Just a quick note to let you know that a security bulletin was just released for ColdFusion. Details below.
(This post is more than 2 years old.)
Security Bulletin for ColdFusion
Support this Content!
If you like this content, please consider supporting me. You can become a Patron, visit my Amazon wishlist, or buy me a coffee! Any support helps!
Want to get a copy of every new post? Use the form below to sign up for my newsletter.
Archived Comments
Isn't it about time they worked out an easier patch routine. The instructions on the tech notes make my head hurt ..
"Note: CFIDE.zip and WEB-INF.zip included in the hotfix contains only part of the CFIDE and WEB-INF files. Do not rename present CFIDE or WEB-INF folders to create a backup as per the instructions. "
then later on ...
"Go to {CFIDE-HOME} and make a backup of CFIDE folder."
I agree. I'd love to see updated builds - at least for the latest CF. I'd like one CF901 that had the CHF + Security all rolled in.
Unzipping sub-directories and copying files, you have to be kidding. I did it, but why not an executable installer that did the backups and file copies? I liked the addition of the uploading of the update JAR, but they need to come up with something better for these file updates, very poor.
Did anyone else notice that after the patch was applied that some significant session issues arose?
If you have a directory such as: /somedirectory/ that has an Application.cfm file, then have another directory such as: /somedirectory/child/ that also has an Application.cfm file and both Application.cfm files enable session management (with different application names of course), when you create a session under /somedirectory/child and then open a new window or tab pointing to /somedirectory your session under /somedirectory/child is destroyed.
If you access a site on the same server under /anotherdirectory there are no problems, but session instances in a nested directory structure appear to be overriding one another regardless of application name.
I confirmed this after installing the hotfix on eight different servers. As soon as I rolled-back the hotfix, the problem went away on all eight.
I haven't had a chance to test this Joshua but I've shared it with other Adobe CF ACPs.
We are also experiencing this same problem: all our sites that are relying on more than one application per domain are now completely broken!
It seems unbelievable that nobody at Adobe noticed a bug this big before releasing such an important Security Hotfix...
FYI, Shilpi posted a possible workaround on her blog here:
http://shilpikm.blogspot.co...
The idea is to explicitely create the CFID and CFTOKEN in the directories that are using another cfapplication in order to "scope by path" the session.
I'll give this approach a try and post my findings here soon.
Thanks for posting this Nigauw.
OK, I tried Shilpi's idea and it seems to work now!
I've set up a test where two folders have their own Application.cfc, with the following:
<cfscript>
this.name = "#cgi.path_info#"; //this makes the app name unique
this.applicationTimeout = createTimeSpan(0,1,0,0);
this.clientmanagement= true;
this.loginstorage = "session" ;
this.sessionmanagement = true;
this.sessiontimeout = createTimeSpan(0,1,0,0);
this.setClientCookies = true;
this.setDomainCookies = false;
this.scriptProtect = "all";
</cfscript>
<cffunction name="onSessionStart" output="false">
<cfcookie name="CFID" value="#SESSION.CFID#" domain=".#cgi.http_host#" path="#listDeleteAt(cgi.path_info,listLen(cgi.path_info,'/'),'/')#">
<cfcookie name="CFTOKEN" value="#SESSION.CFTOKEN#" domain=".#cgi.http_host#" path="#listDeleteAt(cgi.path_info,listLen(cgi.path_info,'/'),'/')#">
</cffunction>
When you hit a page in folder_1 and then reload that same page, the SESSION.CFID and SESSION.CFTOKEN remain stable.
The you hit a page in folder_2 and you get a new CFID and CFTOKEN for that second application.
If you go back to folder_1 and reload your page, the original session vars are still there.
So far, so good.
Important note: this ties an application to its root folder: if you try to access the session variables of that application from another folder or from a subfolder, it won't work.
What a mess... This new behavior/bug introduced by the hotfix breaks code that had been running untouched for close to ten years, as well as code written last month.
Does anyone's Server Monitor work after applying this fix? Ours doesn't. It looks like there is also a new option for Monitoring Settings that was added as well, which also errors out.
We've been forced to roll back this hotfix as it's caused too much trouble. Details on Shilip's blog: http://shilpikm.blogspot.co...
The hotfix page http://kb2.adobe.com/cps/89... says it was updated on 2011-2-16. The last modified date for the CF801.zip and CF901.zip files is now 2/16/2011 6:37 PM PST. Does anyone know what changed?
I've asked on a private list if we can get clarification.
