Security Bulletin for ColdFusion

coldfusion (This post is more than 2 years old.)

Just a quick note to let you know that a security bulletin was just released for ColdFusion. Details below.

Security update: Hotfix available for ColdFusion

Hire Me!

I'm currently looking for my next role in developer evangelism and advocacy. I have a long history of helping companies work with developers and love to write, create demos, and present at conferences. You can find my resume to learn more and drop me an email (raymondcamden@gmail.com) to reach out.

Support this Content!

If you like this content, please consider supporting me. You can become a Patron, visit my Amazon wishlist, or buy me a coffee! Any support helps!

Want to get a copy of every new post? Use the form below to sign up for my newsletter.

Archived Comments

Comment 1 by Saul posted on 2/9/2011 at 1:43 PM

Isn't it about time they worked out an easier patch routine. The instructions on the tech notes make my head hurt ..

"Note: CFIDE.zip and WEB-INF.zip included in the hotfix contains only part of the CFIDE and WEB-INF files. Do not rename present CFIDE or WEB-INF folders to create a backup as per the instructions. "

then later on ...

"Go to {CFIDE-HOME} and make a backup of CFIDE folder."

Comment 2 by Raymond Camden posted on 2/9/2011 at 8:13 PM

I agree. I'd love to see updated builds - at least for the latest CF. I'd like one CF901 that had the CHF + Security all rolled in.

Comment 3 by John Walker posted on 2/9/2011 at 8:25 PM

Unzipping sub-directories and copying files, you have to be kidding. I did it, but why not an executable installer that did the backups and file copies? I liked the addition of the uploading of the update JAR, but they need to come up with something better for these file updates, very poor.

Comment 4 by Joshua Miller posted on 2/10/2011 at 3:57 AM

Did anyone else notice that after the patch was applied that some significant session issues arose?

If you have a directory such as: /somedirectory/ that has an Application.cfm file, then have another directory such as: /somedirectory/child/ that also has an Application.cfm file and both Application.cfm files enable session management (with different application names of course), when you create a session under /somedirectory/child and then open a new window or tab pointing to /somedirectory your session under /somedirectory/child is destroyed.

If you access a site on the same server under /anotherdirectory there are no problems, but session instances in a nested directory structure appear to be overriding one another regardless of application name.

I confirmed this after installing the hotfix on eight different servers. As soon as I rolled-back the hotfix, the problem went away on all eight.

Comment 5 by Raymond Camden posted on 2/10/2011 at 4:05 AM

I haven't had a chance to test this Joshua but I've shared it with other Adobe CF ACPs.

Comment 6 by Nigauw posted on 2/11/2011 at 12:38 AM

We are also experiencing this same problem: all our sites that are relying on more than one application per domain are now completely broken!
It seems unbelievable that nobody at Adobe noticed a bug this big before releasing such an important Security Hotfix...

Comment 7 by Nigauw posted on 2/11/2011 at 5:50 PM

FYI, Shilpi posted a possible workaround on her blog here:
http://shilpikm.blogspot.co...
The idea is to explicitely create the CFID and CFTOKEN in the directories that are using another cfapplication in order to "scope by path" the session.
I'll give this approach a try and post my findings here soon.

Comment 8 by Raymond Camden posted on 2/11/2011 at 5:52 PM

Thanks for posting this Nigauw.

Comment 9 by Nigauw posted on 2/11/2011 at 7:35 PM

OK, I tried Shilpi's idea and it seems to work now!

