Updating Java on ColdFusion or Lucee
As a ColdFusion user you are probably aware that your CFML is compiled into Java byte code and executed by the Java Virtual Machine (JVM). Just like your Operating System or ColdFusion server needs to be patched for security issues, so does your JVM. Oracle typically releases a security patch for Java every quarter.
How do you know when Java Security Patches are released?
My HackMyCF service will send emails to customers when Oracle releases a new Java security patch with issues pertaining to server side java. HackMyCF can also continuously monitor the version of java that your CF server is actually using and let you know in your report that it needs to be updated.
Here is a video showing how to update Java on ColdFusion 2018:
Links from the video:
What version of Java Should I be using?
- ColdFusion 2018 - Shipped with Java 10, supports Java 11 as of CF2018 Update 2. You should be running Java 11 with CF2018. Java 8 may work, however it is not officially supported.
- ColdFusion 2016 - Supports Java 11 (as of CF2016 Update 8) or Java 8.
- ColdFusion 11 - Supports Java 8 - Adobe did not state that Java 11 was supported on CF11 when they added support in CF2016 and CF2018.
- ColdFusion 10 - Supports Java 8 (as of Update 14)
- ColdFusion 9 and below - Java 8 may work, but certain features (eg web services) may throw exceptions. Since these versions of CF have been EOL for many years you don't need to worry about official support (it is all unsupported). Java 6 and 7 was the officially supported version for these releases.
- Lucee < 5.2.9 - Java 8
- Lucee > 5.2.9 - Java 11
From there you always want the latest update of the major version, so if your server should be running Java 11, you want the latest version of Java 11. Right now (as of March 2018) that is 11.0.2, but Oracle typically releases security updates each quarter.
Where should I download Java from?
If you are an Adobe ColdFusion customer you can download Oracle Java from Adobe's ColdFusion Downloads page. It may take them a few days to update this page when a new version comes out. If you don't want to wait or if you are running Lucee then you can use an OpenJDK based version such as:
How frequently should I update Java?
You should update whenever a security patch comes out for the version of java you are running (typically quarterly).
Should I be running Java 9 or Java 10?
No - Java 9 and Java 10 are non-LTS releases (LTS means long term support), this means they were stepping stones to get to a stable release... Java 11.
Further support from Oracle for Java 9 ended in March 2018, and support for Java 10 ended in September 2018.
What about Java 12, 13, 14 or 15?
Java 12, 13, 14 or 15 may work where Java 11 works, but none of them are a long term support (LTS) version like version 11 is. Java 12, Java 13 and Java 14 are already unsupported (do not receive security patches).
You can read more about Java LTS and non LTS releases here or see the oracle support roadmap for more info.
What happens if I don't update Java?
Based on past experiences these are the things that end up happening when you stay on an old JVM:
- Vulnerable to Security Issues - here are a few past examples:
- Null byte file path vulnerability
- Floating point crash - due to a bug in floating point operations you could crash a server just by sending a specific number (if that number were to be used as a numeric in the code).
- Image Upload Crash - upload an image and process it with java image api's and it would crash the server.
- Your cacerts becomes out of date, so if a trusted certificate authority becomes compromised, or untrusted it would be removed from cacerts in the next java update. But if you do not update java you will still be trusting these certs.
- And many more
- Things like HTTPS start breaking - before you rush off to import certs into the keystore (that is a bad idea), know that updating the JVM will often fix https issues. Further changes to TLS protocols and supported ciphers can make a big difference in determining what servers you can connect to. For example many https servers have disabled TLS 1.0, 1.1 and require a minimum TLS version of 1.2. If you are running Java 6 it doesn't support TLS 1.2, java 7 doesn't support it by default.
Like this? Follow me ↯
Tweet Follow @pfreitagUpdating Java on ColdFusion or Lucee was first published on March 21, 2019.
If you like reading about coldfusion, java, jvm, lucee, or oracle then you might also like:
- Getting Size of Heap and Non Heap Memory in CFML
- Adobe Says Go Ahead and Upgrade your ColdFusion JVM
- What's New in Java 7?
- OutOfMemoryError - GC overhead limit exceeded
- Cheat Sheet Roundup - Over 30 Cheatsheets for developers
- Is maxlength necessary in cfqueryparam with timestamps?
- Java LTS Version Roadmap and Guide
- Travis CI Error when installing oraclejdk8
The FuseGuard Web Application Firewall for ColdFusion & CFML is a high performance, customizable engine that blocks various attacks against your ColdFusion applications.
Comments
Server Product: ColdFusion 2016
Version: 2016.0.16.320445
Java Version: 11.0.8
As always, just trying to help.
BTW FuseGuard doesn't modify the request at all, it will only log or block the request. I've found that things that try to modify the request always end up frustrating the developer (like we just found here).
This raises a topic that may be of interest, for those who may use that feature: is there anything one can do to whitelist a page like this, where you wouldn't want it causing this trouble. Do you know? Or does anyone? :-) This is definitely off=topic for this post. If you may want to create a new one on it, I'm sure some people would find it interesting.
If it's that you have other priorities so can't now, that's understandable. I only ask both as it may help others (if it works or not) and most important it would help you, if you ever edit another blog post that has code that would get stripped/protected, if you forgot to turn it off globally then also. :-)
One tweak you should consider: cf2018 now ships with Java 11. It's true that the original installer did ship originally with Java 10 (and can be updated to Java 11 after update 2), the installer was refreshed as of February 12 2019 when update 2 shipped. So some people will find they are indeed running on Java 11 already. :-)