Title:

Error after accessing ColdFusion Administrator using connector port

October 09, 2019 06:59:25 AM GMT
16 Comments
UPDATE (10/10/2019): We’ve now included patches for the 32-bit IIS connector. The locations are also updated. Users who had installed Update 5 of ColdFusion (2018 release) and Update 12 of ColdFusion (2016 release) encountered an error after they’d tried accessing the ColdFusion Administrator using their connector port. A few users reported that the issue might impact all their websites. This issue appears if and only if you access the ColdFusion Administrator using the web server port. We […]
The post "Error after accessing ColdFusion Administrator using connector port" (https://coldfusion.adobe.com/2019/10/error-accessing-coldfusion-administrator-using-connector-port/) appeared first on ColdFusion (https://coldfusion.adobe.com).
Labels: Adobe ColdFusion 2016, Adobe ColdFusion 2018, apache, connector, iis, isapi_redirect.dll

Comments:

This is great to see, Saurav. Thanks. (Folks have been left to dig through forum posts and bug tracker tickets to find this info and these links, formally shared from someone at Adobe.) Could we now get a post for that other hotfix jar that Adobe is sharing, addressing the few other issues introduced in the most recent update? That (including info on how to apply it) would be VERY helpful.
Comment by Charlie Arehart
2403 | October 09, 2019 03:12:22 PM GMT
This is regarding CF 2016 Update 12.

There are two (at least) versions of the updated isapi_redirect.dll available. I’m using the bug tracker (CF-4205361, https://tracker.adobe.com/#/view/CF-4205361) for reference, though I have seen the links shared elsewhere.

In one comment, Charlie shared a link (ISAPI_Redirect_Patch, https://www.dropbox.com/sh/q2hv32vuw25oiho/AADpPdNBKC82IXXIxBM60m-ya?dl=0) that had two folders (Binaries and CF2016 Binaries) and the DLL. I downloaded the DLL and it resolved the 404 error reported by the connector. Interestingly, this DLL is the exact same size (515,584 bytes, 504k) as the buggy connector file that came with update 12, though they are different.

In another comment, Kailash shared a link (CF2016 Binaries, https://www.dropbox.com/sh/zqfn58y3k81nwoj/AAAj1JWbqxr6vcSRacKx9af5a?dl=0) that has four folders for various operating systems. I assume that CF2016 Binaries folder is the same as the one that’s in Charlie’s link, though you can’t tell by the URLs, and you can’t navigate up the tree. I downloaded the DLL in Windows/IIS/64bit, and noticed that it’s smaller (488,448 bytes, 477k) than the other one, as well as the one that came with the update. The previous connector used on the server from (I think) updates 8/9, is 486,400 bytes.

This post links to a zip file that contains basically the contents of the CF2016 Binaries folder shared on Dropbox, though the 32-bit version is missing for IIS. The DLL in this file is identical to the one found in the link shared by Kailash.

So which of these is correct? The first one is the same size as the connector that came with the update (which seems reasonable since it’s a fix). The second is only slightly larger than the previous connector, which would make sense if a bunch of code was removed.

