Adobe
Sign in Privacy My Adobe

ColdFusion Security Hotfix APSB12-06

Adobe Community Help


Products Affected

Contact support

Issue

ColdFusion 9.0.1, ColdFusion 9.0, ColdFusion 8.0.1 and ColdFusion 8 are affected with vulnerabilities mentioned in the security bulletin APSB12-06. This TechNote provides fixes for the security issues mentioned in the bulletin along with installation instructions.
 

Solution

Customers who have applied the previous Security Hotfix APSB11-29, see Section1. If you have not applied the previous Security Hotfix APSB11-29, see Section 2.

Follow the instructions that apply to your version of ColdFusion. Do not apply these fixes to any beta or prerelease version of ColdFusion.

Note:

  1. Hotfix files contain some of the previous security hotfixes.

  2. CSRF protection requires that SessionManagement is enabled. If Session Variables are disabled from Administration Console, CSRF protection is disabled.

  3. If ColdFusion throws an exception "java.io.FileNotFoundException.. /logs/esapiconfig.log" after applying hotfix, go to <ColdFusion-Home>/lib/log4j.properties and update absolute path for esapiconfig.log.

  4. This hotfix implements a new setting in ColdFusion, Post Parameter Limit. This limits the number of parameters in a post request. The default value is 100. If a post request contains more parameters as specified, server will not process the request and throws an exception. This is done to protect against DoS attack using Hash Collision. This setting is different from Post Size Limit (ColdFusion Administrator > Settings > Maximum size of post data). We are not exposing this setting in ColdFusion Administrator console, but this limit can be easily changed in neo-runtime.xml file. See point 5 below.

  5. Customers who want to change postParameterLimit, go to {ColdFusion-Home}/lib for Server Installation or {ColdFusion-Home}/WEB-INF/cfusion/lib for Multiserver or J2EE installation. Open file neo-runtime.xml, after line.

"<var name='postSizeLimit'><number>100.0</number></var>" 

          add the below line and you can change 100 with desired number.

"<var name='postParametersLimit'><number>100.0</number></var>"

               

Definition for ColdFusion-Home:

In the following procedures, {ColdFusion-Home} indicates the following:

  • For Server installation: {ColdFusion-Home}
  • For Multiserver Installation:{JRun-Home}/servers/{YourServer}/cfusion-ear/cfusion-war/
  • For J2EE installation: {cfusion-ear-Home}/cfusion-war/

Note: CFIDE.zip and WEB-INF.zip included in the hotfix contain only part of the CFIDE and WEB-INF files. Do not rename present CFIDE and WEB-INF folders to create as per the instructions.

 Section 1:

If you have previously applied Security Hotfix APSB11-29, it's only necessary to apply the jar file.

ColdFusion 9.0.1

  1. Download CF901jar.zip and extract hf901-00004.jar.
  2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper right corner.
  3. In the update file textbox, browse and select hf901-00004.jar and click submit.
  4. Stop the ColdFusion instance.
  5. Go to {ColdFusion-Home}/lib/updates (for Server Installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installation) directory. If hf901-00001.jar, hf901-00002.jar or hf901-00003.jar exist, delete them. Otherwise, ignore this step.
  6. Start the ColdFusion instance.
  7. If there are multiple instances, repeat steps 2 through 6 for each instance.

ColdFusion 9.0

  1. Download CF9jar.zip and extract hf900-00005.jar.
  2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper right corner.
  3. In the update file textbox, browse and select hf901-00005.jar and click submit.
  4. Stop the ColdFusion instance.
  5. Go to {ColdFusion-Home}/lib/updates (for Server Installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installation) directory. If hf900-00001.jar, hf900-00002.jar, hf900-00003.jar or hf900-00004.jar exist , delete them. Otherwise, ignore this step.
  6. Start the ColdFusion instance
  7. If there are multiple instances, repeat steps 2 through 6 for each instance.

ColdFusion 8.0.1

  1. Download CF801jar.zip and extract hf801-00005.jar

  2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper right corner.
  3. In the update file textbox, browse and select hf801-00005.jar and click submit.
  4. Stop the ColdFusion instance.
  5. Go to {ColdFusion-Home}/lib/updates (for Server Installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installation) directory. If hf801-00001.jar, hf801-00002.jar,hf801-00003.jar, hf801-00004.jar, hf801-1875.jar, hf801-1878.jar, hf801-77218.jar, hf801-73122.jar or hf801-71471.jar exist, delete them. Otherwise, ignore this step.
  6. Start the ColdFusion instance
  7. If there are multiple instances, repeat steps 2 through 6 for each instance.

ColdFusion 8.0

  1. Download CF8jar.zip and extract hf800-00005.jar.
  2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper right corner.
  3. In the update file textbox, browse and select hf800-00005.jar and click submit.
  4. Stop the ColdFusion instance.
  5. Go to {ColdFusion-Home}/lib/updates (for Server Installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installation) directory. If hf800-00001.jar, hf800-00002.jar, hf800-00003.jar, hf800-00004.jar, hf800-70523.jar, hf800-71471.jar, hf800-73122.jar, hf800-1875.jar, hf800-77218.jar or hf800-1878.jar exist, delete them. Otherwise, ignore this step.
  6. Start the ColdFusion instance
  7. If there are multiple instances, repeat steps 2 through 6 for each instance.

