ColdFusion Security hot fix APSB12-26

ColdFusion 10, ColdFusion 9.0.2, ColdFusion 9.0.1, and ColdFusion 9.0 are affected with a vulnerability mentioned in the security bulletin APSB12-26. This article provides fixes for the security issues mentioned in the bulletin, along with installation instructions.

1. Hot fix files contain some of the previous security hot fixes.
2. Do not remove any jar files whose file names begin with chf.
3. ColdFusion 10 update 6 is a cumulative update. That is, it includes all the bug fixes from previous updates of ColdFusion 10.
4. Named application scope is not available in servlet context by default. To roll back to previous behavior, add JVM flag -Dcoldfusion.allowappdatainservletcontext=true.

In ColdFusion 10, use hot fix installer to apply this update (ColdFusion 10 Update 6).

If you have not applied ColdFusion 10 Mandatory Update, then apply it first to apply ColdFusion 10 Update 6.

If you have applied the previous Security hot fix APSB12-21, see Section 1. If you have not applied the previous Security hot fix APSB12-21, see Section 2.

Follow the instructions that apply to your version of ColdFusion. Do not apply these fixes to any beta or prerelease version of ColdFusion.

In the following procedures, {ColdFusion-Home} indicates the following:

• For Server installation: {ColdFusion-Home}
• For Multiserver Installation:{JRun-Home}/servers/{YourServer}/cfusion-ear/cfusion-war/
• For J2EE installation: {cfusion-ear-Home}/cfusion-war/

Use the following instructions if you have previously applied Security hot fix APSB12-21.

1. Download CF902.zip and extract hf902-00002.jar file.
2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper-right corner.
3. In the update file text box, browse and select hf902-00002.jar and click Submit Changes.
4. Stop the ColdFusion instance.
5. Go to {ColdFusion-Home}/lib/updates (for Server Installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installation) directory. If hf902-00001.jar exists, delete it. Otherwise, ignore this step.
6. Start the ColdFusion instance.
7. If there are multiple instances, repeat steps 2 through 6 for each instance.
   

1. Download CF901.zip and extract hf901-00007.jar file.
2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper-right corner.
3. In the update file text box, browse and select hf901-00007.jar and click Submit Changes.
4. Stop the ColdFusion instance.
5. Go to {ColdFusion-Home}/lib/updates (for Server Installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installation) directory. If hf901-00006.jar exists, delete it. Otherwise, ignore this step.
6. Start the ColdFusion instance.
7. If there are multiple instances, repeat steps 2 through 6 for each instance.
   

1. Download CF9.zip and extract hf900-00008.jar file.
2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper-right corner.
3. In the update file text box, browse and select hf900-00008.jar and click Submit Changes.
4. Stop the ColdFusion instance.
5. Go to {ColdFusion-Home}/lib/updates (for Server Installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installation) directory. If hf900-00007.jar exists, delete it. Otherwise, ignore this step.
6. Start the ColdFusion instance.
7. If there are multiple instances, repeat steps 2 through 6 for each instance.
   

Use these instructions if you have not applied Security hot fix APSB12-21.

1. Download CF902.zip and CFIDE-902.zip. Extract both zip files.
2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper-right corner.
3. In the update file text box, browse and select hf902-00002.jar located under CF902/lib/updates.
4. Click Submit Changes.
5. Stop the ColdFusion instance.
6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf902-00001.jar exists, delete it. Otherwise, ignore this step.
7. Go to {CFIDE-HOME} and take a backup of CFIDE folder.
8. Extract all the files in CFIDE-902.zip to the web root directory that has {CFIDE-HOME} folder.
9. Start the ColdFusion Instance.
10. If there are multiple instances, repeat steps 2 through 9 for each instance.
    

1. Download CF901.zip and CFIDE-901.zip. Extract both zip files.
2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper-right corner.
3. In the update file text box, browse and select hf901-00007.jar located under CF901/lib/updates.
4. Click Submit Changes.
5. Stop the ColdFusion instance.
6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf901-00001.jar, hf901-00002.jar, hf901-00003.jar, hf901-00004.jar, hf901-00005.jar, hf901-00006.jar exist, delete them. Otherwise, ignore this step.
7. Go to {CFIDE-HOME} and take a backup of CFIDE folder.
8. Extract all the files in CFIDE-901.zip to the web root directory that has {CFIDE-HOME} folder.
9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and take a backup of WEB-INF folder.
10. Go to CF901 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server Install) and {ColdFusion-Home} (for MultiServer and J2EE installations) directory.
11. Go to your {ColdFusion-Home}/lib (for Server Install) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE install) and take a backup of log4j.properties, flex-messaging-common.jar, flex-messaging-core.jar.
12. Go to CF901/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server Install) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE install).
13. Start the ColdFusion Instance.
14. If there are multiple instances, repeat steps 2 through 13 for each instance.
    

1. Download CF9.zip and CFIDE-9.zip. Extract both zip files.
2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper-right corner.
3. In the update file text box, browse and select hf900-00008.jar located under CF9/lib/updates.
4. Click Submit Changes.
5. Stop the ColdFusion instance.
6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf900-00001.jar, hf900-00002.jar, hf900-00003.jar, hf900-00004.jar, or hf900-00005.jar, hf900-00006.jar, hf900-00007.jar exist, delete them. Otherwise, ignore this step.
7. Go to {CFIDE-HOME} and take a backup of CFIDE folder.
8. Extract all the files in CFIDE-9.zip to the web root directory that has {CFIDE-HOME} folder.
9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and take a backup of WEB-INF folder.
10. Go to CF9 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server Install) and {ColdFusion-Home} (for MultiServer and J2EE installations) directory.
11. Go to your {ColdFusion-Home}/lib (for Server Install) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE install) and take a backup of log4j.properties, flex-messaging-common.jar, flex-messaging-core.jar.
12. Go to CF9/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server Install) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE install).
13. Start the ColdFusion Instance.
14. If there are multiple instances, repeat steps 2 through 13 for each instance.
    

Follow the instructions in the security bulletin APSB11-15 to apply the fix.

If you installed the hot fix for ColdFusion 9, and upgraded to ColdFusion 9.0.1, then apply the security hot fix for the update.