Stump the Chump - Applying JRun Updaters to ColdFusion


From time to time I get questions I can't answer (ok, a lot of times) and I like to share them when I'm interested in the question/answer as well. In order to 'flag' it a bit better for my readers, I'm going to try to remember to prefix the title with "Stump the Chump". This is based on something my buddy Robi Sen told me ages ago. Apparently it's a game you play with a presenter when you just know he is talking about something he doesn't truly understand. As a presenter, that sounds evil. As a person who has attended a few boring presentations in the past - it sounds fun as heck. Anyway, on to the question. Paul asks:

I have a (possibly) simple question: if you have a multi-server installation of ColdFusion MX 7, updated to the latest cumulative hotfix, should you apply any JRun updaters?

We are mainly concerned with security risks. An up-to-date version of CF7 already has JRun Updater 5 applied. Updaters 6 & 7 mention 'security fixes' in their generic summaries, but I don't know if there's anything in them that actually applies to ColdFusion. There doesn't appear to be any recommendation from Adobe about this, and little discussion on blogs and forums, so the general feeling I get is that we shouldn't apply them.

Hopefully my readers know the answer to this. I have minimal experience with JRun. I'm using it now on my Leopard box just to get ColdFusion running, but normally I do the simpler install which hides such things away.


About Raymond Camden

Raymond is a senior developer evangelist for Adobe. He focuses on document services, JavaScript, and enterprise cat demos.

Lafayette, LA

Archived Comments

Comment 1 by Big Mad Kev posted on 1/8/2008 at 12:51 AM

As far as I know Updater 7 is accumulative and thus you can install on any JRun 4 Server.

As for updates for ColdFusion, I think updater 7 is required for CF8.

But by rule of thumb, I tend to update dev, test, qa, staging and then live environments with every update as they come out.

Security on JRun affects CF in that CF is sitting on top of it. If you get what I mean?

Better safe than sorry, all pen testing reports I have seen say patch to the latest level.


Comment 2 by Raul Riera posted on 1/8/2008 at 1:03 AM

Why did you use it for Leopard? Runs just fine on mine, I have to manually start it via terminal, but everything runs great from there.

Comment 3 by Raymond Camden posted on 1/8/2008 at 1:06 AM

@Raul - I forget why - but I know it isn't supported. It's one of the things mentioned for the next CF update, along with 64 bit support.

Comment 4 by Aaron Longnion posted on 1/8/2008 at 3:43 AM

If you haven't already, look closely at the release notes in and

If any of the fixes/enhancements are important to your environment, then you should put together a plan to apply the updater and then regression test your applications (especially look for issues where the updater had made changes that could affect your particular app). Next, as Big Mad points out, it's best to test in dev and staging/test for at least a few weeks before deploying to production. Best wishes!