
UPDATE RELEASED: ColdFusion security updates 14 & 4 released for CF2021 & CF2018.

Adobe Employee, May 10, 2022

We are pleased to announce that we have released the updates for the following ColdFusion versions:

Note: The ColdFusion Add-Ons and lockdown installers are also refreshed. The refreshed installers are available at ColdFusion downloads.

In these updates, we've fixed a few security bugs, and upgraded Tomcat, along with other libraries.

These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB22-22.

The Docker images will be hosted shortly on Docker Hub.

Please update your ColdFusion versions and provide us with your valuable feedback.

Thanks,
Priyank Shrivastava

Topics: Security

Explorer, May 10, 2022

It appears that this hotfix is security related and not feature related. With CF2018 hotfix 12 we installed hf201800-4212383.jar for the query of queries issue that was introduced with that release. We had to manually apply it for CF2018 hotfix 13, as well. I suspect we have to apply it after this CF2018 hotfix 14, as well?

Thanks,

Jeff

Adobe Employee, May 10, 2022

Hi Jeff,

Yes, you have to re-apply that patch. You can find it in the backup directory, or you can copy it from the \ColdFusion2018\cfusion\lib\updates folder before you apply the hotfix.

Thanks,
Priyank Shrivastava

Community Expert, May 11, 2022

Hi, @Priyank Shrivastava!

Is this going to be the standard approach for patches in the future? I'm not sure if the QoQ hotfix is intended for everyone or just people running into a given problem.

Dave Watts, Eidolon LLC

Adobe Employee, May 11, 2022

Hi Dave,

We will try to maintain the standard and separate the updates in the future as well. For the QoQ patch, this is only for the users who encountered the problem and not for those who never used it.

However, if any user has applied any other private patch, they will have to re-apply that, because it will move that patch from the Updates folder to the backup directory.

Thanks,
Priyank Shrivastava

New Here, Jul 05, 2022

Regarding the QoQ issue, is there any reason this fix still has to be re-done after every update and a permanent fix is not put into an official update?

Community Beginner, May 10, 2022

CF2021u4 seems to break Query of Queries (again). I tried adding the hf202100-4212383.jar (a hotfix for a previous update that broke Query of Queries) and that seems to have fixed it.

@Priyank Shrivastava, would you call this a valid solution? Is it too late to add hf202100-4212383 to cf2021u4?

Attached you will find some stacktraces. Hope this helps.

Please advise...

Adobe Employee, May 10, 2022

Hi @jhansen-cf,

You need to re-apply the patch after you apply update 4 on your server. This security update does not have any other bug fixes. If you have already applied the QoQ patch and it is working, you are good to go.

Thanks,
Priyank Shrivastava

Community Expert, May 11, 2022

Thanks, @Priyank Shrivastava and team.

At last a Tomcat upgrade to 9.0.60, thereby averting the vulnerability CVE-2021-42340.

Good show!

 

 

Community Expert, May 12, 2022

@Priyank Shrivastava, could you please clear up one source of confusion? You will find the following on the security page, https://helpx.adobe.com/security/products/coldfusion/apsb22-22.html :

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**", in the respective startup file depending on the type of Application Server being used.

For example:

Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file

Consider the usual, standalone ColdFusion installation. That is, a ColdFusion installation that is not installed as a JEE web application deployed on a JEE application server such as WebLogic, Tomcat or WildFly.

The question is, do you have to apply the jdk.serialFilter flag to such a standalone ColdFusion?

Could you please clarify. Confusion arises because a standalone ColdFusion installation still runs on Tomcat, albeit not as a deployed JEE web application.

 

Adobe Employee, May 12, 2022

@BKBK If you have installed CF as standalone, then these flags are not required in jvm.config. These are only for J2EE deployment if you are using WebSphere, WebLogic, Tomcat, JBoss, etc.

I hope this answers your question.

Thanks,
Priyank Shrivastava
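
Added example, not code from the thread, Adobe or the JDK: a small Python evaluator for the jdk.serialFilter value quoted from APSB22-22 above, applying the JEP 290 pattern rules, together with a helper that reads the value out of a JAVA_OPTS line of the kind the bulletin tells JEE deployers to edit in Catalina.bat/sh. The class names and the JAVA_OPTS line are constructed; stripping whitespace around each pattern is this evaluator's assumption, not documented JVM behaviour.

```python
import re

# Filter value as quoted from APSB22-22 in the thread (JEE deployments only,
# per the Adobe reply above; a standalone install does not need it in jvm.config).
BULLETIN_FILTER = "!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**"

def parse_filter(spec):
    """Split a jdk.serialFilter value into ordered (reject, pattern) rules.
    Whitespace around each pattern is stripped here for convenience (an
    assumption of this evaluator, not a documented property of the JVM parser)."""
    rules = []
    for raw in spec.split(";"):
        pat = raw.strip()
        if not pat:
            continue
        reject = pat.startswith("!")
        rules.append((reject, pat[1:] if reject else pat))
    return rules

def pattern_matches(pat, class_name):
    """JEP 290 class-name pattern semantics (limits such as maxdepth are not handled)."""
    if pat.endswith(".**"):       # the package and every subpackage
        return class_name.startswith(pat[:-2])
    if pat.endswith(".*"):        # that package only, no subpackages
        prefix = pat[:-1]
        return class_name.startswith(prefix) and "." not in class_name[len(prefix):]
    if pat.endswith("*"):         # plain prefix on the fully qualified name
        return class_name.startswith(pat[:-1])
    return class_name == pat      # exact class

def evaluate(rules, class_name):
    """First matching rule decides: REJECTED or ALLOWED; UNDECIDED if none match.
    UNDECIDED classes are not blocked by this list; they fall through to the JVM's
    other checks, so a deny-only filter like the bulletin's is a targeted stopgap,
    not an allow-list."""
    for reject, pat in rules:
        if pattern_matches(pat, class_name):
            return "REJECTED" if reject else "ALLOWED"
    return "UNDECIDED"

def filter_from_java_opts(java_opts):
    """Extract the jdk.serialFilter value from a JAVA_OPTS-style line (None if absent).
    Accepts a double-quoted value (which may carry the bulletin's leading space) or a bare one."""
    m = re.search(r'-Djdk\.serialFilter=\s*(?:"([^"]*)"|([^\s"]+))', java_opts)
    if not m:
        return None
    return (m.group(1) if m.group(1) is not None else m.group(2)).strip()

# Constructed sample: a catalina.sh-style JAVA_OPTS line carrying the bulletin's filter.
SAMPLE_JAVA_OPTS = 'JAVA_OPTS="$JAVA_OPTS -Xmx2g -Djdk.serialFilter=' + BULLETIN_FILTER + '"'

def audit(java_opts, class_names):
    """Map each class name to the decision the filter found in java_opts would take."""
    spec = filter_from_java_opts(java_opts)
    rules = parse_filter(spec) if spec else []
    return {cls: evaluate(rules, cls) for cls in class_names}
```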

Community Expert, May 12, 2022

Thanks, @Priyank Shrivastava. Yes, you've answered my question.

Community Expert, May 12, 2022

Priyank, this is indeed a frequent source of confusion with folks. I see or hear it often. Could you guys revisit that paragraph (for this and all technotes) to add even just a sentence or two to explain things for folks on typical deployments, who are always left wondering (if not savvy about the J2EE distinction)?

/Charlie (troubleshooter, carehart.org)

Adobe Employee, May 12, 2022

Hi Charlie, let me see what I can do about that.

Thanks,
Priyank Shrivastava

New Here, Jun 14, 2022

Two questions:

1. How come your Update 4 details on https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-updates.html do not include a "Hotfix and packages repository", which your instructions expect - hence the instruction to "Unzip the repository"?

2. Have you updated any base installers that include Update 4? Or are we expected to apply the hotfix even if we download the latest installers? If you do have an updated installer (in my case the "Adobe ColdFusion 2021 Windows 64 Bit GUI Installer"), where would I find it?

New Here, Jun 28, 2022

Any chance of a reply from Adobe?

Community Expert, Jun 28, 2022

They may have already provided that information in the thread.

Dave Watts, Eidolon LLC

Adobe Employee, Jun 28, 2022

@raspin We did not make any changes that require the packages to be updated, hence there is no repository in update 4. If you have applied update 3, then you can directly install update 4 without any repository; however, if you are on update 2, then you have to download the packages for update 3, and only then can you apply update 4.

We have not refreshed the installers in this update.

I hope this answers your question.

Thanks,
Priyank Shrivastava

New Here, Jun 29, 2022

The spaghetti instructions of your last post pretty much sum up the problem here. Why not just include everything that is needed for update 4 in update 4? We have hotfixes scripted so if you suddenly decide to change the method (by not including all that is needed in the latest hotfix) it just breaks the pattern. At the very least update your instructions, which still refer to "unzipping", where there is nothing to unzip in update 4.

New Here, Jun 29, 2022

In the absence of an updated packages file I have created one using the packages from update 3 and re-archived with update 4. It seems to update successfully according to CF's own reporting. This might seem trivial and unnecessary but with automated deployments consistency is vital. So, I would urge Adobe to release both versions of the update with each hotfix or otherwise mention this difference in the instructions, which are currently incorrect. In the unlikely event someone out there needs this packages file I would be happy to provide.

Community Beginner, Jul 28, 2022

I have the following problem: After installing update 14 (CF 2018 release, Windows Server 2016, patched), the CF service starts normally but it is no longer possible to access it.

- Connecting to the CF internal webserver throws an error 500
- Connection through IIS triggers the following error in isapi_redirect.log:

[info] jk_open_socket::jk_connect.c (816): connect to 127.0.0.1:8018 failed (errno=61)
[info] ajp_connect_to_endpoint::jk_ajp_common.c (1140): (cfusion) Failed opening socket to (127.0.0.1:8018) (errno=61)
[error] ajp_send_request::jk_ajp_common.c (1811): (cfusion) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=61)
[info] ajp_service::jk_ajp_common.c (2982): (cfusion) sending request to tomcat failed (recoverable), because of error during request sending (attempt=2)
[error] ajp_service::jk_ajp_common.c (3003): (cfusion) connecting to tomcat failed (rc=-3, errors=10, client_errors=4).

I've tried different things:
- Uninstall the update manually (CF Admin not available): no change
- Rollback + installing the update manually: same result
- Updating the connector, adopting various working settings from our testing system (where the security update 14 was no problem): unfortunately no success

My questions:
- Is there also a log file from the CF internal webserver?
- I suspect there is a problem with the Tomcat 9.0.60 update. Are there any specific logs or test possibilities to identify the problem?

Thanks,
Patrick

Adobe Employee, Jul 29, 2022

Hi Patrick,

Could you please try to start ColdFusion from the command prompt and share the output here?

Open the command prompt as admin, navigate to the \ColdFusion2018\cfusion\bin folder, run cfstart.bat and share the output.

As per the connector logs, it appears that the binding is failing. Try adding the IP address in server.xml and worker.properties and see if it helps.

Error:

[info] jk_open_socket::jk_connect.c (816): connect to 127.0.0.1:8018 failed (errno=61)

Add the IP address of the machine instead of localhost in worker.properties as shown below:

Example:

worker.cfusion.type=ajp13
worker.cfusion.host=IP-address-of server

Server.xml: Add the "address" attribute in the connector protocol with the IP address as shown below:

Example:

    <Connector protocol="AJP/1.3" port="8020" address="IP-address-of server" redirectPort="8453" secret="xxxx-xxxxxx-xxxxx-xxxx-xxxx" maxThreads="500" connectionTimeout="60000" tomcatAuthentication="false"/>

Restart both web server and CF and check if it helps.

Thanks,

Vikram
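
An added diagnostic, not code from the thread, Adobe or Tomcat, that turns the suggestion above into a check: it pulls the refused endpoint out of the isapi_redirect.log lines quoted earlier, reads the worker's host and port from worker.properties and the AJP Connector's address and port from server.xml, and reports whether the two sides agree. All three inputs are constructed samples; port 8018 and the "IP-address-of server" placeholder are the thread's, and 192.0.2.10 is a documentation address standing in for the machine's IP.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs. The log lines are the ones quoted in the thread; the
# two config files are made up to reproduce the case Vikram's fix targets: the
# ISAPI worker dials localhost while the AJP Connector is bound to one address.
SAMPLE_ISAPI_LOG = """\
[info] jk_open_socket::jk_connect.c (816): connect to 127.0.0.1:8018 failed (errno=61)
[info] ajp_connect_to_endpoint::jk_ajp_common.c (1140): (cfusion) Failed opening socket to (127.0.0.1:8018) (errno=61)
[error] ajp_send_request::jk_ajp_common.c (1811): (cfusion) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=61)
"""
SAMPLE_WORKER_PROPERTIES = """\
worker.list=cfusion
worker.cfusion.type=ajp13
worker.cfusion.host=localhost
worker.cfusion.port=8018
"""
SAMPLE_SERVER_XML = """\
<Server><Service name="Catalina">
  <Connector protocol="AJP/1.3" port="8018" address="192.0.2.10" redirectPort="8453"
             secret="PLACEHOLDER-SECRET" maxThreads="500" connectionTimeout="60000"
             tomcatAuthentication="false"/>
</Service></Server>
"""

CONNECT_FAIL = re.compile(r"connect to (\S+?):(\d+) failed \(errno=(\d+)\)")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def failed_endpoints(log_text):
    """Distinct (host, port) pairs the ISAPI redirector reported it could not connect to."""
    return sorted({(h, int(p)) for h, p, _ in CONNECT_FAIL.findall(log_text)})

def worker_endpoint(props_text, worker="cfusion"):
    """(host, port) the named worker dials; mod_jk defaults to localhost and AJP port 8009."""
    kv = dict(re.findall(r"^\s*([\w.]+)\s*=\s*(\S+)", props_text, re.M))
    return kv.get(f"worker.{worker}.host", "localhost"), int(kv.get(f"worker.{worker}.port", 8009))

def ajp_connectors(server_xml_text):
    """(address, port) of every AJP Connector; address None means Tomcat binds all interfaces."""
    root = ET.fromstring(server_xml_text)
    return [(c.get("address"), int(c.get("port"))) for c in root.iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")]

def check_binding(props_text, server_xml_text, worker="cfusion"):
    """List the reasons the worker cannot reach the Connector; empty means the pair is consistent."""
    host, port = worker_endpoint(props_text, worker)
    connectors = ajp_connectors(server_xml_text)
    findings = [] if connectors else ["no AJP Connector defined in server.xml"]
    for addr, cport in connectors:
        if cport != port:
            findings.append(f"port mismatch: worker dials {port}, Connector listens on {cport}")
            continue
        same = addr == host or (addr in LOOPBACK and host in LOOPBACK)
        if addr not in (None, "0.0.0.0", "::") and not same:
            findings.append(f"address mismatch: Connector bound to {addr} only, worker dials {host}")
        if addr and "IP-address" in addr:
            findings.append("placeholder 'IP-address-of server' still present in server.xml")
    return findings
```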

 

Community Expert, Jul 29, 2022

Adding to Vikram's suggestions (which may alone get you going), what cf2018 update had you been on before trying 14? That may suggest other considerations.

And since you're on Windows, when you ran the manual update from the command line, did you "run as admin"? Did you stop all the cf services (the update should do it, but you could for good measure)?

Finally, I would recommend also that you look at the cf update log. One will have been created for each install or uninstall, in the cfusion/hf-updates folder for that update. Look for the count of fatalerrors. For more, see a post I did:

"How to solve common problems with applying ColdFusion updates (in 10 and above)" https://www.carehart.org/blog/2016/9/6/solve_common_problems_with_CF_updates_in_10_and_above

Let us know if any of our suggestions help.

/Charlie (troubleshooter, carehart.org)

Community Beginner, Jul 29, 2022

Hi Vikram, hi Charlie,

Thank you very much for your valued replies!

Regarding the installation:
- update 13 is currently installed
- the update 14 installation log showed no errors or warnings:

Installation: Successful.

3438 Successes
0 Warnings
0 NonFatalErrors
0 FatalErrors

- I ran it from the command line with admin rights (CF + IIS services down)

I will try and check it again in 2 weeks (maintenance window), especially adding the ip address to the connector/server.xml. But I'm not sure if it's really a connector problem, because I can't access the internal webserver either. Maybe the prompt shows more information then.

Thanks for your help - I will report again 😉
Patrick

Community Expert, Jul 29, 2022

All great to hear. Yep, an update from 13 to 14 should be uneventful. And there should be no need of any connector update (it did not change with 14), nor should there be any NEED of a change to the server.xml (but Vikram's suggestion is still worth trying).

That said, how long had it been since you restarted the cf instance, BEFORE the update? I ask because your issue may not be with the update, but with some change made to cf or its config files (including that server.xml) that was made previously but would not take effect until a cf restart. It's worth checking.

And either way, you asked about a log for the internal web server. There's no separate one, as it starts up "within" cf (as it were). So look to the coldfusion-out.log and coldfusion-error.log, for the lines during cf startup (when you have this problem), to see what it may complain about. There may be an issue with some config file that might be obvious. Let us know if you see something but can't connect the dots.


/Charlie (troubleshooter, carehart.org)
