Pete Freitag

Updating Java on ColdFusion or Lucee

Updated: January 26, 2021
coldfusion

As a ColdFusion user you are probably aware that your CFML is compiled into Java byte code and executed by the Java Virtual Machine (JVM). Just like your Operating System or ColdFusion server needs to be patched for security issues, so does your JVM. Oracle typically releases a security patch for Java every quarter.

How do you know when Java Security Patches are released?

My HackMyCF service will send emails to customers when Oracle releases a new Java security patch with issues pertaining to server-side Java. HackMyCF can also continuously monitor the version of Java that your CF server is actually using and let you know in your report that it needs to be updated.

Here is a video showing how to update Java on ColdFusion 2018:

Links from the video:

What version of Java Should I be using?

  • ColdFusion 2018 - Shipped with Java 10, supports Java 11 as of CF2018 Update 2. You should be running Java 11 with CF2018. Java 8 may work, however it is not officially supported.
  • ColdFusion 2016 - Supports Java 11 (as of CF2016 Update 8) or Java 8.
  • ColdFusion 11 - Supports Java 8 - Adobe did not state that Java 11 was supported on CF11 when they added support in CF2016 and CF2018.
  • ColdFusion 10 - Supports Java 8 (as of Update 14)
  • ColdFusion 9 and below - Java 8 may work, but certain features (e.g. web services) may throw exceptions. Since these versions of CF have been EOL for many years you don't need to worry about official support (it is all unsupported). Java 6 and 7 were the officially supported versions for these releases.
  • Lucee < 5.2.9 - Java 8
  • Lucee > 5.2.9 - Java 11

From there you always want the latest update of the major version, so if your server should be running Java 11, you want the latest version of Java 11. Right now (as of March 2018) that is 11.0.2, but Oracle typically releases security updates each quarter.

Where should I download Java from?

If you are an Adobe ColdFusion customer you can download Oracle Java from Adobe's ColdFusion Downloads page. It may take them a few days to update this page when a new version comes out. If you don't want to wait or if you are running Lucee then you can use an OpenJDK based version such as:

How frequently should I update Java?

You should update whenever a security patch comes out for the version of Java you are running (typically quarterly).

Should I be running Java 9 or Java 10?

No - Java 9 and Java 10 are non-LTS releases (LTS means long term support). This means they were stepping stones to get to a stable release: Java 11.

Further support from Oracle for Java 9 ended in March 2018, and support for Java 10 ended in September 2018.

What about Java 12, 13, 14 or 15?

Java 12, 13, 14 or 15 may work where Java 11 works, but none of them are a long term support (LTS) version like version 11 is. Java 12, Java 13 and Java 14 are already unsupported (do not receive security patches).

You can read more about Java LTS and non-LTS releases here or see the Oracle support roadmap for more info.

What happens if I don't update Java?

Based on past experiences these are the things that end up happening when you stay on an old JVM:

  • Vulnerable to Security Issues - here are a few past examples:
    • Null byte file path vulnerability
    • Floating point crash - due to a bug in floating point operations you could crash a server just by sending a specific number (if that number were to be used as a numeric in the code).
    • Image Upload Crash - upload an image and process it with the Java image APIs and it would crash the server.
    • Your cacerts file becomes out of date. If a trusted certificate authority becomes compromised or untrusted, it is removed from cacerts in the next Java update, but if you do not update Java you will still be trusting its certificates.
    • And many more
  • Things like HTTPS start breaking - before you rush off to import certs into the keystore (that is a bad idea), know that updating the JVM will often fix HTTPS issues. Further changes to TLS protocols and supported ciphers can make a big difference in determining which servers you can connect to. For example, many HTTPS servers have disabled TLS 1.0 and 1.1 and require a minimum TLS version of 1.2. Java 6 doesn't support TLS 1.2, and Java 7 doesn't support it by default.
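
To check which JVM a CFML engine is actually running on and whether that JVM supports and enables TLS 1.2, the following is an added example (not code from the original post). The function names javaMajorVersion and jvmTlsReport are hypothetical, and the non-LTS list is the set of releases named in this article.

```cfml
<cfscript>
// Added example: report the JVM in use and its TLS protocol support.
// Run as a .cfm page on the server you want to check.

// Java 8 and earlier report versions like "1.8.0_281";
// Java 9 and later report versions like "11.0.10".
function javaMajorVersion(required string versionString) {
    var parts = listToArray(arguments.versionString, "._-+");
    if (arrayLen(parts) >= 2 && parts[1] == "1") {
        return val(parts[2]);   // legacy "1.x" scheme: major is the second part
    }
    return val(parts[1]);
}

function jvmTlsReport() {
    var system = createObject("java", "java.lang.System");
    // JVM-wide default TLS configuration (what outbound HTTPS uses by default)
    var ctx = createObject("java", "javax.net.ssl.SSLContext").getDefault();
    var supported = arrayToList(ctx.getSupportedSSLParameters().getProtocols());
    var enabled = arrayToList(ctx.getDefaultSSLParameters().getProtocols());
    var version = system.getProperty("java.version");
    var major = javaMajorVersion(version);

    return {
        javaVersion = version,
        javaVendor = system.getProperty("java.vendor"),
        // Confirms which JVM install the engine is really using after an update
        javaHome = system.getProperty("java.home"),
        majorVersion = major,
        // Releases this article lists as non-LTS
        nonLtsRelease = listFind("9,10,12,13,14,15", major) > 0,
        supportedProtocols = supported,
        enabledByDefault = enabled,
        // Supported but not enabled is the Java 7 situation described above
        tls12Supported = listFindNoCase(supported, "TLSv1.2") > 0,
        tls12EnabledByDefault = listFindNoCase(enabled, "TLSv1.2") > 0
    };
}

writeDump(var = jvmTlsReport(), label = "JVM and TLS status");
</cfscript>
```

Keep this page somewhere that is not publicly reachable, since the output discloses the exact JVM version and install path.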

Updating Java on ColdFusion or Lucee was first published on March 21, 2019.

Comments

Good stuff there, Pete. Thanks. I was thinking of doing a post just like this recently, with all the changes.

One tweak you should consider: cf2018 now ships with Java 11. It's true that the original installer did ship originally with Java 10 (and can be updated to Java 11 after update 2), the installer was refreshed as of February 12 2019 when update 2 shipped. So some people will find they are indeed running on Java 11 already. :-)
by Charlie Arehart on 04/05/2019 at 2:56:34 AM UTC
I tried updating the jetty.lax file to reference the version of Java I just updated to, but SOLR will not create collections after doing so. Message is: Error when creating SOLR collections: An error occurred while creating the collection: org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException.

Server Product: ColdFusion 2016
Version: 2016.0.16.320445
Java Version: 11.0.8
by Christopher Simmons on 08/10/2020 at 12:35:06 PM UTC
@Christopher - That's interesting, I have not seen that. Did you upgrade jetty from java 8 to java 11? May need to stick with Java 8 for jetty.
by Pete Freitag on 09/10/2020 at 7:47:16 PM UTC
Hey, Pete, the video you had embedded is not being shown (not the preview, not even the link). If we do a view source, we can see that something on your end (perhaps fuseguard?) changed the tag (perhaps embed?) to "invalidtag". If you correct that, you can delete this comment. One other thought would be to offer a link to the video, so that if ever the tag to preview the video ever fails, folks can still see the link to the video.

As always, just trying to help.
by charlie arehart on 01/25/2021 at 10:24:26 PM UTC
Thanks Charlie - I must have updated the blog entry and I had script protect enabled, which replaced the iframe with invalidtag.

BTW FuseGuard doesn't modify the request at all, it will only log or block the request. I've found that things that try to modify the request always end up frustrating the developer (like we just found here).
by Pete Freitag on 01/26/2021 at 2:54:01 PM UTC
Great point, and glad to hear it, as well as that you fixed this.

This raises a topic that may be of interest, for those who may use that feature: is there anything one can do to whitelist a page like this, where you wouldn't want it causing this trouble? Do you know? Or does anyone? :-) This is definitely off-topic for this post. If you may want to create a new one on it, I'm sure some people would find it interesting.
by charlie arehart on 01/26/2021 at 5:55:40 PM UTC
Good question Charlie, I've never tried it but I think you could probably do it in Application.cfc with the this.scriptProtect variable, conditionally set it to none for certain pages or URIs.
by Pete Freitag on 01/29/2021 at 4:27:57 PM UTC
Yep, that seems reasonable. I'm just curious: since it happened to you on this page, when you edited this post to correct that mistaken "protection" that was done, had you just turned off the scriptprotect entirely for your blog app? Might you consider trying that approach of doing it on a conditional basis, for your blog edit URL?

If it's that you have other priorities so can't now, that's understandable. I only ask both as it may help others (if it works or not) and most important it would help you, if you ever edit another blog post that has code that would get stripped/protected, if you forgot to turn it off globally then also. :-)
by charlie arehart on 01/29/2021 at 4:49:05 PM UTC
Interestingly enough Charlie - Google led me here due to a scriptprotect issue just some days after you posted this. I ran into the invalidtag issue on a new Lucee install and decided to tackle it differently than in the past, so left it on in administrator, and instead added <cfset this.scriptProtect="url,cookie,cgi"> to application.cfc for a password protected admin area, basically letting through submitted forms as long as the users are logged in. As it's used for a CMS type solution where videos are increasingly being embedded, I'm kind of stuck with this for now. But I think this is an acceptable compromise. I could lock it down even further based on URL, but it gets complicated quickly.
by Sam Daams on 02/03/2021 at 3:30:43 PM UTC
Good to hear, Sam. Thanks for the update.
by charlie arehart on 02/03/2021 at 5:58:16 PM UTC