We too have rolled back this update because of the session issue. If it wasn't for the comments on this blog, I wouldn't have known what the heck was going on, except that the fix broke my apps. Now my question is: Assuming there is a CF 9.0.2 or something, are these fixes going to be in that, meaning I won't be able to update without implementing the work-around mentioned here for every app on my server? Guess I should start now...
Marc, Ray: any idea if the recently updated modification date means the bug-within-the-corrective-patch has been recognized and fixed?
I've yet to get official word. Sorry.
Official word it was just a minor edit in instructions.
OK, good to know - thanks.
Do you think we can assume that the problem is acknowledged and someone's working on it?
No - you need to ensure you log a bug and if you have a support plan I'd call it in. Be the squeaky wheel.
Although wait - it looks to me like this was a session fixation issue and it is fixed now. I can see how it breaks apps - but if it closes up a security hole then isn't it better it is fixed?
@Ray, not if it means our users can't log in because the fix is causing their sessions (CFID/TOKENs) to be lost between requests. And yes we have changed to cookies to domain cookies where necessary (not all our domains have multiple apps), and it made no difference: sessions were being intermittently lost. Rolling back the hotfix stopped the problem.
Ok - then best I can suggest is what I said before - raise it with Adobe Support "officially".
You're right, Raymond, should have done so before.
http://cfbugs.adobe.com/cfb...
Oddly, we found that enabling J2EE sessions fixed the session 'n' application name exclusivity issue caused by this patch
We applied the HOTFIX in questions and when NESSUS ran its regular scheduled programming, we receivied an errror. NESSES tried to navigate to: \CFIDE\wizards\common\_logintowizard.cfm page.
The following is a snippt from the error message: Element ESAPIUTILS is undefined in a Java object of type class [Ljava.lang.String;.
The error occurred on line 55.
Anyone else out there with this one?
@Mike: Isn't that a bug you can ignore?
Glad I decided to google ESAPIUTILS, and found this discussion. I got a site-wide exception notice with the same error as Mike Thomas noted. It was on our DMZ server, so it worried me. Even more so when I noticed the cfdump of Error.TagContext that my site-wide handler includes. The first item had ?? as the value for ID, and the path for TEMPLATE is C:\work\ColdFusion\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\styles.cfm:55
There is no c:\work on my server. I would like to know how that could be. In the meantime, I decided to remove the wizards folder altogether. What is it needed for?
I ran the hotfix for v8.01 on my dev machine and everything seems to be working without a problem, but what should the version number be now. On my dev box the version number is 8,0,1,195765. My production box (not updated yet) has the same version number.
I just saw on http://www.petefreitag.com/... that the hotfix has been updated today with fixes and everyone should reapply it! Also Shilpi from the Coldfusion team has posted a blog entry about it http://shilpikm.blogspot.co...
I'm guessing the reason they added the option to completely turn off the fix for Session Fixation is just in case any other unexpected problems show up.
The updated HotFix still doesn't work for us: clients started losing sessions again as soon as we applied it. But using the new JVM switch to turn off the Session Fixation part of the fix did correct it, which means we don't have to roll back the whole HF. But it still means that particular vulnerability is unpatched.
I can also confirm that this problem still exists. Here is the following way I was able to reproduce the problem:
I am using Application.cfm on CF 8 and have the following code in that file:
<cfapplication
...
applicationtimeout="#CreateTimeSpan(2,0,0,0)#"
clientmanagement="false"
sessionmanagement="true"
sessiontimeout="#CreateTimeSpan(0,1,0,0)#"
setclientcookies="false"
setdomaincookies="false"
scriptprotect="URL,CGI,COOKIE">
<!--- set more secure cookie handeling --->
<cfif NOT IsDefined("COOKIE.CFID") OR NOT IsDefined("COOKIE.CFTOKEN")>
<cfheader name="Set-Cookie" value="CFID=#SESSION.CFID#;path=/;HTTPOnly">
<cfheader name="Set-Cookie" value="CFTOKEN=#SESSION.CFTOKEN#;path=/;HTTPOnly">
</cfif>
We do this to protect our session cookies as per: http://www.petefreitag.com/...
When i persons session times-out, I this bug still happens and they can't login without having to delete their cookies from their browser.
-J
To follow up on my previous post, It appears that it works fine if you have clientcookies=true, but of you set that yo false and manually set the CFIF and CFTOKEN cookies, then thats where there are issues.
