release) Update 11 today!
Where do I download the updates from
What's new and changed in the updates
Both the updates include bug fixes and enhancements in Administrator, Installer, Migration, Package manager, Database, and other areas. The update contains upgrades to Tomcat (v9.0.78) and other libraries, such as jackson-databind, Netty, etc. Note that this update is cumulative and includes fixes from the previous updates.
The updates include package install enhancements, Admin APIs for activation requests, new attributes for Exchange tags, connector-related enhancements, and many more. Check out the tech notes for more details.
Do I need to recreate the connector after installing the updates
Yes
Do these updates contain updated packages
Yes
Are the Docker images available
The images are available on the Docker hub and ECR.
Please install the updates and let us know your feedback.
Thanks, Saurav. And wow, this feels almost like a point release rather than an update, with not only bug fixes but so many changes/new features (whereas the past 4 updates had only security fixes). So let's all dig in and see how it goes. Nice to see if this update resolves some long-standing bugs that had troubled us since the previous "major" updates (that fixed previous bugs but added new ones) in Oct 2022 and Sep 2021.
That said, if this update might introduce new bugs itself, I sure hope it won't be a year until an update fixes THESE bugs.
I see that the CF2023U5 release notes have the Mandatory IP restrictions item, but this item is absent from the CF2021U11 release notes (and bug CF-4219181 is offline or inaccessible). Does this change only apply to CF2023R5 and not to CF2021U11? I have some more thoughts on this, but I'll just say for now that this is a great config tweak and one that everyone should make to all ColdFusion environments, even manually if you have to do it.
Brian, this is an interesting discussion you raise. I hope folks will forgive/appreciate my blog-length reply and elaboration.
First, while Adobe can and should answer your question, I suspect the change in fact may not apply to EITHER update. Instead, the verbiage on this point in the technote is talking about how the CF installer would work--and I have confirmed first that there are not new/refreshed installers released with this update. Adobe, do you agree? (I have downloaded the zip and gui installers, and compared them to those I got in July, and they are identical.) (As an update, 4 days later: Adobe modified this post on Oct 10 to indicate that in fact there WERE new CF installers that include these updates. I have confirmed they are indeed different from the previous installers. The rest of what I say in this comment applies and remains unchanged.)
As for whether the update may indeed make any change, it will be interesting to hear from anyone who may have installed CF a) with the production profile (rather than production+secure), and b) who may have had no value entered for "Allowed IP Addresses for accessing ColdFusion Administrator and ColdFusion Internal Directories" before the update: do they now see these localhost values entered for them? (For anyone interested, this setting is at the bottom of the "allowed ip addresses" page in the "Security" section of the Admin.)
And lest casual readers misconstrue things, this is talking about the production vs developer PROFILE (an option the installer has long had) rather than the prod vs dev DEPLOYMENT TYPE (which is a new option in the installer since CF2021, also offering values like test, stage, qa, and dr). The latter is tracked (once chosen) on the Licensing and Activation page of the CF Admin (and for now cannot be changed in the Admin, and there's a tracker ticket requesting that).
As for the security aspect of this change, I'll say I've always found it odd not only that the installer prompt discussed (in the technote) would be greyed out for ANY profile selected (even "developer"), as there's value (as you're getting to) for everyone to have the admin locked down to only localhost access (unless you choose to open it up). But I've wondered why it didn't pre-populate with these localhost ips discussed in the technote.
And yes, I realize that with the CF Admin exposed by default only on the built-in web server (which defaults to port 8500), that web server's port would be blocked by any firewall. But if other machines within the firewall/network have that port open, that doesn't mean that everyone who CAN access the port SHOULD be able to try to login to the CF Admin.
So in summary, I'd argue that a) an update should change any servers that have NO value for this field to have localhost ips (with a warning to people that if this change blocks them being able to access the admin, they can use the cfsetup tool--new in cf2021--to be able to modify that ip list). Then b) the installer prompt should also be pre-populated with those localhost ips regardless of profile, with the freedom for the installing user to add to or change that list of ips (if somehow they feel they must). And an argument could be made that c) the admin (and installer) should NO longer allow there to be NO value entered for this allowed ip field, as that means it's open to anyone who can reach that built-in web server port.
If I have anything wrong here in any of the above, I welcome correction.
Brian or Adobe, any thought on my comment here from Oct 7 about the "allowed ip address" matter Brian raised?
For anyone following this comment thread, I will point out something that seems important.
Folks are starting to raise observations that there is a change related to what IPs can access the CF Admin--even WITHOUT a new install, and ALSO even on CF2021 after applying its update 11 from the same day.
Brian's original question was asking Adobe if it WAS limited to CF2023. They never answered. Then I observed how the CF2023 mention seemed to refer only to new installs (and even then only if using the Production profile).
It's starting to seem more than that. For anyone interested in the discussion, see another thread in the forums here where the issue was raised today. While I offered a comment there to start, I look forward to digging in more and sharing anything I learn, if others don't first.
If you trust the download file and want to allow execution anyway, there are instructions on how to bypass that check here - https://support.apple.com/guide/mac-help/apple-cant-check-app-for-malicious-software-mchleab3a043/ma...
Mike, a few things on this.
First, let's clarify for folks following along that you're talking about an issue with the installation of CF2023 rather than applying this update (as indicated by your words and the screenshot you offered).
Second, on that, note that the release notes doc for CF2023 indicates (in its "Known issues" section) that:
"On macOS, before launching the ColdFusion installer, run "xattr -rc" command against the installer dmg."
Of course, anyone could miss that. Can you try that and see if it works for you?
That said, finally, note that both the CF2023 support matrix PDF and the CF2023 system requirements pages indicate that only MacOS 13 (Ventura) is supported, not 14 (Sonoma)--which did come out only last week (Sep 26). Adobe (like many vendors) has a historic record of not being ready to support a new OS version on the day of release, and indeed often not for months (or even as much as a year).
So I'm saying that this xattr command MAY get the installer to work for you, and the install MAY run, but again it's not SUPPORTED. So if you encounter other issues, be aware that you are floating on a boat in a potentially stormy sea without the Coast Guard there to help--to stretch an analogy. But again, all may go well.
Finally, if it does not go well and you want to elaborate on this, it may be more appropriate for you to open a new discussion in the CF Community forums as your issue seems not to be related to these October 2023 updates of CF, specifically. (If there was a new installer released with this update, that would be different. But there was not, I have confirmed. Update since my original reply: Adobe modified this post today to indicate that in fact there WERE new CF installers released today, Oct 10, which include the latest update. And I have confirmed today they are indeed different installers. Just updating this comment I'd made a few days ago, for the sake of clarity.)
As always, just trying to help.
Mike, any thoughts about my comment here from Oct 6 in reply to your questions about MacOS?
By the way, Mike, in case you didn't see my update to my reply to you from last week, there WERE new installers (for CF2021 and 2023) released earlier this week, so you may want to see if the new Mac installer works better for you. Don't forget to use that xattr -rc command if it doesn't work (but perhaps that's been resolved in the new installer. Again, see my first reply to you above.).
Fantastic. Are there new installers for CF2023 with this update?
While we await confirmation from Adobe, I'll note that I'd indicated in earlier comments here (one just a minute before yours) that I'd not found there to be any new installers in my own checking.
Here's great news (for some): while there were no new installers with original release of the update last week, Adobe has modified this post today to confirm that they HAVE released today new installers that DO include this latest update. I have checked them and confirmed today they are different than the previous ones (whereas on Friday I did NOT find the installers to be different.)
I just wanted to add this comment since Dave had raised the question that first day, and I shared what I found to be true then. It would be easy for many to miss the modification of this post to indicate there are in fact new installers. (Thankfully, Saurav also offered it earlier today in a later comment thread here.)
Dave, have you tried the new installers?
Update not appearing in CF2023 Administrator, only shows up to update 4.
Dave, this has happened with the earlier updates: in nearly all such cases, it was a caching issue. Not a BROWSER caching issue you can influence, but instead some caching between your machine (running cf) and the Adobe server(s) offering the updates. And it's about the xml feed used to offer these updates.
You may find that within hours, suddenly the update appears. There's also that "check for updates" button on the admin updates page which you can click to try in hours to come.
Finally, note that the technote offers a link for you to manually download the update (jar file) and offers instructions for applying it manually near the bottom of the technotes.
You may need to do that anyway with this update (the manual install)--if you have cf set to use Java 17.0.8 or greater for cf2023, or Java 11.0.20 for cf2021. In those cases, running the update in the admin will fail. Instead, we need to do the manual install of the update and add a new jvm arg--as mentioned at the TOP of each technote (in a box on only one of them, for now).
Let us know if that gets you sorted.
Still no luck Charlie. Even their XML feed doesn't include it:
https://cfdownload.adobe.com/pub/adobe/coldfusion/xml/updates.xml
No, it's there. Just not for you, for some reason. I not only see it today with that link you offered, but I had no problem (and know of many others) obtaining it Friday.
As you may know, the technote offers a link to the update (jar and/or bundle zip) to download, but I realize you may prefer to update via the admin instead. Here is the item element for update 5, which you could add manually (with care) to the xml file you can get now, and you can change the cf admin update page to point to that file. (Just don't forget to set it back to the default, once done):
<item>
  <title>ColdFusion 2023 Update 5</title>
  <description>ColdFusion (2023 release) Update 5 includes bug fixes and enhancements in Administrator, Migration, Package manager, Database, and other areas. The update contains upgrades to Tomcat (v9.0.78) and other libraries, such as, jackson-databind, Netty, and so on. Note that this update is cumulative and includes fixes from the previous updates. For details refer the Technote link. </description>
  <cfhf_id>hf-2023-00005-330608</cfhf_id>
  <cfhf_type>General</cfhf_type>
  <cfhf_updatelevel>05</cfhf_updatelevel>
  <cfhf_buildnumber>330608</cfhf_buildnumber>
  <cfhf_technotelink>https://helpx.adobe.com/coldfusion/kb/coldfusion-2023-update-5.html</cfhf_technotelink>
  <cfhf_servers>
    <cfhf_server version="2023,0,0">
      <cfhf_downloadlink>https://cfdownload.adobe.com/pub/adobe/coldfusion/2023/updates/hotfix-005-330608.jar</cfhf_downloadlink>
      <cfhf_filename>hotfix-005-330608.jar</cfhf_filename>
      <cfhf_checksum>149975e2324eda2c9fb4c17506ba0fc6</cfhf_checksum>
      <cfhf_installinput/>
    </cfhf_server>
  </cfhf_servers>
  <pubDate>Friday, October 6, 2023</pubDate>
</item>
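As an added example (not part of the thread and not Adobe's code): a Python check that could be run on a hand-edited feed item like the one quoted above before the CF Admin is pointed at the edited file. It assumes `cfhf_checksum` is an MD5 hex digest (its 32-character length fits) and that `cfdownload.adobe.com` is the only acceptable download host; the function names, the sample jar bytes and the sample checksum are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Assumption: the only acceptable download host is the one quoted in the thread.
TRUSTED_HOST = "cfdownload.adobe.com"
# Constructed stand-in for the jar; the sample checksum is derived from it.
SAMPLE_JAR = b"constructed bytes standing in for the hotfix jar"
SAMPLE_ITEM = f"""<item><title>ColdFusion 2023 Update 5</title>
<cfhf_servers><cfhf_server version="2023,0,0">
<cfhf_downloadlink>https://cfdownload.adobe.com/pub/adobe/coldfusion/2023/updates/hotfix-005-330608.jar</cfhf_downloadlink>
<cfhf_filename>hotfix-005-330608.jar</cfhf_filename>
<cfhf_checksum>{hashlib.md5(SAMPLE_JAR).hexdigest()}</cfhf_checksum>
</cfhf_server></cfhf_servers></item>"""

def parse_item(item_xml):
    """Return one dict per <cfhf_server> inside a feed <item>."""
    item = ET.fromstring(item_xml)
    return [{
        "title": item.findtext("title", "").strip(),
        "url": server.findtext("cfhf_downloadlink", "").strip(),
        "filename": server.findtext("cfhf_filename", "").strip(),
        "checksum": server.findtext("cfhf_checksum", "").strip().lower(),
    } for server in item.iter("cfhf_server")]

def check_entry(entry):
    """List problems with a feed entry before anything is downloaded."""
    problems = []
    url = urlparse(entry["url"])
    if url.scheme != "https":
        problems.append("download link is not https")
    if url.hostname != TRUSTED_HOST:
        problems.append("download host is not " + TRUSTED_HOST)
    if PurePosixPath(url.path).name != entry["filename"]:
        problems.append("filename does not match the download link")
    digest = entry["checksum"]
    if len(digest) != 32 or set(digest) - set("0123456789abcdef"):
        problems.append("checksum is not 32 hex characters")
    return problems

def jar_matches(entry, jar_bytes):
    """Assumption: cfhf_checksum is the MD5 hex digest of the jar."""
    return hashlib.md5(jar_bytes).hexdigest() == entry["checksum"]

if __name__ == "__main__":
    for entry in parse_item(SAMPLE_ITEM):
        print(entry["title"], check_entry(entry) or "feed entry ok")
        print("jar matches checksum:", jar_matches(entry, SAMPLE_JAR))
```

Under that MD5 assumption, a matching digest catches a truncated or wrong file but says nothing about whether the feed entry itself was altered, which is why the scheme and host checks run on the entry first.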
Dave, were you finally able to see and get the updates?
Saurav, can you correct the reference to the Java version at the top of the technote for cf2021? It refers to Java 17.0.8 (like the cf2023 one does). But currently cf2021 supports only Java 11, so it should say Java 11.0.20, as that's the equivalent to 17.0.8--both new as of July, which introduced the need of the special jvm arg.
While you're at it the wording should say "or greater", for both Java versions, because a new jvm update is due this month and it will almost certainly carry forward this issue.
Finally, note how the cf2023 technote uses a box to highlight this issue discussed at the top while the cf2021 technote does not. A casual reader could miss that (as just a paragraph within the what's new section.)
There are some other inconsistencies about the two technotes, and I'll report that tomorrow if they remain by then.
Thank you Charlie. I've made the changes.
Thanks, Saurav. You'll want to modify the post to point out how the Docker/container images are indeed now available at both dockerhub and ECR (since you mentioned that at the end of the post).
Added at the beginning of the blog. Thanks a lot Charlie!