Updating Java on ColdFusion or Lucee
As a ColdFusion user you are probably aware that your CFML is compiled into Java byte code and executed by the Java Virtual Machine (JVM). Just like your Operating System or ColdFusion server needs to be patched for security issues, so does your JVM. Oracle typically releases a security patch for Java every quarter.
How do you know when Java Security Patches are released?
My HackMyCF service will send emails to customers when Oracle releases a new Java security patch with issues pertaining to server side java. HackMyCF can also continuously monitor the version of java that your CF server is actually using and let you know in your report that it needs to be updated.
Here is a video showing how to update Java on ColdFusion 2018:
Links from video:
What version of Java Should I be using?
- ColdFusion 2018 - Shipped with Java 10, supports Java 11 as of CF2018 Update 2. You should be running Java 11 with CF2018. Java 8 may work, however it is not officially supported.
- ColdFusion 2016 - Supports Java 11 (as of CF2016 Update 8) or Java 8.
- ColdFusion 11 - Supports Java 8 - Adobe did not state that Java 11 was supported on CF11 when they added support in CF2016 and CF2018.
- ColdFusion 10 - Supports Java 8 (as of Update 14)
- ColdFusion 9 and below - Java 8 may work, but certain features (eg web services) may throw exceptions. Since these versions of CF have been EOL for many years you don't need to worry about official support (it is all unsupported). Java 6 and 7 was the officially supported version for these releases.
- Lucee < 5.2.9 - Java 8
- Lucee > 5.2.9 - Java 11
From there you always want the latest update of the major version, so if your server should be running Java 11, you want the latest version of Java 11. Right now (as of March 2018) that is 11.0.2, but Oracle typically releases security updates each quarter.
Where should I download Java from?
If you are an Adobe ColdFusion customer you can download Oracle Java from Adobe's ColdFusion Downloads page. It may take them a few days to update this page when a new version comes out. If you don't want to wait or if you are running Lucee then you can use an OpenJDK based version such as:
How frequently should I update Java?
You should update whenever a security patch comes out for the version of java you are running (typically quarterly).
Should I be running Java 9 or Java 10?
No - Java 9 and Java 10 are non-LTS releases (LTS means long term support), this means they were stepping stones to get to a stable release... Java 11.
Further support from Oracle for Java 9 ended in March 2018, and support for Java 10 ended in September 2018.
What about Java 12, 13 or 14?
Java 12, 13 or 14 may work where Java 11 works, but none of them are a long term support (LTS) version like version 11 is. Java 12 and Java 13 are already unsupported (do not receive security patches).
What happens if I don't update Java?
Based on past experiences these are the things that end up happening when you stay on an old JVM:
- Vulnerable to Security Issues - here are a few past examples:
- Null byte file path vulnerability
- Floating point crash - due to a bug in floating point operations you could crash a server just by sending a specific number (if that number were to be used as a numeric in the code).
- Image Upload Crash - upload an image and process it with java image api's and it would crash the server.
- Your cacerts becomes out of date, so if a trusted certificate authority becomes compromised, or untrusted it would be removed from cacerts in the next java update. But if you do not update java you will still be trusting these certs.
- And many more
- Things like HTTPS start breaking - before you rush off to import certs into the keystore (that is a bad idea), know that updating the JVM will often fix https issues. Further changes to TLS protocols and supported ciphers can make a big difference in determining what servers you can connect to. For example many https servers have disabled TLS 1.0, 1.1 and require a minimum TLS version of 1.2. If you are running Java 6 it doesn't support TLS 1.2, java 7 doesn't support it by default.
Like this? Follow me ↯Tweet Follow @pfreitag
Updating Java on ColdFusion or Lucee was first published on March 21, 2019.
If you like reading about coldfusion, java, jvm, lucee, or oracle then you might also like:
- Getting Size of Heap and Non Heap Memory in CFML
- Adobe Says Go Ahead and Upgrade your ColdFusion JVM
- What's New in Java 7?
- OutOfMemoryError - GC overhead limit exceeded
- Cheat Sheet Roundup - Over 30 Cheatsheets for developers
- Travis CI Error when installing oraclejdk8
- Running CFML on AWS Lambda with FuseLess Slides
- Tomcat Java 10 on Windows CreateJavaVM Failed
The FuseGuard Web Application Firewall for ColdFusion & CFML is a high performance, customizable engine that blocks various attacks against your ColdFusion applications.