Thanks.
Comment by sthompson
2411 | October 10, 2019 01:20:50 AM GMT
ST, a couple of things: I didn't share any link to files. Instead, I quoted Kailash who shared the link. And that was on the 7th (in a comment on that ticket you point to). Then it was on the 8th that Kailash made another comment, sharing yet another link. Why they differ, I can't say, but it was a day later. It could be that the second was newer. More important, you don't seem to discuss comparing things to what Saurav has shared here in THIS post, which is yet a day later? Really, these files he has shared here would seem to take precedence over even the two sets shared by Kailash so far. Make sense?
Comment by Charlie Arehart
2412 | October 10, 2019 01:33:41 AM GMT
Thanks a lot Charlie. Let me check with the team.
Comment by SauravGhosh
2415 | October 10, 2019 07:15:16 AM GMT
Charlie, both sets contain the same dll and so files. The only change is in the locations specified to host the files. Earlier, we'd shared via Dropbox, but now we've changed it to Document Cloud. Thanks.
Comment by SauravGhosh
2416 | October 10, 2019 12:06:42 PM GMT
I've tried to access the links for both 2016 and 2018, but neither one is working now.  Did they pull these patches?
Comment by Scott15205
2419 | October 10, 2019 06:08:13 PM GMT
Scott, The links are working for us. Could you re-try or post the error message, if any? Thanks
Comment by SauravGhosh
2422 | October 11, 2019 06:06:28 AM GMT
While this is great creating a post for folks to download update jar/dll connector, it would be better for everyone to issue a separate HF to address all patch fixes. What do you think?
Comment by Chris Reese
2425 | October 11, 2019 07:05:51 PM GMT
Thanks Chris. As far as a separate HF is concerned, we are looking into the possibilities. We'll announce accordingly.
Comment by SauravGhosh
2426 | October 14, 2019 11:33:48 AM GMT
Considering that both CFOUTPUT and the ISAPI connector are broken in Update 5, has Adobe given any thought to pulling the update? I mean - why do you continue to distribute what you know to be a problematic update? Also, what is going on with the QA for ColdFusion? I have not been able to deploy CF2018 to production yet because every single updater has broken a major feature. The ternary operator was broken up until Update 5, and then update 5 broke CFOUTPUT and the ISAPI connector. The team is cranking out tons of new features, but that doesn't mean squat if we literally can't use the product because core features are being broken in the process. What gives? This team has to do better.
Comment by roland.collins
2436 | October 15, 2019 02:06:02 PM GMT
Did the jQuery UI update from 1.8.16 to 1.12.1 in ColdFusion 2016 update 12? If not release 12 then what release? How come the jQuery UI update is not noted in the release notes?
Comment by CRAIG PENROSE_39
2432 | October 15, 2019 04:52:43 PM GMT
I am not in a position to quickly report if/when it updated, but I will say that since it's there for the sake of the CF features that use it, Adobe wouldn't necessarily be compelled to point it out. It's not really meant for others to leverage in their own code, though of course some do. I just mean to say that they don't make a commitment about expectations regarding it beyond whether it works for the CF features that leverage it. For what it's worth, I can confirm for you that there is no mention of jquery regarding any of the previous 11 CF2016 updates, either at the release notes page covering all of them at https://helpx.adobe.com/coldfusion/release-note/coldfusion-2016-updates-release-notes.html, nor in any of the individual technotes, per this google search: site:helpx.adobe.com inurl:coldfusion-2016-update "jquery" (To be clear, that search WILL find even the latest update 12 technote, if you search for "jdk 12" instead.) Maybe someone at Adobe will confirm for you if/when it may have changed versions over the life of CF2016, or perhaps someone will do a close analysis of the lib folder and the jquery files to detect if/when it may have changed versions. HTH
Comment by Charlie Arehart
2439 | October 15, 2019 05:57:53 PM GMT
Thanks for the feedback. I asked about it because I received vulnerability notices from our internal Cyber division about using an out of compliance jQuery UI version (1.8.16). Thankfully it was updated to 1.12.1 in ColdFusion update 12 (as far as I can tell). I have received a vulnerability notice about ColdFusion having jQuery version 3.3.1 and am being directed to upgrade to jQuery 3.4.0 per CVE-2019-11358. I do think ColdFusion should notify when they upgrade or plan to upgrade their embedded components - especially when those components are the subject of vulnerability notices (e.g. CVEs).
Comment by CRAIG PENROSE_39
2440 | October 15, 2019 08:04:56 PM GMT
That's a fair point. I will leave it for them to respond to.
Comment by Charlie Arehart
2442 | October 16, 2019 08:47:48 AM GMT
CVE-2019-8074
CentOS7 Apache CF2016
(HTTP response 403) /CFIDE/...
(HTTP response 403) /not-CFIDE/
(HTTP response 403) /not-CFIDE/index.cfm
(HTTP response 400) /index.cfm/..;/CFIDE/...
(HTTP response 400) /index.cfm/..;/not-CFIDE/
(HTTP response 200) /index.cfm/..;/not-CFIDE/index.cfm
Comment by kazu98296633
2463 | October 24, 2019 01:26:25 AM GMT
The links don't work for me, either. All I get is a Document Cloud header and the message: "Something went wrong. Please try again later."
Comment by AKAndy
2467 | October 24, 2019 08:47:40 PM GMT