If you attended, you probably met some of our team out there where we launched FusionAnalytics:

FusionAnalytics is the ultimate ColdFusion Application and server analysis tool. FusionAnalytics is all about “Making IT Better” and giving you the information and data to help you make better business decisions, improve application performance and quality of your applications as well as measure exactly how your applications are performing on a continuous day to day basis.

Shortly before MAX, we’d also released FusionReactor v4 with a massive set of new features including the command-line installer for headless systems, AMF decoding, FRAM (for simplified upgrades & administration) and the awesome detailed heap (and other) memory space monitoring.

FusionAnalytics has received a fantastic response from the community including an unprecedented number of pre-sales. We’re hot on the development with new features such as spider/bot analysis on FusionAnalytics so there’s plenty of great things to come.

We also want you to have your say in what features you’d like to see in the product suite. Vote on some of our ideas or even add your own at our uservoice site – http://fusionreactor.uservoice.com/

Hopefully you’ll all find this a good starting point on how to keep your server monitoring solution secure.

We look forward to meeting you at Scotch on the Rocks (SOTR) this Thursday and Friday – 3/4 March in Edinburgh, Scotland!

SOTR ColdFusion conference brings you current informative content and sessions to enhance, enrich and excite you. The wide range of topics and presentations this year is a reflection of the rapidly progressing and growing area of ColdFusion, and includes related development and wider industry topics, so is also suitable for those in the wider development community.

David Tattersall – Managing Director and David Stockton – Technical Consultant will be there to answer any questions you might have about our products and services. In addition, David Stockton will be giving a session on how to sort out your legacy applications. You can read more about the presentation below.

The road to sanity – sorting out your legacy applications
Thursday 3.March 13:30 – 14:30

We can help make your life easier! With our unique tooling combination of FusionReactor, FusionDebug and the jewel of in the crown FusionAnalytics – we will demonstrate how you can quickly focus on and correct your legacy application stability issues and proactively improve quality, performance and reliability over time.

History

The bug is in the JVM (it has been since ~2001) and so ColdFusion running on Sun JVMs are affected.
Someone out there has obviously made the link between the same issue happening in PHP and brought this issue to light again ( http://bugs.php.net/bug.php?id=53632 ). There’s a Java related discussion happening here: http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/

How to reproduce

To have the bug show, you must call the parseDouble() method of the java.lang.Double class. There are several ways this can happen. Many people are discussing this as a vulnerability that can be executed at the HTTP header level like so:

Accept-Language: en-us;q=2.2250738585072012e-308

However, this requires a call to HttpServletRequest’s getLocale() method, something that isn’t done trivially on a JRun4, CF 9.0.1 instance (even when calling the ColdFusion function “getLocale()”). Thus, to show this problem, you must do something like…

#GetPageContext().getRequest().getLocale()#

… within your ColdFusion page.

From our experience, a more likely attack could be performed with code like this:

<cfparam name="URL.pageNum" default="1" />
<cfparam name="URL.itemsPerPage" default="10" />
<cfquery name="qProducts" datasource="mysql_dsn">
    SELECT * FROM products
    LIMIT #((URL.pageNum-1) * URL.itemsPerPage) + 1# , #URL.pageNum * URL.itemsPerPage#
</cfquery>

The problem here is “URL.pageNum-1“. This calculation causes a call to parseDouble() behind the scenes which means that if the page were called with “page_name.cfm?pageNum=2.2250738585072012e-308” then the thread would hang in an infinite loop.

What doesn’t show the issue?

Note that in this example, “URL.itemsPerPage” could also cause the issue because it is used in the multiplication calculation. If the variable were not used in any calculations but only output, it would not show the issue. This example does NOT show the problem:

<cfset x = 2.2250738585072012e-308 />
<cfoutput>#x#</cfoutput>

What can you do?

Short term

If you have FusionReactor installed and configured with CrashProtection enabled and configured, the threads can be automatically killed by FusionReactor, saving your server from almost certain failure. To do this, enable Crash Protection and configure a “Request Timeout” value and set it to use the “Abort and Notify” strategy. This will cause requests taking longer than this time to quit – even if they are stuck in the infinite loop bug as in this scenario.

For those of you who are wondering, this is NOT the same as the ColdFusion timeout mechanism and so the ColdFusion page timeout alone will not help you in this scenario.

It’s good practice to have FusionReactor installed and Crash Protection enabled because it can save you from a lot of these issues without you needing to do anything.

Long term

I’m sure Oracle/Sun will offer a new update in due course. However, you can also download the “Java SE Floating Point Updater Tool”:
Download: http://www.oracle.com/technetwork/java/javase/downloads/index.html#fpupdater
Read Me: http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html

Further Help

If you’re in need of help updating your JVM and/or patching it then we can offer assistance in this area from as little as $700. The FusionReactor product is available from as little as $179 and contains a wealth of other features – the majority of which are not covered by the ColdFusion Server Monitor – http://www.fusion-reactor.com/fr/ for more information.

