ColdFusion (2018 release) Update 11


If you are applying Update 10 without applying Update 8, follow the Post Installation steps mentioned for Update 8.

Note: If you are already on Update 8, you can apply Update 10 without performing any intermediary steps.


If you are updating via ColdFusion Administrator:

The minimum update versions are Update 4 or higher for ColdFusion (2018 release), due to a recent change in code signing certificate.

These are mandatory pre-requisites before updating.

The updates below are cumulative and contain all updates from previous ones. If you are skipping updates, you can apply the latest update, not those you are skipping. Further, you must take note of any changes that are implemented in each of the updates you are skipping.

To install previous updates, see ColdFusion (2018 release) Updates.

What's new and changed

ColdFusion (2018 release) Update 11 (release date, 22 March, 2021) addresses vulnerabilities that are mentioned in the security bulletin, APSB21-16, and a few other issues.

In addition, we’ve introduced support for RHEL 8.3, WildFly 23, Tomcat 9.0.43, PostgreSQL 13, Oracle 19c (2018), and MS SQL Server 2019.

Bugs fixed

Bug ID Description Component
CF-4209577 Datasource deleted when clicking on "Cancel" of delete confirmation popup. Administrator
CF-4206324 Unable to access the ColdFusion administrator using a hyperlink after applying ColdFusion 2018 Update 5. Administrator : Administrator Console
CF-4205373 False positive for missing CFPDFParam source attribute. Administrator : Code Analyzer
CF-4205372 False Positive for CFCollection "path" Attribute on Code Analyzer. Administrator : Code Analyzer
CF-4207245 Recent update to cfajax.js uses defineProperty method which is not available in IE 11 document mode 5. AJAX
CF-4206044 The Richtext editor does not display as expected. AJAX : UI Components
CF-4205063 ColdFusion.Window.create with initshow=false causes a JavaScript error. AJAX : UI Components
CF-4204493 cfwindow and cfform does not work as expected after applying Update. AJAX : UI Components
CF-4211186 Intermittent NULL Pointer Exception in caching. Caching
CF-4210052 Redis Caching - end of stream error when caching queries and structures. Caching
CF-4204989 Clear folder specific template cache does not work as expected. Caching : General
CF-4202859 ColdFusion uses unsynchronized WeakHashMap in Remote Method Invocation during cache replication.  Caching : General
CF-4205050 An exception occurs when submitting a form with CFGRID. CFForm : HTML
CF-4201599 There is an issue with cfchart. Charting/Graphing
CF-4204356 URL not working on client-side CFCHART Charting/Graphing : Client
CF-4209142 There is a bug in CFChart type=JPG url attribute..
Charting/Graphing : Server
CF-4205181 The Server side charting does not work as expected on a few OS.
Charting/Graphing : Server
CF-4205335 ColdFusion (2018 release) Docker images does not work as expected when using CLI command. Containers: CF Docker Image
CF-4204706 ColdFusion (2018 release) Docker issues.
Containers: CF Docker Image
CF-4207294 UndefinedElementException in Unreachable Code. Core Runtime
CF-4205210 java.lang.VerifyError for code construct within CFC/try-catch (<cfreturn anyFunction({})>). Core Runtime : Parser/Compiler
CF-4209859 Session Replication broken as of Hotfix 8. Core Runtime : Session Management
CF-4207024 CF2016 and CF2018 support for Oracle 19c Database. Database
CF-4210952 Oracle/MSSQL Driver Affected by Proxy Settings in JVM Arguments. Database : Oracle
CF-4209891 User Logged Out Error. Database : Oracle
CF-4207962 "first" and "last" are reserved keywords when used in a Query-of-Queries. Database : Query-of-Query(IMQ)
CF-4204866 CFDump Loss of Formatting. Debugging : CFDump
CF-4204413 CFDump is missing CSS and JavaScript when output is set to false. Debugging : CFDump
CF-4205366 SpreadsheetAddRows throws java.lang.ArrayStoreException when 2d array contains mixed value types. Document Management : Office Integration
CF-4204280 PDF Bug / Inconsistent Rendersing. Document Management : PDF Form
CF-4206454 Throws error when using 'word-break: break-all;' used inside <cfdocument> tag. Document Management : PDF generation
CF-4205907 When converting text to html, if invalid URL in text, cfdocument hangs. Document Management : PDF generation
CF-4198342 cfdocument timeout. Document Management : PDF generation
CF-4206253 SpreadsheetFormatCell does not support underline. Document Management : Spreadsheet
CF-4211081 Uncompressed contents cross maximum permissible size - varies. File Management : CFZip
CF-4207423 File with colon in name has issues DirectoryList() and DirectoryDelete(). File Management : VFS-RAM
CF-4204901 Cannot Perform File Operations Between VFS (RAM) AND S3. File Management : VFS-S3
