Pete Freitag Pete Freitag

Updating Java on ColdFusion or Lucee

Updated: December 08, 2020

As a ColdFusion user you are probably aware that your CFML is compiled into Java byte code and executed by the Java Virtual Machine (JVM). Just like your Operating System or ColdFusion server needs to be patched for security issues, so does your JVM. Oracle typically releases a security patch for Java every quarter.

How do you know when Java Security Patches are released?

My HackMyCF service will send emails to customers when Oracle releases a new Java security patch with issues pertaining to server side java. HackMyCF can also continuously monitor the version of java that your CF server is actually using and let you know in your report that it needs to be updated.

Here is a video showing how to update Java on ColdFusion 2018:

Links from video:

What version of Java Should I be using?

  • ColdFusion 2018 - Shipped with Java 10, supports Java 11 as of CF2018 Update 2. You should be running Java 11 with CF2018. Java 8 may work, however it is not officially supported.
  • ColdFusion 2016 - Supports Java 11 (as of CF2016 Update 8) or Java 8.
  • ColdFusion 11 - Supports Java 8 - Adobe did not state that Java 11 was supported on CF11 when they added support in CF2016 and CF2018.
  • ColdFusion 10 - Supports Java 8 (as of Update 14)
  • ColdFusion 9 and below - Java 8 may work, but certain features (eg web services) may throw exceptions. Since these versions of CF have been EOL for many years you don't need to worry about official support (it is all unsupported). Java 6 and 7 was the officially supported version for these releases.
  • Lucee < 5.2.9 - Java 8
  • Lucee > 5.2.9 - Java 11

From there you always want the latest update of the major version, so if your server should be running Java 11, you want the latest version of Java 11. Right now (as of March 2018) that is 11.0.2, but Oracle typically releases security updates each quarter.

Where should I download Java from?

If you are an Adobe ColdFusion customer you can download Oracle Java from Adobe's ColdFusion Downloads page. It may take them a few days to update this page when a new version comes out. If you don't want to wait or if you are running Lucee then you can use an OpenJDK based version such as:

How frequently should I update Java?

You should update whenever a security patch comes out for the version of java you are running (typically quarterly).

Should I be running Java 9 or Java 10?

No - Java 9 and Java 10 are non-LTS releases (LTS means long term support), this means they were stepping stones to get to a stable release... Java 11.

Further support from Oracle for Java 9 ended in March 2018, and support for Java 10 ended in September 2018.

What about Java 12, 13, 14 or 15?

Java 12, 13, 14 or 15 may work where Java 11 works, but none of them are a long term support (LTS) version like version 11 is. Java 12, Java 13 and Java 14 are already unsupported (do not receive security patches).

You can read more about Java LTS and non LTS releases here or see the oracle support roadmap for more info.

What happens if I don't update Java?

Based on past experiences these are the things that end up happening when you stay on an old JVM:

  • Vulnerable to Security Issues - here are a few past examples:
    • Null byte file path vulnerability
    • Floating point crash - due to a bug in floating point operations you could crash a server just by sending a specific number (if that number were to be used as a numeric in the code).
    • Image Upload Crash - upload an image and process it with java image api's and it would crash the server.
    • Your cacerts becomes out of date, so if a trusted certificate authority becomes compromised, or untrusted it would be removed from cacerts in the next java update. But if you do not update java you will still be trusting these certs.
    • And many more
  • Things like HTTPS start breaking - before you rush off to import certs into the keystore (that is a bad idea), know that updating the JVM will often fix https issues. Further changes to TLS protocols and supported ciphers can make a big difference in determining what servers you can connect to. For example many https servers have disabled TLS 1.0, 1.1 and require a minimum TLS version of 1.2. If you are running Java 6 it doesn't support TLS 1.2, java 7 doesn't support it by default.

Like this? Follow me ↯

Updating Java on ColdFusion or Lucee was first published on March 21, 2019.

If you like reading about coldfusion, java, jvm, lucee, or oracle then you might also like:

FuseGuard Web App Firewall for ColdFusion

The FuseGuard Web Application Firewall for ColdFusion & CFML is a high performance, customizable engine that blocks various attacks against your ColdFusion applications.


Good stuff there, Pete. Thanks. I was thinking of doing a post just like this recently, with all the changes.

One tweak you should consider: cf2018 now ships with Java 11. It's true that the original installer did ship originally with Java 10 (and can be updated to Java 11 after update 2), the installer was refreshed as of February 12 2019 when update 2 shipped. So some people will find they are indeed running on Java 11 already. :-)
by Charlie Arehart on 04/05/2019 at 2:56:34 AM UTC
I tried updating the jetty.lax file to reference the version of Java I just updated to, but SOLR will not create collections after doing so. Message is: Error when creating SOLR collections: An error occurred while creating the collection: org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException.

Server Product: ColdFusion 2016
Version: 2016.0.16.320445
Java Version: 11.0.8
by Christopher Simmons on 08/10/2020 at 12:35:06 PM UTC
@Christopher - That's interesting, I have not seen that. Did you upgrade jetty from java 8 to java 11? May need to stick with Java 8 for jetty.
by Pete Freitag on 09/10/2020 at 7:47:16 PM UTC

Post a Comment