Notes

This article refers to JRun4, CF9 installations. The issue is apparent on a wide variety of Java platforms (we offer consulting for most Java environments) and is more prevalent on Tomcat installations (which includes JBoss).

References

Official security alert (CVE-2010-4476): http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html

If that wasn’t you and your pager/cell was lit up brighter than the Christmas tree then perhaps you should already be speaking to us! We offer a professional consulting service using Adobe certified engineers with a minimum of 10 years experience. Our engineers are highly skilled and our experience in a wide range scenarios allow us to quickly and accurately diagnose the root cause of server issues. We can handle issues including networking, database, web-server, application server and code-level plus a lot more. So if you’re in need of help then get in touch now – http://www.cfconsultant.com/contact/

If you’re sitting feeling smug right now then that’s great news! Equally, you want to be the happy one next holiday break so why not take a server review service from us. Our server reviews typically cover a range of areas including CF configuration, JVM configuration, OS optimizations and page performance including JDBC breakdown.
Your issues will be classified by and marked by severity allowing simple prioritization. We can additionally include plans to resolve any problems found including time-estimates. This service is typically provided remotely and duration/cost will depend on the complexity of your platform. Get in contact with us now to secure a quote – and your servers future!

http://www.cfconsultant.com/contact/

Through a combination of factors – including our geographically distributed team – we can still offer consulting services over the holiday season.

Having said that, those with a pro-active attitude can save themselves some money, time and stress with some simple tips:

• Plan
  • It sounds obvious but releasing code on at 5pm Christmas Eve is probably asking for trouble!
• Test
  • Make sure you’re testing your code – from unit testing to load testing, the tools to help are available for a reason.
• Monitor
  • Keeping an eye on your server is one thing, but if you don’t react then you could be in big trouble.
  • Using a tool like FusionReactor ( http://www.fusion-reactor.com ) can help identify issues before they become a problem.
  • FusionReactor has several features that can help you work pro-actively even when un-attended. Setting up good crash-protection settings can keep you alerted via email or even react to prevent your server failing in the first place.
• When all hope is lost…
  • Sometimes, bad things happen. If your application server fails, you don’t want your users to have to wait 3 days for someone to restart a service. FusionReactor Enterprise edition has a feature called “Enterprise Scripting”. This lets you configure scripts to run when a service fails to respond within given parameters. For example, if your server is polled every 5seconds and fails to respond to 5 polls in a row, you may want to restart the service. What’s more, FusionReactor includes the scripts to do just that – even from a remote machine requiring authentication. Just look inside the <FusionReactor Installation Direction>\etc\cp\ folder where you’ll find a bunch of scripts for *nix and Windows environments along with a helpful Readme.txt – or you can refer to the online help.
  • With prices starting from less than $0.50/day there’s no reason any server should be lonely without FusionReactor this holiday season!

Have a great holiday and we look forward to seeing you in 2011 with our new “jewel in the crown” to the Fusion product suite, FusionAnalytics!

We left off last week just after I had installed the FusionDebug plug-in to Eclipse. I was surprised at how quick it was to install FusionDebug.  Within just a few minutes I was ready to debug my CFML application on a ColdFusion 9 developer server.

At the start of this week, I was issued a new project to create a ColdFusion application that interacts with the Harvest time tracking software. Harvest provides an API that is well documented for PHP, Ruby, Pearl etc. but not for ColdFusion!  All that is provided is a simple URL based API that returns XML data once a request has been made.  I know I can use CFHTTP to send the request, but the structure of the XML returned is a mystery.

I began my investigation by using the built-in debugging feature <CFDUMP>. By passing the parsed XML to CFDUMP it presents you with the XML structure and the data within it, this is what I got.



I am a web developer; I like to see my XML looking like XML. I don’t want to see a formatted table, I want to see raw XML so I can easily use the data.

I thought about how I could get the raw XML. I didn’t want to write anymore CFML code.  As readers from last week will know, I am new to CFML and still learning, so I don’t feel confident creating code to print out this XML to the screen. It also seems like a waste of time as the application does not require the raw XML to be printed to the screen. So, I fire up FusionDebug.

I discovered this by accident, but I am glad I did! By pausing the application just after you make the CFHTTP query you can actually see all the elements that the request returns! You can see in the image below where I positioned my breakpoint.

As soon as the breakpoint is hit in the code, FusionDebug displays all the variables currently set. When you make a CFHTTP request this creates a variable called CFHHTP.  CFHHTP contains information about the request that has been made, including “Filecontent”. This is where the raw XML I was looking for is stored. Below you can see that by selecting “Filecontent” Eclipse displays the XML that was returned.