Hi Jay,
This is because of the following -
1. You have set setClientCookies=false
2. In the code to set Cookies, you have following condition -
<cfif NOT IsDefined("COOKIE.CFID") OR NOT IsDefined("COOKIE.CFTOKEN")>
Now if users don't delete the old cookies and with the above condition, old Cookie value will always be found and if ColdFusion does not find an active session for this request, it will start a new one. However these new values are never set to Cookies.
You can probably change the check before settings the cookies to match the value from Cookie and Session. If the values don't match, then you reset the cookie as well.
Hope this helps.
Shilpi
ColdFusion Team
Happy to report we've identified the problem and the Hotfix is now working for us. In a nutshell: CF will no longer use existing CFID/CFTOKEN cookies when creating new sessions.
I've written up the problem and solution at http://cfsimplicity.com/4/c...
We are getting the following when trying to get to the cfadmin url. this is on CF 8.0. We've reapplied the hot fix, and it was the the most recent. Any insight into how to get this fixed? Getting the same issue on certain sites when trying to login to secured areas.
java.lang.NoClassDefFoundError: Could not initialize class coldfusion.security.ESAPIUtils
@Michael Kane - were you able to find a fix for your cf9 box?
Ryan, I have not learned much more about the ESAPIUtils error, or why my server said it came from a template in a path that has never existed on that server. But it was more or less moot, because I removed the wizards folder altogether. I haven't found out what that folder is needed for, either. But it seems unnecessary and undesirable to have on a production server.
I am attempting to run the 8.0.1 updater for my Cf installation.
After the update (multiserver) occurs, websites seem to work fine, but I am unable to get to the cf administrator interface.
Just a blank screen shows up.
When I view source on the blank page, I see this root cause listed: applet error.
Element ESAPIUTILS is undefined in a Java object of type class
If anyone has any assistance they can offer, please let me know. I need to get this update and subsequent hot fixes in place before 8/19 (pci check).
The 8.0.0 security hot fix broke my cfgrid from displaying correctly. Worked great before that.
current update level I'm at:
Update Level /C:/JRun4/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/cfusion/lib/updates/hf800-00002.jar
Lisa - don't have a solution for you - you try Adobe support yet?
Yes, posted there also, waiting on some type of response.
As several people posted here, the documentation is lacking a bit. Would be nice if they would just create an upgrade file that really did the upgrade.
I have a cf8 installation, but see at this post, http://www.forta.com/blog/i...,
that even on cf9 installations, the hot fixes busted up the admin interface.
thanks for the response.
As has been announced, future versions of ColdFusion is going to make this a LOT easier.
I have the same problem. This security update has totally broken the admin interface on a vanilla CF 8.0.1 install.
java.lang.ClassNotFoundException: coldfusion.security.ESAPIUtils
Thanks ray, but future versions cost upgrade money and unfortunately, in this economy, we're not spending that amount of money.
Really, adobe should fix this with these 2 existing versions since they have downloads for them.
The only reason I am trying to do the upgrade is for security fixes. The last one I applied for 8.0.0 broke by cfgrid cfcs.
This fix is in the 8.0.1 hotfix 1, which I cannot apply to an 8.0.0 installation.
@Lisa: I do agree, it could be better. Just saying it's (eventually) going to get there.
Count me in as another poor fool trusting this hotfix.
"ESAPIUTILS is undefined in a Java object" etc., breaking the cf admin interface.
Hi Lisa,Paul,James,
Can you please confirm at what location the hf jar is placed and also in "<cfserver-home>/lib/updates" which all files are present?
We at not seeing this error at our end.
Thanks & Regards,
Shilpi
@Shilpi:
It appears to have resulted from installing multiple hotfixes in an incorrect order. Specifically, installing the hf801-1878.jar or hf801-1875.jar _after_ the hf801-00002.jar had already been installed.
I was doing a wave of hotfixes this week for a PCI compliance process, and it wasn't immediately obvious to me that there was an order dependency. Once I had a chance to think about it a bit more, it seemed relatively obvious that there was a conflict between updates; additional evidence was provided when I re-read the release notes for hf801-00002 and noticed the list of jars to remove.
I think hf801-1875.jar should probably be added to that list of jars to remove, although I didn't absolutely confirm it; I've done enough experimenting in that environment for this week.
Thanks!
Thanks a lot for confirming James. We will verify this on our end.
I applied Hofix 2 for coldfusion 9.0.1 and am receiving the "Class not found: coldfusion.security.ESAPIUtils" error when trying to launch CF administrator. It appears coldfusion itself is working...but I can't launch the cf administrator. Any ideas? I've rolled back and reinstalled 3 times with the same results each time. Thanks!
