Hot fix files contain some of the previous security hot fixes.
ColdFusion 9.0.1, ColdFusion 9, ColdFusion 8.0.1, and ColdFusion 8 are affected by the vulnerabilities described in security bulletins APSB11-14 and APSB11-15. This TechNote provides fixes for the security issues mentioned in both bulletins, along with installation instructions.
Note – Updated on September 16, 2011
A new issue was found with the security hot fix released with this TechNote. Applying the security hot fix causes ColdFusion to throw "session is invalid" errors randomly if J2EE sessions are enabled.
Adobe has updated the hot fix files to include the fixes for the above issue. There are also additional instructions to apply the fix for the above issue only.
Note - Updated on July 20 2011
The following bugs were reported against this security bulletin hot fix:
1. Verify Data sources functionality broken for all ColdFusion versions.
2. Build number is missing for CF801
3. Thumbs.db file is present in some hot-fix zips.
Adobe has updated the hot fix files to include the fixes for the above issues and has also added instructions to apply the fix for the above issues only.
In the following procedures, {ColdFusion-Home} indicates the following:
Note: CFIDE.zip and WEB-INF.zip included in the hot fix contain only part of the CFIDE and WEB-INF files. Do not rename the existing CFIDE or WEB-INF folders to create a backup as per the instructions.
Follow the instructions in the security bulletin APSB11-15 to apply the fix.
ColdFusion 9.0.x
1. For ColdFusion 9.0.1, download cf901-update.zip. For ColdFusion 9.0, download cf9-update.zip.
2. Make backup of index.cfm at {CFIDE-HOME}/administrator/datasources.
3. Extract index.cfm present in the downloaded hot fix to {CFIDE-HOME}/administrator/datasources.
ColdFusion 8.0.1
1. Download cf801-update.zip. Extract the files to a directory.
2. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. Delete hf801-00003.jar. If hf801-00003.jar is not present, it's possible that the patch isn't applied yet. Follow the instructions to apply the complete fix.
3. Copy downloaded file lib/updates/hf801-00003.jar to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory
4. Make backup of index.cfm at {CFIDE-HOME}/administrator/datasources.
5. Copy downloaded index.cfm to {CFIDE-HOME}/administrator/datasources.
6. Restart ColdFusion instance. If there are multiple instances, repeat the steps above for each instance.
ColdFusion 8.0
1. Download cf8-update.zip. Extract the files to a directory.
2. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. Delete hf800-00003.jar. If hf800-00003.jar is not present, it's possible that the patch isn't applied yet. Follow the instructions to apply the complete fix.
3. Copy downloaded file lib/updates/hf800-00003.jar to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory
4. Make backup of index.cfm at {CFIDE-HOME}/administrator/datasources.
5. Copy downloaded index.cfm to {CFIDE-HOME}/administrator/datasources.
6. Restart ColdFusion instance. If there are multiple instances, repeat the steps above for each instance.
ColdFusion 9.0.1
1. Download cf901-update1.zip. Extract the files to a directory.
2. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. Delete hf901-00002.jar. If hf901-00002.jar is not present, it's possible that the patch isn't applied yet. Follow the instructions to apply the complete fix.
3. Copy downloaded file lib/updates/hf901-00002.jar to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory
4. Restart ColdFusion instance. If there are multiple instances, repeat the steps above for each instance.
ColdFusion 9
1. Download cf9-update1.zip. Extract the files to a directory.
2. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. Delete hf900-00003.jar. If hf900-00003.jar is not present, it's possible that the patch isn't applied yet. Follow the instructions to apply the complete fix.
3. Copy downloaded file lib/updates/hf900-00003.jar to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory
4. Restart ColdFusion instance. If there are multiple instances, repeat the steps above for each instance.
ColdFusion 8.0.1
1. Download cf801-update1.zip. Extract the files to a directory.
2. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. Delete hf801-00003.jar. If hf801-00003.jar is not present, it's possible that the patch isn't applied yet. Follow the instructions to apply the complete fix.
3. Copy downloaded file lib/updates/hf801-00003.jar to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory
4. Restart ColdFusion instance. If there are multiple instances, repeat the steps above for each instance.
ColdFusion 8
1. Download cf8-update1.zip. Extract the files to a directory.
2. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. Delete hf800-00003.jar. If hf800-00003.jar is not present, it's possible that the patch isn't applied yet. Follow the instructions to apply the complete fix.
3. Copy downloaded file lib/updates/hf800-00003.jar to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory
4. Restart ColdFusion instance. If there are multiple instances, repeat the steps above for each instance.
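The jar replacement and index.cfm steps above can be scripted so that every instance is patched the same way. This is an added example, not Adobe's installer or code from the TechNote. The function names, the `server`/`multi` keywords, the `.bak` suffix, exit status 3, and the location of index.cfm at the top of the extracted directory are assumptions.

```shell
#!/bin/sh
# Added example (not Adobe's script): replace a hot fix jar as in the steps above.
# Usage: apply_hotfix <cf_home> <server|multi> <extracted_dir> <jar_name> [cfide_home]

updates_dir() {
    # Server installs use lib/updates; Multiserver and J2EE use WEB-INF/cfusion/lib/updates.
    case "$2" in
        server) printf '%s\n' "$1/lib/updates" ;;
        multi)  printf '%s\n' "$1/WEB-INF/cfusion/lib/updates" ;;
        *)      return 2 ;;
    esac
}

apply_hotfix() {
    cf_home=$1; layout=$2; src=$3; jar=$4; cfide=${5:-}
    dest=$(updates_dir "$cf_home" "$layout") || { echo "unknown layout: $layout" >&2; return 2; }
    new_jar="$src/lib/updates/$jar"
    [ -f "$new_jar" ] || { echo "missing $new_jar" >&2; return 1; }
    [ -d "$dest" ] || { echo "missing $dest" >&2; return 1; }
    # The old jar must already be there; if it is not, the original hot fix was
    # probably never applied and the complete fix is needed (assumed status 3).
    if [ ! -f "$dest/$jar" ]; then
        echo "$jar not in $dest: apply the complete fix instead" >&2
        return 3
    fi
    rm -f "$dest/$jar" && cp "$new_jar" "$dest/$jar" || return 1
    cmp -s "$new_jar" "$dest/$jar" || { echo "copy verification failed" >&2; return 1; }
    # Optional: back up and replace the data sources page (index.cfm location assumed).
    if [ -n "$cfide" ] && [ -f "$src/index.cfm" ]; then
        page="$cfide/administrator/datasources/index.cfm"
        if [ -f "$page" ]; then cp -p "$page" "$page.bak"; fi
        cp "$src/index.cfm" "$page" || return 1
    fi
    echo "installed $jar in $dest; restart this ColdFusion instance"
}

if [ "$#" -ge 4 ]; then apply_hotfix "$@"; fi
```

Run it once per instance, then restart that instance; the script does not restart ColdFusion itself.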
If you installed the hot fix for ColdFusion 9 or ColdFusion 8 and then upgraded (to ColdFusion 9.0.1 or ColdFusion 8.0.1), ensure that you apply the security hot fix for the update.
Note: Previous ColdFusion Security hot fixes - Security bulletins and advisories page