I am trying to update our ColdFusion server from version 13 to 14, and then to 15. We are running on Windows Server 2022 and using the latest version of IIS. Whenever I try to update from the admin portal I get "There were errors in the previous install of this update.Please refer to the logs in the folder E:\bundles\updateinstallers\ and fix the root cause before re-applying the hotfix again."
The log files show the following errors:
Moving files failed:
Status: FATAL ERROR
Additional Notes: FATAL ERROR - Could not move the file ..\cfusion\lib\updates\chf20210013.jar to the backup location ..\cfusion\hf-updates\hf-2021-00014-330296\backup\lib\updates\chf20210013.jar
Failed to copy hotfix files:..Users\myUser\877626.tmp\dist\cfusion\..\bundles\bundlesdependency.json
Status: FATAL ERROR
Additional Notes: FATAL ERROR - Failed to copy the hotfix files to the target location:..\cfusion\..\bundles\bundlesdependency.json
FATAL ERROR - ..\cfusion\..\bundles\bundlesdependency.json (Access is denied)
Failed to copy hotfix files:..\Users\myUser\877626.tmp\dist\cfusion\..\config\cfsetup\cfsetup.bat
Status: FATAL ERROR
Additional Notes: FATAL ERROR - Failed to copy the hotfix files to the target location:..\cfusion\..\config\cfsetup\cfsetup.bat
FATAL ERROR - E:\cfusion\..\config\cfsetup\cfsetup.bat (Access is denied)
Failed to copy hotfix files:..\Users\myuser\877626.tmp\dist\cfusion\..\config\cfsetup\cfsetup.jar
Status: FATAL ERROR
Additional Notes: FATAL ERROR - Failed to copy the hotfix files to the target location:..\cfusion\..\config\cfsetup\cfsetup.jar
FATAL ERROR - ..\cfusion\..\config\cfsetup\cfsetup.jar (Access is denied)
Failed to copy hotfix files:..\Users\myUser\877626.tmp\dist\cfusion\..\config\cfsetup\findjava.bat
Status: FATAL ERROR
Additional Notes: FATAL ERROR - Failed to copy the hotfix files to the target location:..\cfusion\..\config\cfsetup\findjava.bat
FATAL ERROR - ..\cfusion\..\config\cfsetup\findjava.bat (Access is denied)
Failed to copy hotfix files:..\Users\myUsers\877626.tmp\dist\cfusion\..\config\cfsetup\log4j.properties
Status: FATAL ERROR
Additional Notes: FATAL ERROR - Failed to copy the hotfix files to the target location:..\cfusion\..\config\cfsetup\log4j.properties
FATAL ERROR - ..\cfusion\..\config\cfsetup\log4j.properties (Access is denied)
Failed to copy hotfix files:..\Users\myUser\877626.tmp\dist\cfusion\..\config\cfsetup\proposedSettings.json
Status: FATAL ERROR
Additional Notes: FATAL ERROR - Failed to copy the hotfix files to the target location:..\cfusion\..\config\cfsetup\proposedSettings.json
FATAL ERROR - ..\cfusion\..\config\cfsetup\proposedSettings.json (Access is denied)
Everything else shows successful but the server still shows version 13 is running. When I installed ColdFusion I ran the lockdown tool and updated the Java version. I have made sure that the ColdFusion user account "myuser" has permissions to all of the paths shown and that all of the files and all of the directories exist. I have also tried manually stopping the server and all related services, including IIS, and running the update jar as admin, but I keep getting the same errors.
Any help is greatly appreciated.
On reading this I initially thought: a permissions issue. But you say that permissions have been taken care of. So let's assume for the moment that the cause is something other than permissions.
The "Access is denied" message can also mean that two separate processes are simultaneously trying to gain access to the file. Hence the following questions:
BKBK, I agree with your proposed root cause to Mark's problem: that it seems another process is locking the files in question. But I would propose a different solution. (I really doubt the explanation will be in possible differences regarding the jvm version, bitness, or provenance).
Instead, Mark, I'd propose you look at task manager very carefully the next time you're ready to try this. Having stopped cf and the related cf services, do there remain ANY processes with the name coldfusion.exe or java.exe? (Look in the DETAILS tab rather than PROCESSES, and sort the list by process/image name.) If any remain, stop them. If you can't tell how to stop them using their normal means, right-click and use "end process" on them.
Now that you have NO processes called coldfusion.exe or java.exe, run the cf update again. (Running from the command line as admin would be wise, to rule out still other possible issues.)
Does this allow the update to run? If so, great. (There's more that could be said to better understand what were those processes that you had to kill. Adding a new column to the task manager details tab to see the "command line" for the process could help, but I'll wait to see if you or anyone needs details on that.)
If this approach does not help, please confirm that also. There WILL be a solution. I've helped hundreds of people find and resolve what seemed insurmountable cf update challenges.
A couple other things in closing: you mentioned going to update 14 and then 15. As you may know they're cumulative, so there's no reason you MUST do them one at a time if you're going to do each right after the other (though some may still opt to regard each as its own checkpoint).
Also, beware an issue regarding update 15 and a need to reinstall several packages it removes by mistake. See the "known issue" at the top of its technote, or more in comments on my blog post about the update last month (carehart.org/blog). Then too I have posts on matters related to updates 14 and 13 (and their cf2023 counterparts).
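Added example, not part of the posts above: a PowerShell version of the process check described in this reply, plus a probe that tells apart the three states this thread debates for an update target (file missing, ACL denial, file held open by another process). The sample paths are assumptions resolved from the partially redacted log lines; substitute your own.

```powershell
# Added example; function names are hypothetical, not part of ColdFusion.
function Get-LingeringCfProcess {
    # Same view as Task Manager's Details tab with the "Command line" column:
    # every coldfusion.exe / java.exe still running after the services stop.
    Get-CimInstance Win32_Process -Filter "Name='coldfusion.exe' OR Name='java.exe'" |
        Select-Object ProcessId, Name, CommandLine
}

function Test-UpdateTarget {
    param([Parameter(Mandatory)][string]$Path)

    # A file that is simply absent is reported separately from a denial.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'Missing' }
    try {
        # Exclusive open (FileShare None) fails if any other handle is open.
        $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $fs.Dispose()
        return 'Writable'
    } catch {
        $inner = $_.Exception.GetBaseException()
        # ACL denial or read-only attribute
        if ($inner -is [System.UnauthorizedAccessException]) { return 'AccessDenied' }
        # Sharing violation: another process has the file open
        if ($inner -is [System.IO.IOException]) { return 'LockedOrInUse' }
        throw
    }
}

# Run from an elevated prompt after stopping the ColdFusion services.
Get-LingeringCfProcess | Format-List

# Assumed paths, resolved from the "..\cfusion\..\" entries in the log.
$targets = @(
    'E:\cfusion\lib\updates\chf20210013.jar',
    'E:\bundles\bundlesdependency.json',
    'E:\config\cfsetup\cfsetup.jar'
)
$targets | ForEach-Object {
    [pscustomobject]@{ Path = $_; State = Test-UpdateTarget -Path $_ }
}
```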
@Charlie Arehart , Ignore the bit about bitness in my original message. It was a remnant of a previous idea, which I have now deleted. When Mark tells us the Java version, we will know its bitness.
Here is the information from my System Information page in the Administrator portal:
Server Details | |
Server Product | ColdFusion (2021 Release) |
Version | 2021.0.13.330296 |
Tomcat Version | 9.0.85.0 |
Edition | Standard |
Operating System | Windows Server 2022 |
OS Version | 10.0 |
Update Level | E:/cfusion/lib/updates/chf20210014.jar |
Adobe Driver Version | 5.1.4 (Build 0001) |
JVM Details | |
Java Version | 11.0.21 |
Java Vendor | Oracle Corporation |
Java Vendor URL | https://openjdk.java.net/ |
Java Home | ..\JavaCurrent |
Java File Encoding | Cp1252 |
Java Default Locale | en_US |
File Separator | \ |
Path Separator | ; |
Line Separator | Chr(13) |
User Name | myuser |
User Home | C:\Users\myUser |
User Dir | ..:\cfusion\bin |
Java VM Specification Version | 11 |
Java VM Specification Vendor | Oracle Corporation |
Java VM Specification Name | Java Virtual Machine Specification |
Java VM Version | 11.0.21+9-LTS-193 |
Java VM Vendor | Oracle Corporation |
Java VM Name | Java HotSpot(TM) 64-Bit Server VM |
Java Specification Version | 11 |
Java Specification Vendor | Oracle Corporation |
Java Specification Name | Java Platform API Specification |
Java Class Version | 55.0 |
I redacted some of the path information, but I verified all of the paths showing are correct. I can't recall if I downloaded LTS Java from the Adobe site. It's very possible that I downloaded a newer version for security concerns. The current Java version is in a directory named JavaCurrent, which is in the same path as the directory jre which came in the ColdFusion installation file. The version in the jre directory is 11.0.1.
I do not have any processes with coldfusion or java in their name. I checked for any processes that might be using the directory, but can't find any. This is being run on a virtual machine, if that is of any consideration. The last time I updated was when I did a fresh install on this system. I had originally tried to do update 15; when it failed, I reverted to a backup snapshot just in case it did any harm. I had also heard about the issues with update 15 and wanted to rule that out as a factor in all this. I also confirmed the snapshot was good before starting with update 14. The configurations I have made to the server since the last time I updated are following the coldfusion-2021-lockdown-guide, updating the Java version, and doing the following IIS hardening:
1. Basic Configurations
1.1. Ensure web content is on non-system partition
1.2. Ensure 'host headers' are on all sites
1.3. Ensure 'directory browsing' is set to disabled
1.4. Ensure 'Application pool identity' is configured for all application pools
1.5. Ensure 'unique application pools' is set for sites
1.6. Ensure 'application pool identity' is configured for anonymous user identity
1.7. Ensure WebDav feature is disabled

2. Configure Authentication and Authorization
2.1. Ensure 'global authorization rule' is set to restrict access
2.2. Ensure access to sensitive site features is restricted to authenticated principals only
2.3. Ensure 'forms authentication' requires SSL
2.4. Ensure 'forms authentication' is set to use cookies
2.5. Ensure 'cookie protection mode' is configured for forms authentication
2.6. Ensure transport layer security for 'basic authentication' is configured
2.7. Ensure 'passwordFormat' is not set to clear
2.8. Ensure 'credentials' are not stored in configuration files

3. ASP.NET Configuration Recommendations
3.1. Ensure 'deployment method retail' is set
3.2. Ensure 'debug' is turned off
3.3. Ensure custom error messages are not off
3.4. Ensure IIS HTTP detailed errors are hidden from displaying remotely
3.5. Ensure ASP.NET stack tracing is not enabled
3.6. Ensure 'httpcookie' mode is configured for session state
3.7. Ensure 'cookies' are set with HttpOnly attribute
3.8. Ensure 'MachineKey validation method - .Net 3.5' is configured
3.9. Ensure 'MachineKey validation method - .Net 4.5' is configured
3.10. Ensure global .NET trust level is configured
3.11. Ensure X-Powered-By Header is removed
3.12. Ensure Server Header is removed

4. Request Filtering and other Restriction Modules
4.1. Ensure 'maxAllowedContentLength' is configured
4.2. Ensure 'maxURL request filter' is configured
4.3. Ensure 'MaxQueryString request filter' is configured
4.4. Ensure non-ASCII characters in URLs are not allowed
4.5. Ensure Double-Encoded requests will be rejected
4.6. Ensure 'HTTP Trace Method' is disabled
4.7. Ensure Unlisted File Extensions are not allowed
4.8. Ensure Handler is not granted Write and Script/Execute
4.9. Ensure ‘notListedIsapisAllowed’ is set to false
4.10. Ensure ‘notListedCgisAllowed’ is set to false
4.11. Ensure ‘Dynamic IP Address Restrictions’ is enabled

5. IIS Logging Recommendations
5.1. Ensure Default IIS web log location is moved
5.2. Ensure Advanced IIS logging is enabled
5.3. Ensure ‘ETW Logging’ is enabled

6. FTP Requests
6.1. Ensure FTP requests are encrypted
6.2. Ensure FTP Logon attempt restrictions is enabled

7. Transport Encryption
7.1. Ensure HSTS Header is set
7.2. Ensure SSLv2 is Disabled
7.3. Ensure SSLv3 is Disabled
7.4. Ensure TLS 1.0 is Disabled
7.5. Ensure TLS 1.1 is Disabled
7.6. Ensure TLS 1.2 is Enabled
7.7. Ensure NULL Cipher Suites is Disabled
7.8. Ensure DES Cipher Suites is Disabled
7.9. Ensure RC4 Cipher Suites is Disabled
7.10. Ensure AES 128/128 Cipher Suite is Disabled
7.11. Ensure AES 256/256 Cipher Suite is Enabled
7.12. Ensure TLS Cipher Suite Ordering is Configured

Table 1.2 provides a high level overview of the OWASP benchmarks
Table 1.2: OWASP IIS 10 Security Configuration Controls
1.1 Basic Configuration
1.1.1 Disable directoryBrowsing
1.1.2 Avoid wildcard host headers
1.1.3 Ensure applicationPoolIdentity is configured for all application pools
1.1.4 Use an unique applicationPool per site
1.1.5 Disable IIS detailed error page from displaying remotely

1.2 Request Filtering
1.2.1 Configure maxAllowedContentLength
1.2.2 Configure maxURL request filter
1.2.3 Configure maxQueryString request filter
1.2.4 Reject non-ASCII characters in URLs
1.2.5 Reject double-encoded requests
1.2.6 Disable HTTP trace requests
1.2.7 Disallow unlisted file extensions
1.2.8 Enable Dynamic IP Address Restrictions

1.3 Transport Encryption
1.3.1 SSL/TLS settings are controlled at the SChannel level. They are set machine wide and IIS respects these values
1.3.2 A list of recommendations for IIS
1.3.2.1 Disable SSL v2/v3
1.3.2.2 Disable TLS 1.0
1.3.2.3 Disable TLS 1.1
1.3.2.4 Ensure TLS 1.2 is enabled
1.3.2.5 Disable weak cipher suites (NULL cipher suites, DES cipher suites, RC4 cipher suites, Triple DES, etc)
1.3.2.6 Ensure TLS cipher suites are correctly ordered

1.4 HSTS support
1.4.1 IIS recently (Windows Server 1709+) added turnkey support for HSTS

1.5 CORS support
1.5.1 Implement OWASP IIS CORS configuration module if your application does not natively handle CORS.

I have run the update from the command line as admin and get the same errors. I went ahead and gave my ColdFusion user (myUser) full control over the entire drive where it is installed and still get the same result.
Thank you for providing me help with this.
Hi @Mark33214390u893 ,
The table shows that, although the update level is chf20210014.jar, the ColdFusion installation is still at the level of Update 13 (Version = 2021.0.13.330296). In other words, the attempt at Update 14 failed.
You could try doing Update 14 again, manually.
See the suggestions on manually updating to CF2021 Update 13 that I gave a fellow developer some months ago.
Thank you for the instructions. While this initially didn't work, I was looking in the unzipped repository and noticed this time around that some of the files in the path didn't exist. Step 3 of the manual update at https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-15.html says to:
Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerReposityUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.
I noticed I didn't have a bundlesdependency.json in the location after using the extract option in Windows Server 2022 to unzip the repository. After comparing with our repository directory for version 13, I also noticed other files were missing as well. I think there is an issue with the unzipping process, specifically the built-in function in our Windows Server. I instead used 7zip and the files are all now there, which leads me to believe that "Access Denied" might actually mean "File or folder not found". I just tried manually again and it worked! I will be testing to make sure, but I think this solved it. Thanks everyone for your help!
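Added example, not part of the post above: a PowerShell check that compares every entry in the downloaded update repository zip against the extracted folder, so an incomplete extraction like the one described here is caught before the manual update is run. The function name and both paths are placeholders, and it assumes the extraction folder corresponds to the root of the zip.

```powershell
# Added example; Compare-ZipToExtraction is a hypothetical helper name.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Compare-ZipToExtraction {
    param(
        [Parameter(Mandatory)][string]$ZipPath,
        [Parameter(Mandatory)][string]$ExtractedRoot
    )
    # .NET does not follow PowerShell's current location, so resolve first.
    $zipFull = (Resolve-Path -LiteralPath $ZipPath).Path
    $zip = [System.IO.Compression.ZipFile]::OpenRead($zipFull)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -eq '') { continue }   # directory entry, no file data

            # Zip entries use '/' separators; map them to a Windows path.
            $target = Join-Path $ExtractedRoot ($entry.FullName -replace '/', '\')
            $item = Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue

            if (-not $item) {
                [pscustomobject]@{ Entry = $entry.FullName; Problem = 'Missing' }
            } elseif ($item.Length -ne $entry.Length) {
                # Present but truncated or otherwise different in size
                [pscustomobject]@{ Entry = $entry.FullName; Problem = 'SizeMismatch' }
            }
        }
    } finally {
        $zip.Dispose()
    }
}

# Placeholder paths: point these at your downloaded zip and extraction folder.
$problems = Compare-ZipToExtraction -ZipPath 'D:\downloads\<update-repository>.zip' `
                                    -ExtractedRoot 'D:\cf-update-repo'
if ($problems) { $problems | Format-Table -AutoSize }
else { 'Extraction matches the archive.' }

# The file that "packagesurl" in neo_updates.xml must point to:
Test-Path -LiteralPath 'D:\cf-update-repo\bundles\bundlesdependency.json'
```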
I am glad to hear that you finally managed to install the update. Thanks for sharing your experience and solution.