Note: If you experience problems in ColdFusion Administrator > Mail > View Undelivered Mail page after applying the previous hotfix, replace undeliveredmail.cfc from {ColdFusion-Home}/wwwroot/CFIDE/administrator/mail from CFIDE backup.

Section 2:

For customers who have not applied Security Hotfix APSB11-29

ColdFusion 9.0.1

  1. Download CF901.zip and CFIDE-901.zip. Extract both zip files.
  2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper right corner.
  3. In the update file text box, browse and select hf901-00004.jar located under CF901/lib/updates.
  4. Click Submit changes.
  5. Stop the ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf901-00001.jar, hf901-00002.jar or hf901-00003.jar exist, delete them. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
  8. Extract all the files in CFIDE-901.zip to the web root directory that has {CFIDE-HOME} folder.
  9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
  10. Go to CF901 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server Install) and {ColdFusion-Home} (for MultiServer and J2EE installations) directory.
  11. Go to your {ColdFusion-Home}/lib (for Server Install) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE install) and take a backup of log4j.properties.
  12. Go to CF901/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server Install) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE install).
  13. Start the ColdFusion Instance.
  14. If there are multiple instances, repeat steps 2 through 13 for each instance.

ColdFusion 9.0

  1. Download CF9.zip and CFIDE-9.zip. Extract both zip files.
  2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper right corner.
  3. In the update file text box, browse and select hf900-00005.jar located under CF9/lib/updates.
  4. Click Submit changes.
  5. Stop the ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf900-00001.jar, hf900-00002.jar, hf900-00003.jar or hf900-00004.jar exist , delete them. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
  8. Extract all the files in CFIDE-9.zip to the web root directory that has {CFIDE-HOME} folder.
  9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
  10. Go to CF9 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server Install) and {ColdFusion-Home} (for MultiServer and J2EE installations) directory.
  11. Go to your {ColdFusion-Home}/lib (for Server Install) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE install) and take a backup of log4j.properties.
  12. Go to CF9/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server Install) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE install).
  13. Start the ColdFusion Instance.
  14. If there are multiple instances, repeat steps 2 through 13 for each instance.

ColdFusion 8.0.1

  1. Download CF801.zip and CFIDE-801.zip. Extract both zip files.

  2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper right corner.

  3. In the update file text box, browse and select hf801-00005.jar located under CF801/lib/updates.

  4. Click Submit changes.
  5. Stop the ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory.If hf801-00001.jar, hf801-00002.jar,hf801-00003.jar, hf801-00004.jar, hf801-1875.jar, hf801-1878.jar, hf801-77218.jar, hf801-73122.jar or hf801-71471.jar exist, delete them. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
  8. Extract all the files in CFIDE-801.zip to the web root directory that has {CFIDE-HOME} folder.
  9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
  10. Go to CF801 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server Install) and {ColdFusion-Home} (for MultiServer and J2EE installations) directory.
  11. Go to your {ColdFusion-Home}/lib (for Server Install) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE install) and take a backup of log4j.properties.
  12. Go to CF801/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server Install) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE install).
  13. Start the ColdFusion Instance.
  14. If there are multiple instances, repeat steps 2 through 13 for each instance.

ColdFusion 8.0

  1. Download CF8.zip and CFIDE-8.zip. Extract both zip files.
  2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper right corner.
  3. In the update file text box, browse and select hf800-00005.jar located under CF8/lib/updates.
  4. Click Submit changes.
  5. Stop the ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf800-00001.jar, hf800-00002.jar, hf800-00003.jar, hf800-00004.jar, hf800-70523.jar, hf800-71471.jar, hf800-73122.jar, hf800-1875.jar, hf800-77218.jar or hf800-1878.jar exist, delete them. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
  8. Extract all the files in CFIDE-8.zip to the web root directory that has {CFIDE-HOME} folder.
  9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
  10. Go to CF8 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server Install) and {ColdFusion-Home} (for MultiServer and J2EE installations) directory.
  11. Go to your {ColdFusion-Home}/lib (for Server Install) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE install) and take a backup of log4j.properties.
  12. Go to CF8/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server Install) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE install).
  13. Start the ColdFusion Instance.
  14. If there are multiple instances, repeat steps 2 through 13 for each instance.

ColdFusion integrated/installed with LCDS (For Section 2)

Follow the instructions in the security bulletin APSB11-15 to apply the fix.

If you have upgraded after installing the hotfix

If you installed the hotfix for ColdFusion 9 or 8, and then upgraded to ColdFusion 9.0.1 or 8.0.1, respectively, apply the security hotfix for the update.

Note: For previous ColdFusion Security Hotfixes, see the Security bulletins and advisories page.

 

Note - Updated on March 29, 2012

Following bug is reported for ColdFusion 801 against this security bulletin hotfix.

  java.lang.NoSuchMethodError Exception is thrown while using cffile upload.

We have updated the hotfix files of ColdFusion 801 to include the fix for the above issue. Users who have already applied the hotfix for ColdFusion 801 can just update the hotfix jar.

 

Keywords: cpsid_93043

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy

Products

Download

Support & Learning

Buy

Company

Choose your region

Copyright © 2013 Adobe Systems Incorporated. All rights reserved.

Terms of Use | Privacy | Cookies

Reviewed by TRUSTe: site privacy statement