I thought this had been corrected. Your quickest bet is to call Support. I'm checking internally. I see a set of comments from folks when this first came out, which is why I thought it had been corrected already.
Teresa, actually, look at the comments above from James. That could be it.
Ray, I wish there was more clarity about the hotfixes. Actually, make that the entire install/update process. I upgraded a production CF 8 server a few days ago, and had major problems. It seems that Hotfix 2 broke the install. I had to completely uninstall CF, then install 9.0.0, update to 9.0.1, and left it there until I get time to figure out the problem.
Argh! User error!!! I thought I was working in CF 9.0.1 but as it turns out my version was CF 9.0. The sad part is I even looked at the version in cf admin. I guess my brain expected to see 9.0.1.
No disaster here!
--Teresa
Same problem here with losing access to the Administrator after simple upgrade to 8.0.1 from Coldfusion 8. Coldfusion pages are still loading and working nicely. Has anyone solved this yet? The only hotfix I have applied is hf800-00002.jar which was applied prior to the upgrade. Thanks!
We have a multi-instance server with this issue happening occasionally. When the ESAPIUtils error occurs it seems that stopping any running instances and waiting for 10-20 seconds after the instances are stopped, then starting them resolves this issue, however temporarily. I've opened a case with Adobe Support, I hope our temp solution helps someone.
I had the same CF Admin blank screen and in the console found that I had the "Element ESAPIUTILS is undefined" error.
Before this 9.0.1 updater we also had this problem. Someone had fouled up the hotfixes from 9.0 and I reapplied them in the correct order and it was fixed.
After the 9.0.1 updater, the problem resurfaced. So I applied ColdFusion 9.0.1 Cumulative Hotfix 2 (CHF2).
Note that you can skip steps 2-5 in the hotfix instructions and just drop the hotfix jar file directly into {ColdFusion-Home}/lib/updates folder. If you have the admin blank screen problem, you don't really have a choice.
Just updated CF9 multiserver to CF9.0.1 and then applied Hotfix 2. Pretty sure I did it in the right order, but now like other users, my CF Administrator shows just a blank screen. Unlike other users, viewing the source of the page shows nothing. One thing I didn't do though, I didn't restart CF before applying the Hotfix, since I knew I needed both I just downloaded and applied them one after the other then followed the rest of the instructions in the Hotfix text.
I've tried deleting the jar from the updates folder as suggested, but it hasn't done anything that I can see. Any suggestions would be appreciated.
Viewed the response headers in Firebug, it shows 500 Instantiation Exception. So it looks like it might be the same thing. I'll keep trying
@Mike Do you have any other files in the updates folder? If so provide that list, if not then I would suggest trying to re-apply the hotfix step-by-step.
Hi Jon, apart from the patch file from hotfix #2, I have the ColdFusion_update_901_WWEJ_linux64.bin file from the update to 9.0.1. I've identified the error to being the "missing" ESAPI class. I added [cf_root]/lib to the class paths in jvm.config, thinking that might have been it, but it still throws the error. I did notice that the esapi jar file ends with _rc10.jar, which means to me that it's a release candidate and not the final file. Is it possible that that file needs to be renamed?
Thanks for the feedback
Mike
I have updated 1 of 4 Cold Fusion 9.0.1 servers and now I have a blank administrator page. other .cfm's will work but the administrator/index.cfm page will not work. I am getting a blank screen instead of a login screen. In the application.log I'm getting Element ESAPIUTILS is undefined in a java object
Just want to throw out a lifeline to all the people reporting that things broke once they applied one of the hotfixes (notice that different people are reporting the same or different problems after applying different hotfixes).
In my experience (providing CF support to folks as an independent consultant), most such problems are caused by one of 3 mistakes that can be easily made while applying hotfixes. I don't say this to embarrass anyone, but just to say it's not hard to make the mistakes.
I discuss them in more detail here: http://www.carehart.org/blo...
But certainly if anyone has a different solution they may have found to resolve the problems, many will certainly want to hear.
Hope that's helpful.
I recently applied CF 9.0.1 Update 4 and this issue started to bite my neck. I thought it was a bug introduced by Adobe, but apparently it is a feature.
Be aware that if you mix client and session variables in the same app and "protectfixation" is ON, you lose client variables (because ColdFusion server reissues new CFID and CFTOKEN), which otherwise you believe will stay there forever.
Thanks.
Alex.