I've set up a test where two folders have their own Application.cfc, with the following:

<cfscript>
this.name = "#cgi.path_info#"; //this makes the app name unique
this.applicationTimeout = createTimeSpan(0,1,0,0);
this.clientmanagement= true;
this.loginstorage = "session" ;
this.sessionmanagement = true;
this.sessiontimeout = createTimeSpan(0,1,0,0);
this.setClientCookies = true;
this.setDomainCookies = false;
this.scriptProtect = "all";
</cfscript>

<cffunction name="onSessionStart" output="false">
<cfcookie name="CFID" value="#SESSION.CFID#" domain=".#cgi.http_host#" path="#listDeleteAt(cgi.path_info,listLen(cgi.path_info,'/'),'/')#">
<cfcookie name="CFTOKEN" value="#SESSION.CFTOKEN#" domain=".#cgi.http_host#" path="#listDeleteAt(cgi.path_info,listLen(cgi.path_info,'/'),'/')#">
</cffunction>

When you hit a page in folder_1 and then reload that same page, the SESSION.CFID and SESSION.CFTOKEN remain stable.
The you hit a page in folder_2 and you get a new CFID and CFTOKEN for that second application.
If you go back to folder_1 and reload your page, the original session vars are still there.
So far, so good.

Important note: this ties an application to its root folder: if you try to access the session variables of that application from another folder or from a subfolder, it won't work.

What a mess... This new behavior/bug introduced by the hotfix breaks code that had been running untouched for close to ten years, as well as code written last month.

Comment 10 by Frank posted on 2/15/2011 at 11:28 PM

Does anyone's Server Monitor work after applying this fix? Ours doesn't. It looks like there is also a new option for Monitoring Settings that was added as well, which also errors out.

Comment 11 by Julian Halliwell posted on 2/16/2011 at 9:35 PM

We've been forced to roll back this hotfix as it's caused too much trouble. Details on Shilip's blog: http://shilpikm.blogspot.co...

Comment 12 by Marc posted on 2/17/2011 at 10:54 PM

The hotfix page http://kb2.adobe.com/cps/89... says it was updated on 2011-2-16. The last modified date for the CF801.zip and CF901.zip files is now 2/16/2011 6:37 PM PST. Does anyone know what changed?

Comment 13 by Raymond Camden posted on 2/17/2011 at 11:02 PM

I've asked on a private list if we can get clarification.

Comment 14 by Steve Moore posted on 2/25/2011 at 4:00 AM

We too have rolled back this update because of the session issue. If it wasn't for the comments on this blog, I wouldn't have known what the heck was going on, except that the fix broke my apps. Now my question is: Assuming there is a CF 9.0.2 or something, are these fixes going to be in that, meaning I won't be able to update without implementing the work-around mentioned here for every app on my server? Guess I should start now...

Comment 15 by Nigauw posted on 2/25/2011 at 12:55 PM

Marc, Ray: any idea if the recently updated modification date means the bug-within-the-corrective-patch has been recognized and fixed?

Comment 16 by Raymond Camden posted on 2/25/2011 at 5:11 PM

I've yet to get official word. Sorry.

Comment 17 by Raymond Camden posted on 2/25/2011 at 5:50 PM

Official word it was just a minor edit in instructions.

Comment 18 by Nigauw posted on 2/25/2011 at 5:54 PM

OK, good to know - thanks.
Do you think we can assume that the problem is acknowledged and someone's working on it?

Comment 19 by Raymond Camden posted on 2/25/2011 at 5:55 PM

No - you need to ensure you log a bug and if you have a support plan I'd call it in. Be the squeaky wheel.

Comment 20 by Raymond Camden posted on 2/25/2011 at 5:56 PM

Although wait - it looks to me like this was a session fixation issue and it is fixed now. I can see how it breaks apps - but if it closes up a security hole then isn't it better it is fixed?

Comment 21 by Julian Halliwell posted on 2/25/2011 at 6:09 PM

@Ray, not if it means our users can't log in because the fix is causing their sessions (CFID/TOKENs) to be lost between requests. And yes we have changed to cookies to domain cookies where necessary (not all our domains have multiple apps), and it made no difference: sessions were being intermittently lost. Rolling back the hotfix stopped the problem.

Comment 22 by Raymond Camden posted on 2/25/2011 at 6:18 PM

Ok - then best I can suggest is what I said before - raise it with Adobe Support "officially".

