ColdFusion Security Hotfix


I'm stealing this blog entry right from what Forta just announced, but it's for a good cause - spreading the word! A new security hot fix for ColdFusion 8 and 9 is now released. Details may be found here: Security update: Hotfix available for ColdFusion


About Raymond Camden

Raymond is a senior developer evangelist for Adobe. He focuses on document services, JavaScript, and enterprise cat demos. If you like this article, please consider visiting my Amazon Wishlist or donating via PayPal to show your support. You can even buy me a coffee!

Lafayette, LA https://www.raymondcamden.com

Archived Comments

Comment 1 by Patrick Heppler posted on 6/15/2011 at 11:48 AM

Just applied it. Was a pain in the ass on linux, because copy by default asks for every file to overwrite. Would be much easier if Adobe would provide zips which contain the whole CFIDE and WEB-INF, not only the updated files, so you could just delete / move the old folders and copy in the new ones. *hint*

Comment 2 by Julian Halliwell posted on 6/15/2011 at 12:29 PM

@Patrick, but that would surely assume those directories are in an identical state for everyone. What if you've customised the administrator, or decided not to apply previous patches? Only files that *need* to be updated should be.

I agree though that these hotfixes involving changes to the CFIDE folder are a royal pain to install. 14 steps no less.

Comment 3 by Patrick Heppler posted on 6/15/2011 at 3:14 PM

@Julian, yeah it's a problem if you have customized the admin, like I did with spoolmail and cftracker.

14 steps right, but with cp -pr CFIDE-901/* {WEBROOT}/CFIDE/ you need to type "y" and press enter for every single file to get it overwritten!

Comment 4 by DJ posted on 6/15/2011 at 7:23 PM

Just put the fix in on a windows 2008 server and now can't get to the administrator interface :( CF is working as I've tested a website on it, but no administrator. I get an alternating Service Unavailable and then a 500 error. Any hints?

Comment 5 by DJ posted on 6/15/2011 at 7:55 PM

Wow! Be VERY careful when reading those instructions! Step 6 tells you to go look for hf901-00001.jar and delete if found... you get a bit excited and find a file that appears to be that name and you delete it... administrator won't work. I deleted hf901-00002.jar, the new jar file. Stopped CF services, restored the file (damn good thing I didn't shift delete) and started up again. Tadah!

Maybe my mistake will save someone else some trouble :)

Comment 6 by Chris Bowyer posted on 6/16/2011 at 1:25 AM

Yes. A bit of a nail biting experience, but the instructions are good. Just one question. A fellow developer I know, said he saw no need to update his local developer copy. I did mine anyway, but what do you think?

Comment 7 by Julian Halliwell posted on 6/16/2011 at 12:23 PM

@Chris, I *always* update my developer installation, and I do it *first*, for several reasons:
1) I like to keep my dev environment as similar as possible to production.
2) I like to test updates before rolling them out (sometimes the initial release is buggy).
3) It gives me practice in deploying the patch. Especially with so many steps, I find it really helps if I've already been through the process once before in a non-production environment.

Comment 8 by Jorge Asch posted on 6/16/2011 at 7:41 PM

They should test these out more carefully before releasing. Server keeps crashing every time there's a database exception.

"Could not find the included template udf.cfm." on WEB-INF\exception\details.cfm

Of course, there's no udf.cfm on the directory... (it's somewhere on the CFIDE path).

Previous details.cfm, didn't have this requirement...

Comment 9 by Raymond Camden posted on 6/16/2011 at 7:43 PM

As just an FYI - please be sure you ping Adobe support with these issues. I want to help - but I probably can't help - on this issue. (I don't mind you guys posting - please do - cuz it can help others - just making sure it's clear for 'real' support, you need to ping Adobe.)

Comment 10 by Chris Bowyer posted on 6/17/2011 at 12:47 AM

@Julian

Thanks for the feedback. All very good points.

Comment 11 by Julian Halliwell posted on 6/17/2011 at 11:11 AM

@Jorge. Which version of the patch are you using? With the CF9.0.1 version I've installed the udf.cfm template is there in the WEB-INF\exception folder and I'm having no problems with database or other exceptions.

Comment 12 by Mark Andrachek posted on 6/17/2011 at 10:49 PM

@Patrick that's what -f or --reply=yes is for.

This security patch, and the one just before it, break the undocumented and unofficial ability to get a datasource from the datasourceservice without using the adminapi.

I don't like the adminapi. First, using if from Java is a pain. Second, the security is not fine grained enough for my liking. I don't really like these services being open either.

But I do like being able to get a connection from a coldfusion datasource from java, running inside of a cf page. Guess I'm going to be stuck with using the admin api, converting my datasource to JNDI, or using an external definition and custom connection pool. *SIGH*.

Comment 13 by Benoit HEDIARD posted on 6/27/2011 at 3:09 PM

We applied this HotFix yesterday. Since then, we get plenty of "Session is invalid" errors...
Our config is very common:
- J2EE Session enabled,
- Max timeout and default timeout to 30 minutes (= max time-out in Web.xml)
- ClientCookies disabled.

Anyone having a similar issue?

Comment 14 by Marc posted on 6/27/2011 at 11:05 PM

The hot fix page http://kb2.adobe.com/cps/90... now says it was last updated on 2011-06-25.
Their server also now reports a last modified date of 6/25/2011 for both CF 8.0.1 zip files and both CF 9.0.1 zip files

I don't know what actually changed

Comment 15 by Raymond Camden posted on 6/27/2011 at 11:09 PM

I will try to find out what was changed.

Comment 16 by Benoit HEDIARD posted on 6/28/2011 at 12:58 AM

FYI, I found this interesting comment from Mike Collins on ColdFusion Bug Tracker: http://www.elliottsprehn.co....
He suggests adding a "reuseInvalidatedIds" parameter in the jrun.xml config files as a temporary workaround.

Comment 17 by Geoff posted on 7/4/2011 at 2:42 PM

I just applied the patch, but my version number in CF admin has remained unchanged... Still on 9,0,1,274733 with update level /D:/ColdFusion9/lib/updates/hf901-00001.jar

Can anyone else who's applied the update let me know if their version number changed?

Comment 18 by Benoit HEDIARD posted on 7/4/2011 at 2:48 PM

I think the version number didn't change (as far as I can remember) but the update level did (to hf901-00002.jar). Are you sure you have removed hf901-00001.jar?

On our production servers, we have removed this hot fix 2 to revert to hot fix 1 and the "Session is invalid" is gone...
I hope you will not face this issue as well.

Comment 19 by Chris Bowyer posted on 7/4/2011 at 6:36 PM

@Geoff

I'm not sure if my Version changed, but my Update Level did...

Version: 9,0,1,274733
Update Level: /C:/ColdFusion9/lib/updates/hf901-00002.jar
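The three recurring problems in this thread (cp prompting for every file, deleting the new hf901-00002.jar instead of the old hf901-00001.jar, and not being sure which update level is actually installed) can be handled by scripting the apply step. The script below is an added example, not the post's or Adobe's own instructions: it takes a backup of CFIDE first, copies the hotfix files without prompting, removes only the superseded jar, and verifies the result. Directory layout and the location of hf901-00002.jar in the unpacked hotfix are assumptions; adjust them to your install.

```shell
#!/bin/sh
# Added example (not from the post or Adobe): apply the CF 9.0.1 hotfix
# files non-interactively and verify the update level afterwards.
# Assumed layout: SRC_DIR is the unpacked hotfix holding CFIDE/, optionally
# WEB-INF/, and hf901-00002.jar at its top level.
set -eu

# apply_hotfix SRC_DIR CF_ROOT WEBROOT
#   CF_ROOT : ColdFusion install dir (holds lib/updates)
#   WEBROOT : web root containing the live CFIDE directory
apply_hotfix() {
  src="$1"; cfroot="$2"; webroot="$3"
  stamp=$(date +%Y%m%d%H%M%S)
  # Backup first so a wrong deletion is recoverable without a reinstall.
  cp -pR "$webroot/CFIDE" "$webroot/CFIDE.bak-$stamp"
  # 'command cp -f' bypasses any cp shell function/wrapper and never asks
  # "overwrite?" per file; -p keeps ownership and timestamps.
  command cp -pRf "$src/CFIDE/." "$webroot/CFIDE/"
  if [ -d "$src/WEB-INF" ]; then
    command cp -pRf "$src/WEB-INF/." "$webroot/WEB-INF/"
  fi
  # Remove only the superseded hotfix jar, then install the new one.
  rm -f "$cfroot/lib/updates/hf901-00001.jar"
  command cp -pf "$src/hf901-00002.jar" "$cfroot/lib/updates/"
}

# check_update_level CF_ROOT
#   Prints the path of the installed jar; returns 1 if the old jar is
#   still present or the new one is missing (the two failure modes above).
check_update_level() {
  updates="$1/lib/updates"
  if [ -f "$updates/hf901-00001.jar" ]; then
    echo "old hf901-00001.jar still present in $updates" >&2; return 1
  fi
  if [ ! -f "$updates/hf901-00002.jar" ]; then
    echo "hf901-00002.jar missing from $updates" >&2; return 1
  fi
  echo "$updates/hf901-00002.jar"
}
```

Compare the printed path with the Update Level shown in the CF administrator after restarting the services; the two should agree.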

Comment 20 by Julian Halliwell posted on 7/20/2011 at 6:10 PM

FYI: An update to the HotFix has just been published fixing certain issues:

http://kb2.adobe.com/cps/90...