CF-4207069 Slow startup time in CF2018 update 6 and above. General Server
CF-4204857 The June 2019 updates of CF 2018, 2016, and 11 blocks upload of files with no extension.
General Server
CF-4207690 ArraySort() callback chokes on large numbers returned Language
CF-4207473 Unexpected result when setting inline struct inside function call that's inside a CFIF/CFELSE that's inside a CFOUTPUT query loop Language
CF-4209576 Error assigning UDF as single-expression arrow function Language
CF-4208310 Elvis Operator is not thread safe Language
CF-4208572 Validation is occurring for variable inside Language
CF-4206046 UDF instances are not thread safe to execute in separate threads Language
CF-4204292 ReplaceNoCase doesn't properly handle 2-byte characters (emojis) Language
CF-4204882 Argument is not treated as a struct by Query functions Language
CF-4206045 Closure instances are not thread safe to execute in separate threads Language
CF-4204992 Safe Navigation errors if key is a "reserved keyword" Language
CF-4206403 Certain syntax breaks the interpreter (compiler) Language : Application Framework
CF-4211056 Default sameformfieldsasarray value Language : Application Framework : ApplicationCFC
CF-4205918 sameFormFieldsAsArray incorrectly deserializes form values containing commas Language : Application Framework : PerAppSettings
CF-4206329 After installing Update 13, component initialization fails Language : CF Component
CF-4207025 Application.cfc will not recursively resolve cfincludes Language : CF Component
CF-4204865 CFComponent extends path is caching Language : CF Component
CF-4207397 Race Condition (for in loop + single statement + struct notation) Language : CFSCRIPT
CF-4205758 Array slice syntax  does not compile when used in an inner function Language : Closures
CF-4197194 nested arrayEach parent execution context scoping issue Language : Closures
CF-4204632 Invalid Set-Cookie Header Date Format Language : Cookie
CF-4208948 Code Errors When comparing an identical time stamp Language : Expressions
CF-4210924 Undocumented _format() appears to be a proxy of dateTimeFormat() Language : Functions
CF-4206955 'null' returned from function always returning an array Language : Functions
CF-4210721 IsValid Email Incorrectly Returns True for Invalid Email Addresses Language : Functions
CF-4210722 Specific String of characters causes getSafeHTML function to error without error flag on Language : Functions
CF-4205212 ArgumentCollection accepts array in invoke()/cfinvoke but not direct method calls. Language : Functions
CF-4205911 'null' passes typed array validation even with null support disabled Language : Functions
CF-4203844 ListDeleteAt remove last symbol instead of entire delimiter. CF 2018 Language : Functions
CF-4211048 No Increment of the index in cfloop Language : List Functions
CF-4204007 DecodeFromURL does not decode %2B as + Language : String Functions
CF-4205209 java.lang.VerifyError thrown for a specific code construct within a CFC Language : Tags
CF-4204516 isValid("email") and isValid("url") treat Unicode Domain Differently Language : Validation
CF-4205377 Caught CFLDAP exception shows up in exception.log Net Protocols : LDAP
CF-4203461 CfScript ORM mapping annotation for param/sequence does not work ORM Support
CF-4204880 Dateformat() performs poorly under load due to internal NumberFormatExceptions Performance
CF-4206777 Performance Monitoring Toolset - Unresponsive alert thresholds incorrect PMT
CF-4207758 PMT failed to start the service from Windows service manager after adding 170+ instances. PMT
CF-4208156 [PMT Group]  CF node is exhibiting an unexpected behavior if it is added to a group that has a space in its name(group name). PMT : Grouping
CF-4210932 In PMT, CPU Usage/ Process Memory data is not coming on Solaris platform PMT : Non-Request Metrics
CF-4205607 [PMT Alerts] Receiver email address field does not accept comma-separated email addresses PMT : Settings
CF-4210933 Update workflow support in PMT 2018 PMT : Update Workflow
CF-4210060 Trusted Cache Breaks REST Service REST Services
CF-4202597 Per-app mappings don't exist in REST CFCs REST Services
CF-4208840 When editing a scheduled task in CF Admin, the start defaults to today's date even when it was set to something on creation Scheduler
CF-4203917 ColdFusion 2018 flags erroneous warnings for properties in server.xml Web Container (Tomcat)
CF-4210569 Invalid warnings in coldfusion-error.log about protocol attribute of Tomcat HTTP and AJP connectors Web Container (Tomcat)
CF-4206375 SSL Peer Unverified Exception with Wildcard Certificate Web Services
CF-4207558 cfinvoke fails when calling service with returnType of "any". Web Services : Axis 2
CF-4199597 WebSocket messages sent to client are truncated at semicolons. Web Socket : WebSocket Proxy

