More info on the CF Security Update included in the March 1 CF updates for CF11, 2016, and 2018

March 04, 2019 07:04:47 PM GMT
If you want to know more about the most recent CF updates and the security fix they provide, read on.
This security bulletin page discusses JDK Requirements for all releases. CF 2018 and 2016 note "On <em><strong>JEE</strong></em> installations, set the following JVM flag..." while CF 11 says "Additionally, on <em><strong>J2EE</strong></em> installations, set the following JVM flag..." I don't know if CF 11 is a typo or the other two are typos, and it's not really clear under what circumstances the test should be added to the jvm.config. Would you be able to shed some light on this, Charlie? Thanks. https://helpx.adobe.com/security/products/coldfusion/apsb19-14.html
Comment by jeffh65754959
1850 | March 04, 2019 10:41:28 PM GMT
Jeff, this is a lamentable situation. Not the JEE vs J2EE difference (that's just a reflection of a change in how what used to be called J2EE was renamed by the Java community to be JEE). Instead, what's lamentable is that that part of the technote HAS NOTHING TO DO WITH MOST PEOPLE IMPLEMENTING CF.

What they are referring to is those who have deployed CF as a WAR or EAR (something possible since CF 6), onto some Java servlet engine or app server (like JBoss, WebSphere, etc., or even Tomcat--but when you have installed Tomcat yourself). As you may know, most people install CF not that way (as a JEE web app on some servlet engine they have installed) but instead just as "ColdFusion Server". And technically that DOES run on Tomcat (since CF10, and before that JRun), and CF DOES technically run as a JEE web app. But the point is that there is a difference between you deploying CF as a webapp on some servlet engine or app server and CF installing itself on Tomcat. (And that is an option in the CF installer, which again most never would even notice--and don't usually need.)

So bottom line, that section of the technote about that jvm flag does not apply, unless you are deploying CF *as a war or ear*. Adobe could help folks a LOT by making that simple distinction, rather than use JEE (or J2EE), since technically that covers everyone.
Comment by Charlie Arehart
1851 | March 04, 2019 11:23:29 PM GMT
Thanks so much Charlie. That is much clearer.
Comment by jeffh65754959
1858 | March 05, 2019 01:39:38 PM GMT