Twitter: raymondcamden

New ColdFusion Security Bulletin

05-11-2010 3,415 views ColdFusion 10 Comments

Just a quick note to let folks know about a new ColdFusion Security Bulletin: "Security update: Hotfixes available for ColdFusion". See the link for more details. This update covers ColdFusion 8 and higher and impacts all operating systems.


  • Commented on 05-12-2010 at 3:51 AM
    We just applied the 8.01 HF to 2 different dev machines and after restarting CF, <cfquery> could no longer connect to any datasources (errored with datasource exceptions). Verifying all DSNs in the CF Admin worked ok though.
  • Commented on 05-12-2010 at 5:37 AM
    Your best bet is to contact Adobe support. Sorry I can't help more.
  • Commented on 05-12-2010 at 5:46 AM
    Thanks Raymond, but I wasn't expecting help. Just commenting in case anyone else has a similar issue, and warning people to test first before applying to production servers.
  • Commented on 05-12-2010 at 5:47 AM
    Don't you know - I feel guilty if I don't answer every comment here. ;)
  • Yaron #
    Commented on 05-12-2010 at 7:53 AM
    Same thing happened to our server. All you have to do is take down the cf service, remove the shf8010001.jar file from your updates dir (?:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\updates) and restart. Adobe? WTF? People! Always test updates on dev servers first.
  • Commented on 05-12-2010 at 9:22 AM
    I just tried it on our development 8.0 server and nothing broke.

    What server versions did break? I have an 8.0.1 production server and you guys are making me nervous.

    Are there any details on what is vulnerable? Is it just the login.cfm files in CFIDE that the fix replaces? If so, those are not public facing on my production server so I may skip the update.
  • James #
    Commented on 05-12-2010 at 9:36 AM
    Posts on Facebook say that Adobe is looking into the problem.
  • Yaron #
    Commented on 05-12-2010 at 12:37 PM
    Version: 8,0,1,195765
    Edition: Enterprise
  • Paul Karlin #
    Commented on 05-12-2010 at 12:51 PM
    Same problem here with 8.0.1 -- we're uninstalling now. At least we only deployed to testing first!
  • Josh #
    Commented on 05-13-2010 at 10:32 AM
    The fix for the hotfix is out.