Security vulnerabilities for JVM versions older than 1.6.0_18

Feb 09, 2010

If you're running ColdFusion 8 or 9 servers, I would encourage you to upgrade to the latest JDK, 1.6.0_18. There have been several notices from Sun and others regarding vulnerabilities in older versions of Java. As an FYI, the default version on CF 9 is 1.6.0_14, so even it is pretty old now.

http://www.us-cert.gov/current/archive/2009/12/04/archive.html#sun_releases_update_17_for
http://www.us-cert.gov/cas/bulletins/pdf/SB09-320.pdf

None of these vulnerabilities seem to directly affect ColdFusion, but I prefer to avoid problems whenever possible. I've started upgrading servers and haven't experienced any problems. I've pinged others in the community who have also made this upgrade, and no one has run into any issues as yet. Naturally, I'll blog any problems we run into.

The problem is Adobe is really bad at certifying JVMs past a certain point. This tends to create problems as vulnerabilities are discovered in the JVMs that ColdFusion is shipped with. Considering recent history with quality control at Adobe, I'm taking a more strict view on these issues.

Here's an Adobe technote on how to change your JVM on ColdFusion:
http://kb2.adobe.com/cps/547/2d547983.html

And here's the link to Sun's 1.6.0_18 JDK:
http://java.sun.com/javase/downloads/widget/jdk6.jsp

If you're running CF 7 or 6, you really need to consider upgrading to CF 8 or 9 by now. If cost is a factor for you, then I recommend you try out Railo, which is a free and open-source CFML engine. There's simply no reason these days to be running an old version of CF.

 