Comment 23 by Julian Halliwell posted on 2/25/2011 at 8:57 PM

You're right, Raymond, should have done so before.

http://cfbugs.adobe.com/cfb...

Comment 24 by Dav posted on 3/1/2011 at 9:15 PM

Oddly, we found that enabling J2EE sessions fixed the session 'n' application name exclusivity issue caused by this patch

Comment 25 by Mike Thomas posted on 3/8/2011 at 12:35 AM

We applied the HOTFIX in questions and when NESSUS ran its regular scheduled programming, we receivied an errror. NESSES tried to navigate to: \CFIDE\wizards\common\_logintowizard.cfm page.

The following is a snippt from the error message: Element ESAPIUTILS is undefined in a Java object of type class [Ljava.lang.String;.
The error occurred on line 55.

Anyone else out there with this one?

Comment 26 by Raymond Camden posted on 3/8/2011 at 12:55 AM

@Mike: Isn't that a bug you can ignore?

Comment 27 by Michael Kane posted on 3/8/2011 at 5:04 AM

Glad I decided to google ESAPIUTILS, and found this discussion. I got a site-wide exception notice with the same error as Mike Thomas noted. It was on our DMZ server, so it worried me. Even more so when I noticed the cfdump of Error.TagContext that my site-wide handler includes. The first item had ?? as the value for ID, and the path for TEMPLATE is C:\work\ColdFusion\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\styles.cfm:55

There is no c:\work on my server. I would like to know how that could be. In the meantime, I decided to remove the wizards folder altogether. What is it needed for?

Comment 28 by Michael Brennan-White posted on 3/8/2011 at 8:44 PM

I ran the hotfix for v8.01 on my dev machine and everything seems to be working without a problem, but what should the version number be now. On my dev box the version number is 8,0,1,195765. My production box (not updated yet) has the same version number.

Comment 29 by Marc posted on 3/8/2011 at 11:33 PM

I just saw on http://www.petefreitag.com/... that the hotfix has been updated today with fixes and everyone should reapply it! Also Shilpi from the Coldfusion team has posted a blog entry about it http://shilpikm.blogspot.co...

I'm guessing the reason they added the option to completely turn off the fix for Session Fixation is just in case any other unexpected problems show up.

Comment 30 by Julian Halliwell posted on 3/9/2011 at 7:27 PM

The updated HotFix still doesn't work for us: clients started losing sessions again as soon as we applied it. But using the new JVM switch to turn off the Session Fixation part of the fix did correct it, which means we don't have to roll back the whole HF. But it still means that particular vulnerability is unpatched.

Comment 31 by Jay McEntire posted on 3/9/2011 at 10:31 PM

I can also confirm that this problem still exists. Here is the following way I was able to reproduce the problem:

I am using Application.cfm on CF 8 and have the following code in that file:

<cfapplication
...
applicationtimeout="#CreateTimeSpan(2,0,0,0)#"
clientmanagement="false"
sessionmanagement="true"
sessiontimeout="#CreateTimeSpan(0,1,0,0)#"
setclientcookies="false"
setdomaincookies="false"
scriptprotect="URL,CGI,COOKIE">

<!--- set more secure cookie handeling --->
<cfif NOT IsDefined("COOKIE.CFID") OR NOT IsDefined("COOKIE.CFTOKEN")>
<cfheader name="Set-Cookie" value="CFID=#SESSION.CFID#;path=/;HTTPOnly">
<cfheader name="Set-Cookie" value="CFTOKEN=#SESSION.CFTOKEN#;path=/;HTTPOnly">
</cfif>

We do this to protect our session cookies as per: http://www.petefreitag.com/...

When i persons session times-out, I this bug still happens and they can't login without having to delete their cookies from their browser.

