A vulnerability mentioned in the security bulletin APSB12-25 affects ColdFusion 10 Update 1 and later. This article provides instructions on how to apply fixes for the security issues mentioned in the security bulletin.
Apply ColdFusion 10 Mandatory Update first.
In ColdFusion 10, use the HotFix installer to apply this security hot fix (ColdFusion 10 Update 5).
After applying this hot fix, reconfigure the connectors using the wsconfig tool. You can find wsconfig.exe at {cf_install_home}/{CF Instance}/runtime/bin. To reconfigure the connectors, remove the listed IIS connector and then use the add option to configure the latest IIS connector.
Important: To prevent other configuration files in the Jakarta virtual directory from being accessed over the Internet, check the MIME type list for your websites. Ensure that MIME Type entries for the following Filename Extensions are not present:
- Properties
- Log
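One way to run this MIME type check from PowerShell, as an added example that is not part of the original technote. It assumes the IIS WebAdministration module is installed, and it inspects the server-level configuration and the effective configuration of each site; the variable names are illustrative.

```powershell
# Added example: report IIS MIME type entries that would allow .properties
# and .log files (such as those in the Jakarta virtual directory) to be served.
Import-Module WebAdministration

# Extensions named in the technote; IIS stores them with a leading dot.
$blocked = '.properties', '.log'

# Server-level configuration plus each site's effective (inherited) configuration.
$scopes = @('MACHINE/WEBROOT/APPHOST') +
          @(Get-Website | ForEach-Object { "MACHINE/WEBROOT/APPHOST/$($_.Name)" })

$findings = foreach ($scope in $scopes) {
    # The staticContent collection holds the mimeMap entries for this scope.
    Get-WebConfigurationProperty -PSPath $scope `
        -Filter 'system.webServer/staticContent' -Name 'collection' |
        Where-Object { $blocked -contains $_.fileExtension } |   # -contains is case-insensitive
        ForEach-Object {
            [pscustomobject]@{
                Scope         = $scope
                FileExtension = $_.fileExtension
                MimeType      = $_.mimeType
            }
        }
}

if ($findings) {
    # Each row is a MIME type entry that should not be present.
    $findings | Format-Table -AutoSize
    Write-Warning 'MIME type entries exist for .properties or .log; remove them.'
} else {
    Write-Output 'No MIME type entries found for .properties or .log.'
}
```

Run it from an elevated PowerShell session on the IIS server after reconfiguring the connector.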
Note:
ColdFusion 10 Update 5 is a cumulative update. That is, it includes all the bug fixes from previous updates of ColdFusion 10 as well.
This security hot fix is applicable only when you have a connector with IIS.

