Orange is my favorite color

If you manage a ColdFusion 8 or 9 server, you are likely aware of the complete and total train wreck that is applying security updates from Adobe. Not only are directions vague, but on occasion Adobe likes to go back and modify the security update without changing filenames or rev-ing the version number. It can drive a SysOp to insanity.

So seems to be the mental state of David Epler as he has been driven to build the “Unofficial Updater 2“. It is an Ant script on steroids bundled in a JAR that knows how to go out and fetch all of the updates from and apply them to your CF8 or CF9 server installation.

I’m not going to belabor the awesomness; here’s how to get your server up to date in about 5 minutes:

  1. Start by verifying your current security issues, use Pete Freitag’s for a baseline
  2. Backup your /opt/jrun directory (just be safe): tar -cf /opt/jrun4
  3. Download the Unofficial Updater from
  4. Run it: java -jar Unofficial-Updater2.jar text
  5. Tell it where stuff lives in your installation (it knows how to handle Standalone, Jrun Multi-server and EAR/WAR installs)
  6. Wait about 4 minutes for it to finish grabbing everything and install…
  7. Re-run and BOOM! Rest easy, friend.
  8. Proceed to have David Epler’s baby

Please Adobe, please send David a big check so you can take his IP and use it for your next update, mmmm kay?


  1. Jim Priest said:

    on December 21, 2011 at 5:40 am

    NOW you tell me. :)

    I just spent a few hours yesterday updating a fresh local install of CF9…

  2. David Epler said:

    on December 21, 2011 at 7:38 am


    I’m glad that UU2 helped you out. Just to be clear, it will get you most of the way there on the HackMyCF scan. Things like updating the JVM that CF uses to 1.6.0_24+ and locking down CF still need to be done, but at least the headache of applying the updates is gone.

    No need for a baby, a beer will do just fine.

  3. brian said:

    on December 21, 2011 at 11:34 am

    @Jim – I wish I had known too – I have been putting off updating my server for about 4 months because I knew how heinous it was going to be.
    @David – we can handle the lockdown part… thanks!!

  4. Andy K said:

    on December 21, 2011 at 11:54 am

    I recently found David’s UU2 as well and was astounded that:

    1 — nobody had done this before
    and more importantly
    2 — why the heck did Adobe not include this capability long ago???

    I understand that Zeus may have something similar, but if so and until then, hats off to David for one of the most useful CF projects I’ve ever come across!!

{ RSS feed for comments on this post}