-J

Comment 32 by Jay McEntire posted on 3/9/2011 at 10:36 PM

To follow up on my previous post, It appears that it works fine if you have clientcookies=true, but of you set that yo false and manually set the CFIF and CFTOKEN cookies, then thats where there are issues.

Comment 33 by Shilpi posted on 3/10/2011 at 12:42 PM

Hi Jay,

This is because of the following -

1. You have set setClientCookies=false
2. In the code to set Cookies, you have following condition -

<cfif NOT IsDefined("COOKIE.CFID") OR NOT IsDefined("COOKIE.CFTOKEN")>

Now if users don't delete the old cookies and with the above condition, old Cookie value will always be found and if ColdFusion does not find an active session for this request, it will start a new one. However these new values are never set to Cookies.

You can probably change the check before settings the cookies to match the value from Cookie and Session. If the values don't match, then you reset the cookie as well.

Hope this helps.

Shilpi
ColdFusion Team

Comment 34 by Julian Halliwell posted on 3/14/2011 at 2:36 PM

Happy to report we've identified the problem and the Hotfix is now working for us. In a nutshell: CF will no longer use existing CFID/CFTOKEN cookies when creating new sessions.

I've written up the problem and solution at http://cfsimplicity.com/4/c...

Comment 35 by Ryan posted on 3/18/2011 at 8:54 PM

We are getting the following when trying to get to the cfadmin url. this is on CF 8.0. We've reapplied the hot fix, and it was the the most recent. Any insight into how to get this fixed? Getting the same issue on certain sites when trying to login to secured areas.

java.lang.NoClassDefFoundError: Could not initialize class coldfusion.security.ESAPIUtils

@Michael Kane - were you able to find a fix for your cf9 box?

Comment 36 by Michael Kane posted on 3/24/2011 at 1:16 AM

Ryan, I have not learned much more about the ESAPIUtils error, or why my server said it came from a template in a path that has never existed on that server. But it was more or less moot, because I removed the wizards folder altogether. I haven't found out what that folder is needed for, either. But it seems unnecessary and undesirable to have on a production server.

Comment 37 by Lisa Walker posted on 8/6/2011 at 9:54 PM

I am attempting to run the 8.0.1 updater for my Cf installation.
After the update (multiserver) occurs, websites seem to work fine, but I am unable to get to the cf administrator interface.
Just a blank screen shows up.
When I view source on the blank page, I see this root cause listed: applet error.
Element ESAPIUTILS is undefined in a Java object of type class
If anyone has any assistance they can offer, please let me know. I need to get this update and subsequent hot fixes in place before 8/19 (pci check).
The 8.0.0 security hot fix broke my cfgrid from displaying correctly. Worked great before that.
current update level I'm at:
Update Level /C:/JRun4/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/cfusion/lib/updates/hf800-00002.jar

Comment 38 by Raymond Camden posted on 8/8/2011 at 1:06 AM

Lisa - don't have a solution for you - you try Adobe support yet?

Comment 39 by Lisa Walker posted on 8/8/2011 at 3:39 PM

Yes, posted there also, waiting on some type of response.
As several people posted here, the documentation is lacking a bit. Would be nice if they would just create an upgrade file that really did the upgrade.
I have a cf8 installation, but see at this post, http://www.forta.com/blog/i...,
that even on cf9 installations, the hot fixes busted up the admin interface.
thanks for the response.

Comment 40 by Raymond Camden posted on 8/8/2011 at 4:04 PM

As has been announced, future versions of ColdFusion is going to make this a LOT easier.

Comment 41 by Paul posted on 8/8/2011 at 9:18 PM

I have the same problem. This security update has totally broken the admin interface on a vanilla CF 8.0.1 install.
java.lang.ClassNotFoundException: coldfusion.security.ESAPIUtils

Comment 42 by Lisa Walker posted on 8/8/2011 at 9:28 PM

Thanks ray, but future versions cost upgrade money and unfortunately, in this economy, we're not spending that amount of money.
Really, adobe should fix this with these 2 existing versions since they have downloads for them.
The only reason I am trying to do the upgrade is for security fixes. The last one I applied for 8.0.0 broke by cfgrid cfcs.
This fix is in the 8.0.1 hotfix 1, which I cannot apply to an 8.0.0 installation.

