"ESAPI.properties could not be loaded in any way. Error." calling "Failed to initialize class coldfusion.security.ESAPIUtils"

I have two servers — one production and one development — running ColdFusion 9.0.1 on IIS 7.5 on Windows Server 2008 R2. The two are configured the same way. We have a temporary problem when, after a few weeks or months of unprecedented uptime, some parts of the site (in particular, the CFIDE admin portal and any page with the cfwindow tag) will start throwing "Failed to initialize class errors coldfusion.security.ESAPIUtils" into logs.

Based on some recommendations, I uninstalled and reinstalled all the hot fixes several months ago, five times checking that I was applying them in the correct order and following the correct set of instructions.

This did not fix, but when I was combing the log files, I noticed that another error appeared in the logs related to ESAPI ("ESAPI.properties could not be loaded in any way. Fail."). Restart jRun. I tried adding the following declaration to java.args in jvm.config :

 -Dorg.owasp.esapi.resources=E:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib 

The problem seems to be fixed within a few months; no errors, everything works fine. Then, yesterday, the production server launched the errors again. I tried restarting JRun and restarting the server and the error persists. The development server works fine.

I tried to create a script that simply creates an instance of ESAPIUtils and cfdumps. On dev, it resets metadata about the object; an error occurs on page production.

I am struggling with this problem and have been going on for almost a year. Sometimes it resolves after a few days, sometimes it lasts several weeks. I have yet to figure out a way to “invoke” the condition, so we are stuck with unverified “fixes” that seem to work for a while and then not.

This seems completely tangential, but we had instances in which the built-in function IsImageFile() returns false for valid images. It seems that the weirdness of IsImageFile () begins a little earlier than the madness “Failed to initialize class coldfusion.security.ESAPIUtils”.

The following are server versions:

 ColdFusion Version: 9,0,1,274733 Operating System: Windows Server 2008 R2 amd64 6.1 Web Server Software: Microsoft-IIS/7.5 Java JVM: 1.8.0_05 Oracle Corporation JEE Server: JRun/4.0 Security Hotfixes (9.0.1): APSB13-27, APSB13-19, APSB13-13, APSB13-10, ColdFusion 9.0.1 Cumulative Hotfix 4 (APSB13-03, APSB12-26, APSB12-21, APSB12-06, APSB11-29, APSB11-14, APSB11-04, APSB10-18), ColdFusion 9.0.1 Cumulative Hotfix 3, ColdFusion 9.0.1 Cumulative Hotfix 2, ColdFusion 9.0.1 Cumulative Hotfix 1 Connectors: JRun IIS 64 Bit Connector (Build 108858) 

And the stack trace from cfusion-out.log :

 08/27 11:37:52 Error [jrpp-58] - Could not initialize class 08/27 11:37:52 Error [jrpp-58] - Could not initialize class coldfusion.security.ESAPIUtils The specific sequence of files included or processed is: E:\web\cfadmin\webroot\CFIDE\administrator\index.cfm, line: 30 08/27 11:37:52 error ROOT CAUSE: java.lang.NoClassDefFoundError: Could not initialize class coldfusion.security.ESAPIUtils at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:483) at coldfusion.runtime.java.JavaProxy.invoke(JavaProxy.java:97) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2360) at cflogin2ecfm1599616868.runPage(C:\work\ColdFusion\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\login.cfm:30) at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231) at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416) at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2722) at cfApplication2ecfm1920815415._factor5(C:\work\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\Application.cfm:210) at cfApplication2ecfm1920815415._factor9(C:\work\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\Application.cfm:202) at cfApplication2ecfm1920815415.runPage(C:\work\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\Application.cfm:1) at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231) at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416) at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65) at coldfusion.filter.CfincludeFilter.include(CfincludeFilter.java:33) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:297) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:94) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at coldfusion.CfmServlet.service(CfmServlet.java:201) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at jrun.servlet.FilterChain.doFilter(FilterChain.java:86) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at jrun.servlet.FilterChain.doFilter(FilterChain.java:94) at jrun.servlet.FilterChain.service(FilterChain.java:101) at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106) at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286) at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543) at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203) at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428) at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66) javax.servlet.ServletException: ROOT CAUSE: java.lang.NoClassDefFoundError: Could not initialize class coldfusion.security.ESAPIUtils at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:483) at coldfusion.runtime.java.JavaProxy.invoke(JavaProxy.java:97) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2360) at cflogin2ecfm1599616868.runPage(C:\work\ColdFusion\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\login.cfm:30) at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231) at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416) at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2722) at cfApplication2ecfm1920815415._factor5(C:\work\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\Application.cfm:210) at cfApplication2ecfm1920815415._factor9(C:\work\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\Application.cfm:202) at cfApplication2ecfm1920815415.runPage(C:\work\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\Application.cfm:1) at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:231) at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:416) at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65) at coldfusion.filter.CfincludeFilter.include(CfincludeFilter.java:33) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:297) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:94) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at coldfusion.CfmServlet.service(CfmServlet.java:201) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at jrun.servlet.FilterChain.doFilter(FilterChain.java:86) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at jrun.servlet.FilterChain.doFilter(FilterChain.java:94) at jrun.servlet.FilterChain.service(FilterChain.java:101) at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106) at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286) at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543) at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203) at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428) at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:70) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at jrun.servlet.FilterChain.doFilter(FilterChain.java:94) at jrun.servlet.FilterChain.service(FilterChain.java:101) at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106) at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286) at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543) at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203) at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428) at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)