Issue
ColdFusion 10, ColdFusion 9.0.2, ColdFusion 9.0.1, and ColdFusion 9.0 are affected by the vulnerabilities described in security bulletin APSB13-19. This article (release date, July 9 2013) provides fixes for the security issues mentioned in the bulletin, along with the installation instructions.
Solution
ColdFusion 10
In ColdFusion 10, use the hot fix installer to apply this update (ColdFusion 10 Update 11). ColdFusion 10 Update 11 is a cumulative update. That is, it includes all the bug fixes from the previous updates of ColdFusion 10. This update includes an important security fix in addition to several other bug fixes. For more details, see this article.
Important note
If you have not applied the ColdFusion 10 Mandatory Update, apply it before applying this update. This step is not required if the ColdFusion 10 build number is greater than 282462.
ColdFusion 9.0.x
This security hot fix is valid only for ColdFusion versions 9.0, 9.0.1 and 9.0.2 deployed on JRun.
Installation
- Download 3329722.zip.
- Extract the JAR file and copy it to {ColdFusion-Home}/runtime/servers/lib (for stand-alone installation) or {JRun-Home}/servers/lib (for Multiserver and J2EE installations).
- Restart the ColdFusion/JRun instance.
Uninstallation
- Remove the jrun-hotfix-3329722.jar file from {ColdFusion-Home}/runtime/servers/lib (for stand-alone installation) or {JRun-Home}/servers/lib (for Multiserver and J2EE installations).
- Restart the ColdFusion/JRun service.
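To confirm that the JAR is in place after installation, or gone after uninstallation, a check such as the following can be run on each server. It is an added example, not part of the Adobe hot fix; the function names and the layout keywords (standalone, multiserver, j2ee) are hypothetical, while the directories and the JAR file name are the ones given in the steps above.

```shell
#!/bin/sh
# Added example: audit whether the ColdFusion 9.0.x JRun hot fix JAR is in place.
# Function names and layout keywords are hypothetical; paths and the JAR name
# are taken from the installation/uninstallation steps in this article.
HOTFIX_JAR="jrun-hotfix-3329722.jar"

# lib_dir LAYOUT HOME -> prints the lib directory the article names for that layout.
lib_dir() {
    case "$1" in
        standalone)       printf '%s\n' "$2/runtime/servers/lib" ;;  # {ColdFusion-Home}
        multiserver|j2ee) printf '%s\n' "$2/servers/lib" ;;          # {JRun-Home}
        *) return 2 ;;
    esac
}

# hotfix_status LAYOUT HOME
# Prints one of: installed, missing, empty, not-a-jar, no-lib-dir, bad-layout.
# Exit status is 0 only for "installed".
hotfix_status() {
    dir=$(lib_dir "$1" "$2") || { echo "bad-layout"; return 2; }
    jar="$dir/$HOTFIX_JAR"
    if [ ! -d "$dir" ]; then echo "no-lib-dir"; return 1; fi
    if [ ! -e "$jar" ]; then echo "missing"; return 1; fi
    # A zero-byte file usually means an interrupted copy.
    if [ ! -s "$jar" ]; then echo "empty"; return 1; fi
    # A JAR is a ZIP archive, and ZIP archives start with the bytes "PK".
    # This catches the case where the .zip itself, or an HTML error page
    # saved by the download, was renamed and copied instead of the JAR.
    magic=$(head -c 2 "$jar")
    if [ "$magic" != "PK" ]; then echo "not-a-jar"; return 1; fi
    echo "installed"
}

# Command-line use: sh check_hotfix.sh standalone /opt/coldfusion9
if [ "$#" -ge 2 ]; then
    hotfix_status "$1" "$2"
fi
```

A result of "installed" only shows that the file is present; the fix takes effect after the ColdFusion/JRun restart in the last step.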
ColdFusion integrated/Installed with LCDS
Follow the instructions in the security bulletin APSB11-15 to apply the fix.
For previous ColdFusion security hot fixes, see the Security bulletins and advisories page.