Updating Java on ColdFusion or Lucee

As a ColdFusion user you are probably aware that your CFML is compiled into Java byte code and executed by the Java Virtual Machine (JVM). Just like your Operating System or ColdFusion server needs to be patched for security issues, so does your JVM. Oracle typically releases a security patch for Java every quarter.

How do you know when Java Security Patches are released?

My HackMyCF service will send emails to customers when Oracle releases a new Java security patch with issues pertaining to server side java. HackMyCF can also continuously monitor the version of java that your CF server is actually using and let you know in your report that it needs to be updated.

Here is a video showing how to update Java on ColdFusion 2018:

Links from video:

• Oracle Java Support for Adobe ColdFusion
• ColdFusion Downloads Page
• Amazon Corretto
• HackMyCF

What version of Java Should I be using?

• ColdFusion 2018 - Shipped with Java 10, supports Java 11 as of Update 2. You should be running Java 11. Java 8 may work, however it is not officially supported.
• ColdFusion 2016 - Supports Java 11 (as of CF2016 Update 8) or Java 8.
• ColdFusion 11 - Supports Java 8 - Adobe did not state that Java 11 was supported on CF11 when they added support in CF2016 and CF2018.
• ColdFusion 10 - Supports Java 8 (as of Update 14)
• ColdFusion 9 and below - Java 8 may work, but certain features (eg web services) may throw exceptions. Since these versions of CF have been EOL for many years you don't need to worry about official support (it is all unsupported). Java 6 and 7 was the officially supported version for these releases.
• Lucee < 5.2.9 - Java 8
• Lucee > 5.2.9 - Java 11

From there you always want the latest update of the major version, so if your server should be running Java 11, you want the latest version of Java 11. Right now (as of March 2018) that is 11.0.2, but Oracle typically releases security updates each quarter.

How frequently should I update Java?

You should update whenever a security patch comes out for the version of java you are running (typically quarterly).

Should I be running Java 9 or Java 10?

No - Java 9 and Java 10 are non-LTS releases (LTS means long term support), this means they were stepping stones to get to a stable release... Java 11.

Further support from Oracle for Java 9 ended in March 2018, and support for Java 10 ended in September 2018.

What about Java 12?

Java 12 may work where Java 11 works, but it is not a long term support (LTS) version like version 11 is. Support will end for Java 12 in September 2019.

What happens if I don't update Java?

Based on past experiences these are the things that end up happening when you stay on an old JVM:

• Vulnerable to Security Issues - here are a few past examples:
  • Null byte file path vulnerability
  • Floating point crash - due to a bug in floating point operations you could crash a server just by sending a specific number (if that number were to be used as a numeric in the code).
  • Image Upload Crash - upload an image and process it with java image api's and it would crash the server.
  • Your cacerts becomes out of date, so if a trusted certificate authority becomes compromised, or untrusted it would be removed from cacerts in the next java update. But if you do not update java you will still be trusting these certs.
  • And many more
• Things like HTTPS start breaking - before you rush off to import certs into the keystore (that is a bad idea), know that updating the JVM will often fix https issues. Further changes to TLS protocols and supported ciphers can make a big difference in determining what servers you can connect to. For example many https servers have disabled TLS 1.0, 1.1 and require a minimum TLS version of 1.2. If you are running Java 6 it doesn't support TLS 1.2, java 7 doesn't support it by default.