- ColdFusion server profiles
- Install ColdFusion
- Configure your system
-
ColdFusion licensing and activation
- About Named User Licensing and Feature Restricted Licensing in ColdFusion
- Glossary of terms in ColdFusion licensing and activation
- Named User License (NUL) in ColdFusion
- Feature Restricted Licensing (FRL)- Isolated in ColdFusion
- Feature Restricted Licensing (FRL)- Online in ColdFusion
- Feature Restricted Licensing (FRL)- Offline in ColdFusion
- Troubleshoot ColdFusion licensing errors
- ColdFusion Licensing and Activation in ColdFusion (2023 release) and earlier
- Install ColdFusion configuration
- Install integrated technologies
- New JVM arguments in 2023 and 2021 updates of ColdFusion
- New JVM arguments in ColdFusion (2025 release)
- CFSetup configuration tool
- Command Line Interface (CLI)
- Central Config Server (CCS) in ColdFusion
- Administer ColdFusion
- Use the ColdFusion administrator
- Data Source Management for ColdFusion
- Connect to web servers
- Deploy ColdFusion applications
- Administer ColdFusion security
- Use multiple server instances
- ColdFusion Administrator API Reference
- Install and configure ColdFusion User Guide
-
Install ColdFusion
- ColdFusion server profiles
- Install ColdFusion
- Configure your system
-
ColdFusion licensing and activation
- About Named User Licensing and Feature Restricted Licensing in ColdFusion
- Glossary of terms in ColdFusion licensing and activation
- Named User License (NUL) in ColdFusion
- Feature Restricted Licensing (FRL)- Isolated in ColdFusion
- Feature Restricted Licensing (FRL)- Online in ColdFusion
- Feature Restricted Licensing (FRL)- Offline in ColdFusion
- Troubleshoot ColdFusion licensing errors
- ColdFusion Licensing and Activation in ColdFusion (2023 release) and earlier
- Install ColdFusion configuration
- Install integrated technologies
Application servers
On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**", in the respective startup file depending on the type of application server used.
For example:
- Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file.
- WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file.
- WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file.
Note: The steps do not apply on a standalone ColdFusion installation.
ColdFusion (2021 release) Updates
After applying the update, your UUID will be reset. However, if you want to reset the ID on every ColdFusion restart for security reasons, follow the steps:
Add the jvm flag -Dcoldfusion.monitoring.id.reset=true
ColdFusion is unable to handle sFTP connections using newer OpenSSH key algorithms like Ed25519. As a workaround, add the following JVM flags:
- -Dcoldfusion.sftp.enable-ssh-rsa=TRUE to enable the ssh-rsa algorithm. The default value of the flag is FALSE.
- -Dcoldfusion.sftp.fingerprint=md5 to set md5. The default value of the flag is SHA256.
- The default encryption algorithm in ColdFusion changes from CFMX_COMPAT to another algorithm for seven encryption functions.
- Use the new JVM argument -Dcoldfusion.encryption.useCFMX_COMPATAsDefault =TRUE to make the change. By default, the value is False, if you need to use CFMX_COMPAT.
- The flag - Dcoldfusion.encryption.useCFMX_COMPATAsDefault will be supported in future security updates for the 2023 and 2021 releases of Adobe ColdFusion.
Note: The flag is removed in ColdFusion (2025 release). View Deprecations in ColdFusion for more information.
Cfdocument access control issues
Introduced a new JVM flag -Dcfdocument.metahttpequivrefresh.localfile=TRUE. This flag allows you to call the URL or location passed in the HTML meta tag. By default, the value is FALSE.
Any URL passed in the meta tag is, by default, blocked. If you want to use it, use the flag -Dcfdocument.metahttpequivrefresh.localfile=TRUE.
We recommend that to do a sanity check of the url before adding it to the meta tag.
Fetch values from the correct scope
Adding the newly introduced flag, -Dcoldfusion.searchimplicitscopes=true to the jvm arguments.
Changes to cfdocument
By default, ColdFusion will now block all protocols, except HTTP and HTTPS when using <iframe src=" "> in the body of cfdocument.
You can allow other protocols using the -Dcoldfusion.iframe.allowedprotocols JVM argument, as shown below:
-Dcoldfusion.iframe.allowedprotocols=file,ftp
- cfclient is disabled by default. ColdFusion has introduced a flag if you want to enable cfclient: -Dcoldfusion.cfclient.enable=true/false
- Enabling the flag will only allow CFCs to be read. To allow other files to be read, set -Dcoldfusion.cfclient.allowNonCfc=true/false
ColdFusion (2023 release) Updates
After applying the update, your UUID will be reset. However, if you want to reset the ID on every ColdFusion restart for security reasons, add the jvm flag -Dcoldfusion.monitoring.id.reset=true, and restart ColdFusion.
ColdFusion is unable to handle sFTP connections using newer OpenSSH key algorithms like Ed25519. As a workaround, add the following JVM flags:
- -Dcoldfusion.sftp.enable-ssh-rsa=TRUE to enable the ssh-rsa algorithm. The default value of the flag is FALSE.
- -Dcoldfusion.sftp.fingerprint=md5 to set md5. The default value of the flag is SHA256.
- The default encryption algorithm in ColdFusion changes from CFMX_COMPAT to another algorithm for seven encryption functions.
- Use the new JVM argument -Dcoldfusion.encryption.useCFMX_COMPATAsDefault =TRUE to make the change. By default, the value is False, if you need to use CFMX_COMPAT.
- The flag - Dcoldfusion.encryption.useCFMX_COMPATAsDefault will be supported in future security updates for the 2023 and 2021 releases of Adobe ColdFusion.
Note: The flag is removed in ColdFusion (2025 release). View Deprecations in ColdFusion for more information.
Cfdocument access control issues
Introduced a new JVM flag -Dcfdocument.metahttpequivrefresh.localfile=TRUE. This flag allows you to call the URL or location passed in the HTML meta tag. By default, the value is FALSE.
Any URL passed in the meta tag is, by default, blocked. If you want to use it, use the flag -Dcfdocument.metahttpequivrefresh.localfile=TRUE.
We recommend that to do a sanity check of the url before adding it to the meta tag.
Fetch values from the correct scope
Adding the newly introduced flag, -Dcoldfusion.searchimplicitscopes=true to the jvm arguments.