If you’d not heard the news, there were several updates released today, for CF 11, 10, and 9.
As for CF11 and CF9, it’s mainly a security update. For CF10, it’s got quite a bit more. (And there is another update for CF11 to come in the future which Adobe mentioned when it came out with its first update last month.)
For more on each, see below.
Adobe has also posted a blog entry about the update, and if you have questions or concerns about it (that should be seen by them), it would be best to raise them there, as they may not see them here. I welcome comments otherwise, of course.
As many of my readers know, I’m a big fan of the FusionReactor server monitor for ColdFusion (and Railo, BlueDragon, Tomcat, and indeed any Java server). I help people use it every day (just like I also help people leverage other CF monitors like the CF Enterprise Server Monitor and SeeFusion).
One of the most important features is the stack tracing feature, used to understand what’s holding up a long-running request.
And the folks who make FusionReactor asked me to do a several-minute video demonstrating it, and they have posted it on their YouTube channel:
Well, it’s that time again. Later this week is the second annual ColdFusion Summit, put on by Adobe. Last year, just prior to the summit, I posed the question What’s Wrong With ColdFusion. The feedback was immediate, and intense, with many people weighing in with their thoughts on what could be done to progress ColdFusion, both as a platform and a language.
Unfortunately, last year I wasn’t able to attend the summit, and development of the ColdFusion 11 server was nearly complete, so most of that feedback had zero impact on the new release. While there were many advancements in security and JSON processing, some of the other introductions were seemingly underwhelming, or even unwanted, to many longtime CF developers.
Now, to be fair to Adobe, and the ColdFusion product development team, they do have a responsibility to cater to their paying customers. Developers are rarely the ones buying the server itself, and the money handlers buying the server licenses rarely have enough real understanding of the development process to truly provide reasonable feedback when asked “What do we do next?”
I often help people who are reporting that CF is “running hot on the CPU”, maybe reaching 80 or even 100% of the CPU, whether in spikes or for extended periods. What might you propose people look at, when you’ve heard that? I’ve heard all kinds of things over the years, often focused on coding, or perhaps JVM tuning.
But as is often the case in a lot of the CF server troubleshooting consulting I do, I find the causes to be far less often what most people seem to suspect. So what would I look for when someone reported high CPU in ColdFusion (or Railo)? Read on.
ColdFusion Lockdown/Security guides: there are several, and some you may have missed
While helping people with various problems in my CF server troubleshooting services, I often have the chance to help people identify security vulnerabilities, especially in their configuration of CF and/or their web server, and sometimes related to their code.
I was wanting to point out to someone the various ColdFusion security resources, and while I have a category on them in my CF411 site, I thought this was a list worth pulling out into its own blog entry and expanding a bit.
You may be surprised to find that there is more to CF security guidelines than just the venerable server “lockdown guide” (for those administering and configuring CF, the OS, and the web server, among other things).
Did you know that there have been “developer security guidelines” as well, focused instead on coding? This latter guide has gone through three iterations, including just recently, as I’ll discuss along with the lockdown guides, below.