Now I know the exact structure of the XML without any ColdFusion formatting making things hard to read. FusionDebug has proven itself to me as a learning tool. I can use FusionDebug to work with API data I don’t understand. It helped me to learn how the XML data was structured and how I can use that to perform my required tasks. Over the last week I have used FusionDebug on several occasions.

Next week I will discuss some even more inventive ways of using FusionDebug to make life as a CFML developer easier.

Twitter: http://twitter.com/FusionDebug
Facebook: http://on.fb.me/cvYlCp
Youtube: http://www.youtube.com/fusiondebug

As the new web guy here at Intergral it is my job to maintain our public sites as well as our internal system known as FusionOrders.  Our system is written in ColdFusion, so the Team recommended that I install and use FusionDebug.  I have never used a code debugger, why would I need one?! We are all super coders, we don’t need such things!

Over the next few weeks I will be installing, using and learning why I need a CFML step debugger. At the same time I will be evaluating the FusionDebug user experience.  If I can’t find the information online, you can’t either!  Difference is I have access to do what I like to the website. If the process is not fluid, I’m going to change it!

Today I took some time to install and configure FusionDebug with Eclipse, this is the primary IDE used here at Intergral to develop our products.
As you may or may not know, there are a two ways you can install FusionDebug.  I tried both – and immediately became a fan of installing FusionDebug by using the Eclipse plug-in manager – which I will explain below.  For our next version release (coming soon!), I have recommended we provide this download option as the primary way to download and install FusionDebug. I will remove the complete IDE installer as I found it confusing.

Step by Step as I Install FusionDebug

I boot up Eclipse after installing it and begin to read, to find that the installation instructions on the FusionDebug website are not updated for the latest version of Eclipse. These instructions will soon be updated on the FusionDebug website!
After spending a few moments trying to figure out what is going on, I finally work out that the new version of Eclipse has a new name for the plug-in manger.  I added the FusionDebug update site to my new package installer interface and hit next, everything went great. FusionDebug is now installed and ready to go!
The installation of FusionDebug using the Eclipse Update Site is really simple; it takes less than 5minutes

Next week I’ll give you some insight into what I think after my first week of CFML step debugging.

Let me know what you think!

Do you find the FusionDebug install easy or challenging? Let me know on Twitter, Facebook or just reply to this post.

Twitter: http://twitter.com/FusionDebug
Facebook: http://on.fb.me/cvYlCp
Youtube: http://www.youtube.com/fusiondebug

One of our products at this time (used by some of the worlds largest corporations – HP, Philips, etc) was called “Tornado” – this evolved into a product called ShareDox ( http://www.sharedox.com ). The product is a knowledge management solution built on ColdFusion technology.

At the time there were no monitoring tools and thus this led to the now leading monitoring solution – FusionReactor ( http://www.fusion-reactor.com ). So, during the upgrade process to CFMX 6.1 with one of our customers, we started seeing huge CPU usage, hanging threads and various other nasties. At the time this was all quite serious and a major thorn in our sides. Eventually (I believe with some help from our CTO but don’t quote me on that – this was several years ago!) this got resolved and all was calm again. Until today!

Fast-forward 6 years, a move to JIRA and some changes in our business focus – ie our old tracking system is just a distant memory. I started working with a client and getting very distinct feelings of de-ja-vu… CFMX6.1, MS-SQL DB, high CPU, multiple failures per day, hanging threads – essentially a whole heap of stability issues.

Now, I knew I’d seen this before. I knew it was something to do with problematic DB drivers. What I couldn’t remember is how to solve the issue. As you can imagine from a company that’s been doing ColdFusion consulting for over ten years that brought back a lot of issues. A little bit of date filtering and some extra keywords and… result #1 of #5 “ColdFusion MX 6.1: Updated DataDirect drivers for 100% CPU utilization and other issues”.

Of course there are many questions here… why is the customer still on CFMX6.1 amongst others. However, my real point is that tracking is your saviour. In a consulting company like ours we’re truly able to assist more rapidly to a huge variety of issues because generally – we’ve seen it all before. It’s very common for us to have identified, resolved and documented the problem you’re having. This allows us to give you the best value for money on your consulting investment.

My next point of praise goes to Macromedia / Adobe for their KB articles. The KB article still exists today - http://kb2.adobe.com/cps/188/tn_18807.html and moreover the driver download link still works. Not that I cared… we’d tracked the two different driver versions, installation & roll-back procedure plus generated an automated updater process for the entire task – all linked to the ticket.

If knowledge is power and the key to results – you want us on your team! For all your consulting needs – whether issues from 2004 or today, we can help, contact us now.

http://kb2.adobe.com/cps/862/cpsid_86263.html

If you’re looking for assistance in keeping your servers up-to-date then our engineers can help you – just get in touch.