Comment 43 by Raymond Camden posted on 8/8/2011 at 10:07 PM

@Lisa: I do agree, it could be better. Just saying it's (eventually) going to get there.

Comment 44 by James Morrow posted on 8/11/2011 at 7:54 AM

Count me in as another poor fool trusting this hotfix.

"ESAPIUTILS is undefined in a Java object" etc., breaking the cf admin interface.

Comment 45 by Shilpi posted on 8/12/2011 at 1:02 PM

Hi Lisa,Paul,James,

Can you please confirm at what location the hf jar is placed and also in "<cfserver-home>/lib/updates" which all files are present?

We at not seeing this error at our end.

Thanks & Regards,
Shilpi

Comment 46 by James Morrow posted on 8/13/2011 at 4:02 AM

@Shilpi:

It appears to have resulted from installing multiple hotfixes in an incorrect order. Specifically, installing the hf801-1878.jar or hf801-1875.jar _after_ the hf801-00002.jar had already been installed.

I was doing a wave of hotfixes this week for a PCI compliance process, and it wasn't immediately obvious to me that there was an order dependency. Once I had a chance to think about it a bit more, it seemed relatively obvious that there was a conflict between updates; additional evidence was provided when I re-read the release notes for hf801-00002 and noticed the list of jars to remove.

I think hf801-1875.jar should probably be added to that list of jars to remove, although I didn't absolutely confirm it; I've done enough experimenting in that environment for this week.

Thanks!

Comment 47 by Shilpi posted on 8/16/2011 at 10:09 AM

Thanks a lot for confirming James. We will verify this on our end.

Comment 48 by Teresa posted on 12/14/2011 at 7:37 PM

I applied Hofix 2 for coldfusion 9.0.1 and am receiving the "Class not found: coldfusion.security.ESAPIUtils" error when trying to launch CF administrator. It appears coldfusion itself is working...but I can't launch the cf administrator. Any ideas? I've rolled back and reinstalled 3 times with the same results each time. Thanks!

Comment 49 by Raymond Camden posted on 12/14/2011 at 8:29 PM

I thought this had been corrected. Your quickest bet is to call Support. I'm checking internally. I see a set of comments from folks when this first came out, which is why I thought it had been corrected already.

Comment 50 by Raymond Camden posted on 12/14/2011 at 8:30 PM

Teresa, actually, look at the comments above from James. That could be it.

Comment 51 by Michael Kane posted on 12/14/2011 at 8:34 PM

Ray, I wish there was more clarity about the hotfixes. Actually, make that the entire install/update process. I upgraded a production CF 8 server a few days ago, and had major problems. It seems that Hotfix 2 broke the install. I had to completely uninstall CF, then install 9.0.0, update to 9.0.1, and left it there until I get time to figure out the problem.

Comment 52 by Teresa posted on 12/14/2011 at 9:50 PM

Argh! User error!!! I thought I was working in CF 9.0.1 but as it turns out my version was CF 9.0. The sad part is I even looked at the version in cf admin. I guess my brain expected to see 9.0.1.

No disaster here!
--Teresa

Comment 53 by Jules posted on 1/6/2012 at 11:54 PM

Same problem here with losing access to the Administrator after simple upgrade to 8.0.1 from Coldfusion 8. Coldfusion pages are still loading and working nicely. Has anyone solved this yet? The only hotfix I have applied is hf800-00002.jar which was applied prior to the upgrade. Thanks!

Comment 54 by Jon Cavanaugh posted on 1/17/2012 at 11:42 PM

We have a multi-instance server with this issue happening occasionally. When the ESAPIUtils error occurs it seems that stopping any running instances and waiting for 10-20 seconds after the instances are stopped, then starting them resolves this issue, however temporarily. I've opened a case with Adobe Support, I hope our temp solution helps someone.