Known issues

  • After installing Update 11, in a CFML code, the Elvis operator isn't working as expected. As a workaround, clear the template cache and refresh the classes.


  1. On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
  2. If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
    • http.proxyHost
    • http.proxyPort
    • http.proxyUser
    • http.proxyPassword
  3. For ColdFusion running on JEE application servers, stop all application server instances before installing the update.


For instructions on how to install this update, see Server Update section. For any questions related to updates, see this FAQ

  • The update can be installed from the Administrator of a ColdFusion instance or through the command-line option.
  • Windows users can launch the ColdFusion Administrator using Start > All Programs > Adobe > Coldfusion 2018 > Administrator.
  • Windows 10, Windows Server R2 2012, and Windows Server 2019 users must use the “Run as Administrator” option to launch wsconfig tool at {cf_install_home}/{instance_name}/runtime/bin.
  • If you get the following error when installing the update using the Download and Install option, ensure that the folder {cf_install_home}/{instance_name}/hf_updates has write permission: "An error occurred when performing a file operation write on file {cf_install_home}/{instance_name}/hf-updates/".
  • The connector configuration files are backed up at {cf_install_home}/config/wsconfig/backup. Add back any custom changes made to the file after reconfiguring the connector.

Installing the update manually

  1. Click the link to download the JAR.
  2. Execute the following command on the downloaded JAR. You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.

    Windows: <cf_root>/jre/bin/java.exe -jar <jar-file-dir>/hotfix-011-326016.jar

    Linux-based platforms: <cf_root>/jre/bin/java -jar <jar-file-dir>/hotfix-011-326016.jar

Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.

Install the update from a user account that has permissions to restart ColdFusion services and other configured webservers.

For further details on how to manually update the application, see the help article.

Post installation


After applying this update, the ColdFusion build number should be 2018,0,11,326016.

Post installation, we recommend rebuilding or reconfiguring your connector.

Note: This holds true only if you have applied Update 11 without applying Update 8.

If you see Error 503 or Error 403 when firing up your websites, see the troubleshooting steps.


To uninstall the update, perform one of the following:

  • In ColdFusion Administrator, click Uninstall in Server Update Updates Installed Updates.
  • Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2018-00011-326016/uninstall /uninstaller.jar

If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:

  1. Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
  2. Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2018-00011-326016}/backup directory to {cf_install_home}/{instance_name}/

Connector configuration

2018 Update Connector recreation required
Update 11 Yes
Update 10 Yes
Update 9 Yes
Update 8 Yes
Update 7 No
Update 6 Yes
Update 5 Yes
Update 4 No
Update 3 No
Update 2 Yes
Update 1 Yes