New ColdFusion Security Bulletin


Just a quick note to let folks know about a new ColdFusion Security Bulletin: Security update: Hotfixes available for ColdFusion. See the link for more details. This update covers ColdFusion 8 and higher and impacts all operating systems.


About Raymond Camden

Raymond is a senior developer evangelist for Adobe. He focuses on document services, JavaScript, and enterprise cat demos. If you like this article, please consider visiting my Amazon Wishlist or donating via PayPal to show your support. You can even buy me a coffee!

Lafayette, LA https://www.raymondcamden.com

Archived Comments

Comment 1 by Julian Halliwell posted on 5/12/2010 at 12:51 PM

We just applied the 8.01 HF to 2 different dev machines and after restarting CF <cfquery> could no longer connect to any datasources (errored with datasource exceptions). Verifying all dsns in the CF Admin worked ok though.

Comment 2 by Raymond Camden posted on 5/12/2010 at 2:37 PM

Your best bet is to contact Adobe support. Sorry I can't help more.

Comment 3 by Julian Halliwell posted on 5/12/2010 at 2:46 PM

Thanks Raymond, but I wasn't expecting help. Just commenting in case anyone else has a similar issue, and warning people to test first before applying to production servers.

Comment 4 by Raymond Camden posted on 5/12/2010 at 2:47 PM

Don't you know - I feel guilty if I don't answer _every_ comment here. ;)

Comment 5 by Yaron posted on 5/12/2010 at 4:53 PM

Same thing happened to our server. All you have to do is take down the cf service, remove the shf8010001.jar file from your updates dir (?:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\updates) and restart. Adobe? WTF? People! Always test updates on dev servers first.
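The rollback described in the comment above, as an added PowerShell example (not code from the post or from the commenter): stop the service, move the hotfix jar out of the updates directory instead of deleting it, restart, and confirm the service is running again. The Windows service display name, the drive letter and the backup folder are assumptions, not values from the page.

```powershell
# Added example: roll back the ColdFusion 8.0.1 hotfix jar named in the comment above.
# Assumed (not stated on the page): the service display name, the drive letter, the backup folder.
$ServiceDisplayName = 'ColdFusion 8 Application Server'   # assumed display name
$UpdatesDir = 'C:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\updates'  # drive letter assumed
$HotfixJar  = Join-Path $UpdatesDir 'shf8010001.jar'
$BackupDir  = 'C:\cf_hotfix_backup'   # assumed location

if (-not (Test-Path $HotfixJar)) {
    Write-Host "Hotfix jar not present at $HotfixJar; nothing to roll back."
    return
}

$svc = Get-Service -DisplayName $ServiceDisplayName

# 1. Stop ColdFusion and wait until the service has actually reached Stopped.
Stop-Service -InputObject $svc
$svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# 2. Keep a timestamped copy of the jar rather than deleting it, so it can be
#    restored once a corrected hotfix has been tested on a dev box.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Move-Item -Path $HotfixJar -Destination (Join-Path $BackupDir "shf8010001.jar.$stamp")

# 3. Restart and confirm the service came back before handing the server over.
Start-Service -InputObject $svc
$svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
Write-Host "ColdFusion restarted; re-verify datasources in the CF Administrator before returning the server to use."
```

Run it from an elevated PowerShell session on the affected server; if the service is registered under a different display name, adjust `$ServiceDisplayName` first (`Get-Service | Where-Object DisplayName -like '*ColdFusion*'` lists what is installed).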

Comment 6 by Chad posted on 5/12/2010 at 6:22 PM

I just tried it on our development 8.0 server and nothing broke.

What server versions did break? I have an 8.0.1 production server and you guys are making me nervous.

Are there any details on what is vulnerable? Is it just the login.cfm files in CFIDE that the fix replaces? If so, those are not public facing on my production server so I may skip the update.

Comment 7 by James posted on 5/12/2010 at 6:36 PM

Posts on Facebook say that Adobe is looking into the problem.

Comment 8 by Yaron posted on 5/12/2010 at 9:37 PM

Version: 8,0,1,195765
Edition: Enterprise

Comment 9 by Paul Karlin posted on 5/12/2010 at 9:51 PM

Same problem here with 8.0.1 -- we're uninstalling now. At least we only deployed to testing first!

Comment 10 by Josh posted on 5/13/2010 at 7:32 PM

The fix for the hotfix is out.

http://kb2.adobe.com/cps/84...