Comment 55 by Gerry Gurevich posted on 1/31/2012 at 7:49 PM

I had the same CF Admin blank screen and in the console found that I had the "Element ESAPIUTILS is undefined" error.

Before this 9.0.1 updater we also had this problem. Someone had fouled up the hotfixes from 9.0 and I reapplied them in the correct order and it was fixed.

After the 9.0.1 updater, the problem resurfaced. So I applied ColdFusion 9.0.1 Cumulative Hotfix 2 (CHF2).

Note that you can skip steps 2-5 in the hotfix instructions and just drop the hotfix jar file directly into {ColdFusion-Home}/lib/updates folder. If you have the admin blank screen problem, you don't really have a choice.

Comment 56 by Mike Ritchie posted on 2/15/2012 at 12:16 PM

Just updated CF9 multiserver to CF9.0.1 and then applied Hotfix 2. Pretty sure I did it in the right order, but now like other users, my CF Administrator shows just a blank screen. Unlike other users, viewing the source of the page shows nothing. One thing I didn't do though, I didn't restart CF before applying the Hotfix, since I knew I needed both I just downloaded and applied them one after the other then followed the rest of the instructions in the Hotfix text.

I've tried deleting the jar from the updates folder as suggested, but it hasn't done anything that I can see. Any suggestions would be appreciated.

Comment 57 by Mike Ritchie posted on 2/15/2012 at 12:18 PM

Viewed the response headers in Firebug, it shows 500 Instantiation Exception. So it looks like it might be the same thing. I'll keep trying

Comment 58 by Jon Cavanaugh posted on 2/15/2012 at 10:56 PM

@Mike Do you have any other files in the updates folder? If so provide that list, if not then I would suggest trying to re-apply the hotfix step-by-step.

Comment 59 by Mike Ritchie posted on 2/15/2012 at 11:26 PM

Hi Jon, apart from the patch file from hotfix #2, I have the ColdFusion_update_901_WWEJ_linux64.bin file from the update to 9.0.1. I've identified the error to being the "missing" ESAPI class. I added [cf_root]/lib to the class paths in jvm.config, thinking that might have been it, but it still throws the error. I did notice that the esapi jar file ends with _rc10.jar, which means to me that it's a release candidate and not the final file. Is it possible that that file needs to be renamed?

Thanks for the feedback

Mike

Comment 60 by cheryl gross posted on 2/17/2012 at 2:46 AM

I have updated 1 of 4 Cold Fusion 9.0.1 servers and now I have a blank administrator page. other .cfm's will work but the administrator/index.cfm page will not work. I am getting a blank screen instead of a login screen. In the application.log I'm getting Element ESAPIUTILS is undefined in a java object

Comment 61 by Charlie Arehart posted on 5/13/2012 at 5:21 AM

Just want to throw out a lifeline to all the people reporting that things broke once they applied one of the hotfixes (notice that different people are reporting the same or different problems after applying different hotfixes).

In my experience (providing CF support to folks as an independent consultant), most such problems are caused by one of 3 mistakes that can be easily made while applying hotfixes. I don't say this to embarrass anyone, but just to say it's not hard to make the mistakes.

I discuss them in more detail here: http://www.carehart.org/blo...

But certainly if anyone has a different solution they may have found to resolve the problems, many will certainly want to hear.

Hope that's helpful.

Comment 62 by Alex Purice posted on 9/25/2013 at 12:24 AM

I recently applied CF 9.0.1 Update 4 and this issue started to bite my neck. I thought it was a bug introduced by Adobe, but apparently it is a feature.

Be aware that if you mix client and session variables in the same app and "protectfixation" is ON, you lose client variables (because ColdFusion server reissues new CFID and CFTOKEN), which otherwise you believe will stay there forever.

Thanks.
Alex.