ColdFusion and Java 8 and Java 11 Updates

As many of you are aware, Oracle has changed their licensing for Java 1.8 and is making it pay to play for all commercial purposes. Here's a link to the licensing announcement. I'm not a lawyer and I'm not going to pretend that I understand these licensing agreements. But Oracle and Adobe (or their lawyers, I presume) do understand these, and as such there are changes to note. On January 24th Adobe announced that Adobe will maintain support, via a Long-Term Support Agreement with Oracle, for Java 8 and Java 11. Thank you Adobe!

I have questions as I'm sure everyone else does. I've been asking representatives at Adobe these questions.

What does this mean for us?
ColdFusion Server runs on Java from Oracle, and as such the new Oracle license affects all of our ColdFusion servers. To this point Adobe has secured licensing from Oracle that allows all ColdFusion Server owners to continue running Java. It is very important to note that you now need to download Java from Adobe and NOT Oracle. Get your Adobe Licensed Oracle Java downloads HERE!

Is the Java version from Adobe different than the same version from Oracle?
Great question, and I asked Adobe about this. Here is the answer: "Wil, installers are same but license attached to them are different and this is for both Java 8 and 11".

What about my existing ColdFusion Servers?
Another great question! There are tens of thousands (or more) ColdFusion servers running and the vast majority of them are running on Java from Oracle. I know that the CF Webtools Operations Group maintains a very large number of servers for a large number of clients. Over time we have been upgrading the Java version on the servers to keep up with the security updates from Oracle. This means that most if not all of these servers are on Oracle Java from Oracle and not from Adobe. What do we have to do to remain compliant? I really hope we do not have to visit all of these servers and replace the Java with the one from Adobe simply because there is a different license agreement attached. I have submitted this question to Adobe and I'm anxiously awaiting the answer. What I do know is that all servers that we need to update are going to get the Adobe Licensed version of Oracle Java to stay safe.

I received an answer today from Adobe on this.

Wil, to answer your question, if the JDK/JRE were downloaded before Oracle came up with Licensing change, it should not be an issue. Otherwise we recommend using the Adobe provided download as soon as possible, although we don't see a deadline around this.
This means that all the servers that I have recently updated will need to be re-updated with the Java from Adobe that has a different license agreement.

What about my New ColdFusion Servers?
This question has a simple answer. To install a new ColdFusion Server you need to use the ColdFusion installer from Adobe, which comes with an Adobe licensed version of Oracle Java. If you want to use a newer version of Oracle Java then you need to download the Adobe Licensed version of Oracle Java from Adobe. Download Here!

Do I have to use Oracle Java?
Awesome question, and the answer is yes, no, maybe. There is OpenJDK, which may work just fine to run ColdFusion servers. There is also a new player in the Java game and that is Amazon. "Amazon Corretto is a no-cost, multiplatform, production-ready distribution of the Open Java Development Kit (OpenJDK)." Currently their version 8 is production ready and their version 11 is in the Release Candidate stage. I have run ColdFusion 11 and ColdFusion 2016 on Amazon Corretto 8 and it ran fine for the very limited testing that I did. For now there isn't official support from Adobe for these two Java versions.

As I get more information from Adobe I will provide updates above. I'm sure there will be more questions that people will want answered.

CF Webtools Developer Teams are ColdFusion experts and are ready to build your applications. We are also an Amazon Partner. Our Operations Group can build, manage, and maintain your AWS services including ColdFusion servers. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at CF Webtools .

It's Up To Us To Stop Hackers

The first month of 2019 has passed and it was full of year end wrap up articles about anything and everything from 2018. Most were fluff articles on pop culture and such. What I found most interesting were the articles that quantified the past year of hacking and security breaches. According to NBC News, Hackers stole nearly half a billion personal records in 2018. There were fewer breaches, but the breaches were bigger and worse and more data than ever was stolen. Crypto-miners have improved as well and not in a good way. Previously I wrote about Cryptojacking and Hacking for Bitcoins. These are malware attacks where hackers install crypto-miners on servers they have compromised. The Crypto-miners use your CPUs to make money for themselves. Hackers have taken this malware to a new level of deviousness. The malware can now target and remove cloud security products as reported here and here.

It's been a banner year for the hackers.

ColdFusion Bug Introduced In Newest Update

UPDATE: Adobe has released updates for the last update.
  • ColdFusion 11 Update 17 was released that supersedes Update 16.
  • ColdFusion 2016 Update 9 was released that supersedes Update 8.
Many of us, including myself, have been testing these new updates and so far they look good. We have not heard any news on any additional updates for ColdFusion 2018.

This is a very quick note to alert everyone that there is a critical bug that was introduced with yesterday's updates for ColdFusion 2018, ColdFusion 2016, and ColdFusion 11. Adobe is very actively working on a resolution. The bug is simply this: in cfscript, queryExecute() is broken. This is the bug report.

Here is an example of what is no longer working. Example one is a cfscript based CFC file.

component output="false"
{
    public query function getRoles() {
        var userRoles = '';
        var sql = "SELECT roleId, roleName FROM userRole ORDER BY roleID";
        userRoles = queryExecute(sql);
        return userRoles;
    }
}

Example two is a cfscript block in a CFML file.

<cfscript>
userRoles = '';
sql = "SELECT roleId, roleName FROM userRole ORDER BY roleID";
userRoles = queryExecute(sql);

writeDump(userRoles);
</cfscript>

The code causes a Java error at the queryExecute() statement. Many of us are working with Adobe to provide test cases, stack traces, and testing hot fixes in order to get this resolved as fast as possible. Until there is a fix, if your application is using cfscript based queries, you will want to hold off on the update.

New ColdFusion 2018 and ColdFusion 2016 Updates and Patches

Adobe just released updates for ColdFusion 2018, ColdFusion 2016, and ColdFusion 11. Please note that this is most likely the last update that ColdFusion 11 will receive, because its core support end of life is coming up in April of 2019.

Some New Features

  • This update includes adding support for Java 11 to ColdFusion 2018 and ColdFusion 2016. ColdFusion 11 did NOT get this update most likely due to ColdFusion 11 nearing end of life.
  • ColdFusion 2018: Server Auto-lockdown includes a new installer for Mac OS.
  • ColdFusion 2018 and ColdFusion 2016: Updated the following OEMs:
    1. Jetty 9.4.12
    2. ExtJS 6.6
    3. JPedal 8.4.31
  • ColdFusion 2018 and ColdFusion 2016: You can use cfloop as script for arrays, lists, structs, or queries.
  • ColdFusion 2018: New platform support matrix for the following:

Adobe has updated more features for ColdFusion 2018 and ColdFusion 2016 including new mobile updates and Performance Monitor Updates. It's time to update your servers.

Using CDN for Entire Website and Country Blocking - Part 1

Many clients have asked CF Webtools numerous times to block an entire country or countries. The issue is that there's a lot of hacker activity from certain identified countries and the clients do not do any business with those countries. Typically it's attempts to hack the entire server, but more recently it's attempts to use the client's shopping cart to "test" stolen credit cards. This is a very serious problem and as such clients are asking us to help them prevent this from happening. One potential solution is to block the IP addresses that these attacks are coming from. I refer to this as the Whack-A-Mole method because it's just like that arcade game. As soon as you block one IP they switch to another IP address.

We need a better solution. I looked into what we could do and how reasonable and feasible the various options are in terms of technology and cost. In this article I'm writing about using CloudFlare CDN to block entire countries.

CloudFlare
I was not familiar with CloudFlare other than that it's a CDN. They do offer advanced services for a price. There is a free tier that has CDN capability and limited firewall features. The firewall features include the ability to set up 5 firewall rules.

To test the features and capabilities of CloudFlare I created a free account for myself and set up my blog to use CloudFlare. My blog's uptime is not critical like the client's business is, and it gets real traffic, thus it can be used to test various features.

Using the free firewall features I can block multiple countries in a single firewall rule. The rules allow for chaining filters with AND OR statements. See the example below.

I don't know yet if there is a limit to the number of conditions I can add to a single rule. However, at the moment it seems to be sufficient.

The negative side effect that I can see so far is that all the IP addresses that get logged on the origin web server are from CloudFlare. This defeats many clients' need to have a valid IP address for their valid customers. CloudFlare does offer the option to pass through the original HTTP headers, but that is under their top Enterprise plan. They do not provide a cost for this. You need to request an estimate.

CloudFlare does pass through custom headers that carry the original IP, along with other custom headers. However, these are not standard: web servers need to be configured to first read the custom header fields, and then the application code needs to be updated to use the custom header fields. It's far easier to do this in Apache than it is in IIS. IIS does not allow this to be done at a global level, meaning each IIS site must be configured for the custom headers. Additionally, you may need to custom code the web application to read X-Forwarded-For no matter which web server you are using.
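The header handling described above only helps if the application refuses forwarding headers from anyone who is not the CDN, since a client connecting straight to the origin can set them to anything. The sketch below is an added example, not code from this blog, and it is written in Python purely to show the logic; the trusted ranges are constructed placeholders standing in for the CDN's published edge ranges, and `CF-Connecting-IP` is CloudFlare's header for the visitor address.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation space).
# Assumption: in production this list is loaded from the CDN's published edge ranges.
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:cd::/48"),
]


def parse_ip(value):
    """Return an ip_address object, or None when value is not a valid IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except (ValueError, AttributeError):
        return None


def is_trusted_proxy(ip_text):
    """True only when the address falls inside a trusted CDN range."""
    addr = parse_ip(ip_text)
    return addr is not None and any(addr in net for net in TRUSTED_PROXY_NETS)


def resolve_client_ip(peer_ip, headers):
    """Return (client_ip, source) for one request.

    peer_ip is the TCP peer the web server saw; headers is a dict of
    request headers. Forwarding headers are honoured only when the peer
    is a trusted proxy, because anyone connecting directly can forge them.
    """
    if not is_trusted_proxy(peer_ip):
        return peer_ip, "peer"

    lowered = {name.lower(): value for name, value in headers.items()}

    # CloudFlare's single-value header carrying the visitor address.
    direct = parse_ip(lowered.get("cf-connecting-ip", ""))
    if direct is not None:
        return str(direct), "cf-connecting-ip"

    # X-Forwarded-For grows left to right, so the leftmost entries are
    # client-supplied. Walk from the right and take the first hop that
    # is not one of our proxies.
    hops = [h for h in lowered.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        addr = parse_ip(hop)
        if addr is None:
            break  # malformed chain: fall back to the peer address
        if not is_trusted_proxy(str(addr)):
            return str(addr), "x-forwarded-for"
    return peer_ip, "peer"


# Constructed sample requests: (peer address, headers).
SAMPLES = [
    ("203.0.113.50", {"CF-Connecting-IP": "192.0.2.1"}),   # direct hit, forged header
    ("198.51.100.7", {"CF-Connecting-IP": "203.0.113.9"}), # arrived through the CDN
    ("198.51.100.7", {"X-Forwarded-For": "10.9.9.9, 203.0.113.77, 198.51.100.8"}),
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLES:
        print(peer, hdrs, "->", resolve_client_ip(peer, hdrs))
```

The same rule applies whether the lookup is done in the web server configuration or in application code: log and act on the forwarded address only when the connection itself came from the CDN.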

Another issue is that CloudFlare requires you move your DNS to them. Depending on the client, gaining access to their DNS and registrar can be challenging.

Part 2 will cover using AWS CloudFront to achieve the same results.

CF Webtools is here to fill your needs and solve your problems. If you have a perplexing issue with ColdFusion servers, code, connections, or if you need help upgrading your VM or patching your server (or anything else) our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations @ cfwebtools.com.

ColdFusion Exploit in the Wild

On September 11th of 2018 Adobe released a critical security patch to patch a very dangerous flaw (CVE-2018-15961) that could allow an attacker to upload a file that can be used to exploit and take control of the server. Adobe updated their security note to alert everyone that there are active exploits in the wild.

"UPDATE: As of September 28, Adobe is aware of a report that CVE-2018-15961 is being actively exploited in the wild. The updates for ColdFusion 2018 and ColdFusion 2016 announced in this bulletin have been elevated to Priority 1. Adobe recommends customers update to the latest version as soon as possible." - Adobe

Today it is being reported by multiple news outlets including ZDNet that the exploit is in the wild and being used by a nation-state cyber-espionage group.

"A nation-state cyber-espionage group is actively hacking into Adobe ColdFusion servers and planting backdoors for future operations, Volexity researchers have told ZDNet.

The attacks have been taking place since late September and have targeted ColdFusion servers that were not updated with security patches that Adobe released two weeks before, on September 11." - ZDNet

This is one more friendly reminder to make sure your ColdFusion servers are patched! Either patch them yourself, have your hosting provider patch them or if they are not familiar or knowledgeable with ColdFusion contact us at CF Webtools to patch your servers. Our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to "operations at cfwebtools.com".

ColdFusion Debugging on Production, That wasn't a Good Idea

Today's short note is brought to you by "Don't Do That On Production!" At CF Webtools we often get called in to help troubleshoot servers that are failing to perform well. We often hear the same sort of symptoms, which go like this: the server has been running fine for months, then suddenly for no reason it's slow, CPU usage is high, and it hangs or crashes multiple times per day. This always prompts us to ask the same question. "What was changed just before these symptoms started?" And the answer is usually "Nothing was changed (as far as they knew)". In all reality the person we're talking to may not be the only person with access to make changes to the server. Or they may not in fact have access at all and they are relying on information provided to them by an IT team member. We take notes, assume nothing, and question everything (on the server).

We had this scenario play out a few times in the past few weeks with three servers from three different companies. The reason I'm writing this note is that the same problem occurred on each server. The short answer is someone enabled ColdFusion Debugging on the production server. ColdFusion is a very powerful rapid development platform, but it has a few gotchas if you are not careful, such as enabling debugging on a production server. Debugging output provides a massive amount of information and for obvious security reasons we never want this enabled on a production server. Yes, I know you can restrict debugging output to a certain IP address, but that does not prevent the debugging output from being generated. It's just not displayed. The generation of debugging output takes more CPU power and at times more JVM memory. On a low load web application you may not notice a difference. However, on a high load, high traffic production web application the extra resources needed to generate the debugging output may in fact cause all those symptoms described above.

In each of the cases we saw these past few weeks, we were reviewing the servers' settings, looking at the results of Fusion Reactor, and reviewing ColdFusion settings. On the first server we almost missed the fact that debugging was enabled. By the time we were troubleshooting the third server with similar symptoms we were checking to see if debugging was enabled before we did anything else. Disabling debugging resolved the bulk of the performance issues. We then used this time to review each server and offered additional performance tuning recommendations based on each server's resources and application needs.

This falls into the category of "Don't Do That On Production!" Please leave debugging to your development and staging servers.

ColdFusion Bloggers Tweets

When I brought ColdFusionBloggers.org back to life, several of us were discussing the service on the CFML Slack channel. One of the many things that was mentioned was that some blogs these days are static and don't have a 'ping' service to ping an aggregator. That led to the venerable Sean Corfield mentioning that he does not read a blog post if he does not see it on his Twitter feed. I suspect others get their updates this way as well. I'm still 'old school' I guess because I still use an online news reader. I don't have a solution yet for those static blogs, but I'm percolating thoughts on that. However, during the process of resurrecting ColdFusionBloggers.org I noticed that at one time there was a Twitter account for @CFBloggers. I checked with Ray Camden and luckily he was able to remember the credentials for this account and passed those on to me.

The current iteration of ColdFusionBloggers.org is coded in Node.js. I've been learning what I can about Node as fast as I can. This past weekend I started the process with Twitter to get my API tokens. While waiting on those I learned what I needed to get Node to send a Tweet. Today I received the Twitter API access tokens and this evening I was able to debug my hacked up Node code. The first tweet was sent! WooHoo! I think this is all working.

The short story is all new blog posts aggregated by ColdFusionBloggers.org will now be tweeted in real time. This is the first blog post to be tweeted. Cheers!

I hope this is the first of many changes for ColdFusionBloggers.org. Contact me to have your ColdFusion related blog added to the feed.

ColdFusion Bloggers is Alive

A short note to alert everyone that ColdFusionBloggers.org is back online and back to aggregating your blog posts.

The great Raymond Camden created this awesome resource and technically it will always be his. I happen to be the current caretaker, if you will, of this valuable service. If anyone was wondering why Ray decided to step away from ColdFusion Bloggers, see his blog post here. I reached out to Ray and he granted me the 'keys' so to speak. Thank you Ray! I've moved hosting to my AWS account and tonight I was able to work through the hiccups of migrating older code to a newer environment on newer versions of the backend software. I just completed adding SSL via Let's Encrypt and verified the ping service works. ColdFusion Bloggers is back in action!

Spread the word! Add your blog!

USPS Shipping API Ending TLS 1.1 and TLS 1.0 Support, is your ColdFusion Server Ready?

At CF Webtools we recently went through a round of server upgrades to handle Authorize.net ending support for older TLS versions. Now USPS, the United States Postal Service, is doing the same thing with their Shipping APIs. This is going to be happening for all APIs, most likely all this year, as PCI requirements call for ending support for TLS 1.1 and older at the end of June 2018. This is according to the PCI Security Standards Council.

USPS will be turning off support for TLS 1.1 and older for testing. In advance of the changes to production, TLS version 1.0 and 1.1 support will be discontinued in the lower Web Tools environments and available for testing on 5/22/18: https://stg-secure.shippingapis.com/shippingapi.dll): 06/11/18.

This message explains some security improvements planned for our services. Effective 06/22/18, Web Tools will discontinue support of Transport Layer Security (TLS) version 1.0 and 1.1 for securing connections to our HTTPS APIs through the following URL: https://stg-secure.shippingapis.com/shippingapi.dll. This includes, but is not limited to, all shipping label and package pickup APIs. After this change, integrations leveraging TLS version 1.0 and 1.1 will fail when attempting to access the APIs.

You are receiving this message because the Web Tools UserID associated with your email address has made HTTPS requests over the past year. It is possible that no changes are necessary to retain Web Tools services and benefit from the improvements. Please review the entire message carefully and share with your web developer, software vendor, or IT service provider to determine if your use of the Web Tools APIs will be affected. If you have already updated your security certificates please disregard this message. If you are not sure if any changes are necessary, please ask your IT service provider.

In advance of the changes to production, TLS version 1.0 and 1.1 support will be discontinued in the lower Web Tools environments and available for testing on 5/22/18: https://stg-secure.shippingapis.com/shippingapi.dll): 06/11/18.

Further background: Security research published in recent years demonstrated that TLS version 1.0 and 1.1 contained weaknesses that limited its ability to protect and secure communications. These weaknesses have been addressed in the TLS 1.2 version. Major browser software vendors have been supporting TLS 1.2 for some time. Consistent with our priority to protect USPS Web Tools customers, Web Tools will only support versions of the more modern TLS 1.2 as of the effective date noted above.

Contact us at WebTools@usps.gov with any questions or concerns.

This means that if you are using older methods to make calls to USPS that are not capable of making TLS 1.2 connections then you will NOT be able to process Shipping API transactions.

This affects ALL ColdFusion versions 9.0.2 and older! This also affects ColdFusion 10 Update 17 and older. If your server is running any of these older versions of ColdFusion and your server is processing Shipping API transactions with USPS then this advisory applies to your server.

Mitigation

Getting compliant depends on the age of your server operating system. There are three main ways to get your server to handle TLS 1.2.

  1. If you're running on Windows Server 2008 Standard (not R2) or older then the only solution is to migrate to a newer server. This can be challenging and time consuming. It's best to start planning now if a plan isn't already in place and being acted upon.
  2. If your server is running ColdFusion 10 and newer on Windows Server 2008 R2 or newer then the solution is most likely very simple. In most cases you'll need to install the ColdFusion patches and upgrade to Java 1.8.0_nn.
  3. There is a solution for the in between systems running ColdFusion 9 and older on Windows 2008 R2. This does require using a third party extension to ColdFusion and some refactoring of your code to call the API.
  4. There are sure to be outlier cases that will require either migration or patching depending on the exact combination of operating system, ColdFusion version and Java version.

CF Webtools has been successfully mitigating this issue for clients' servers for the past couple of years and we are very experienced in resolving these security related issues. In a previous blog post I tested which TLS levels were supported by various ColdFusion versions on various Java versions and produced an easy to read chart.

If your ColdFusion server is affected by this or if you do not know if your ColdFusion server is affected by this then please contact us (much) sooner than later. Our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.
