Issue

ColdFusion 9.0.1, ColdFusion 9, ColdFusion 8.0.1, and ColdFusion 8 are affected with vulnerabilities mentioned in the security bulletins APSB11-14 and APSB11-15. This TechNote provides fixes for the security issues mentioned in both the bulletins along with the installation instructions.

Note – Updated on Spetember 16 2011
A new issue was found with the security hot fix released with this TechNote. Applying the security hot fix causes ColdFusion to throw session is invalid errors randomly if the J2EE sessions are enabled.

Adobe has updated the hot fix files to include the fixes for the above issue. There are also additional instructions to apply the fix for the above issue only.

  • Customers who have already applied the security hot fix, go here to apply the individual fix for this issue. Apply this fix after applying the fix released on July 26.
  • Customers, who have not applied the security hot fix, follow the instructions to apply the complete fix.

Note - Updated on July 20 2011
Following bugs were reported against this security bulletin hot fix

    1. Verify Data sources functionality broken for all ColdFusion versions.
    2. Build number is missing for CF801
    3. Thunbs.db file is present in some hot-fix zips.

Adobe has updated the hot fix files to include the fixes for the above issues and have also added additional instructions to apply the fix for the above issues only.

  • Customers who have already applied the security hot fix, go here to apply the additional fix.
  • Customers who have not applied the security hot fix, follow the instructions below. Hot fix files include the fixes for the above issues.

Solution

  1. Hot fix files contain some of the previous security hot fixes.

  2. CSRF protection requires that SessionManagement is enabled. If Session Variables are disabled from Administrator Console, CSRF protection is disabled.
  3. If ColdFusion throws an exception "java.io.FileNotFoundException: ../logs/esapiconfig.log" after applying the hot fix, go to <ColdFusion-Home>/lib/log4j.properties and update absolute path for "esapiconfig.log".

Definition of ColdFusion-Home

In the following procedures, {ColdFusion-Home} indicates the following:

  • For Server installation: {ColdFusion-Home}
  • For Multiserver installation: {JRun-Home}/servers/{YourServer}/cfusion-ear/cfusion-war/
  • For J2EE installation: {cfusion-ear-Home}/cfusion-war/

Note: CFIDE.zip and WEB-INF.zip included in the hot fix contains only part of the CFIDE and WEB-INF files. Do not rename present CFIDE or WEB-INF folders to create a backup as per the instructions.

ColdFusion 9.0.1

  1. Download CF901.zip and CFIDE-901.zip.  Extract CF901.zip.  All the files are extracted to cf901 directory.
  2. In the ColdFusion Administrator, select System Information page by clicking the "i" icon in the upper-right corner.
  3. In the Update File text box, browse and select hf901-00002.jar located under CF901/lib/updates directory.
  4. Click Submit Changes.
  5. Stop ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf901-00001.jar exists, delete it. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
  8. Extract all files in CFIDE-901.zip to the web root directory that has {CFIDE-HOME} folder.
  9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
  10. Go to cf901 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server installation) or {ColdFusion-Home} (for Multiserver and J2EE installations) directory.
  11. Go to your {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory. Make a backup of these files if present: commons-fileupload-1.2.jar, ESAPI.properties, esapi-2.0_rc10.jar, log4j.properties, validation.properties, flex-messaging-common.jar, and flex-messaging-core.jar files.
  12. Go to cf901/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib for Multiserver and J2EE installations) directory.
  13. Start a ColdFusion instance.
  14. If there are multiple instances, repeat steps 2 through13 for each of the instances.

ColdFusion 9

  1. Download CF9.zip and CFIDE-9.zip.  Extract CF9.zip.  All the files are extracted to cf9 directory.
  2. In the ColdFusion Administrator, select System Information page by clicking the "i" icon in the upper-right corner.
  3. In the Update File text box, browse and select hf900-00003.jar located under CF9/lib/updates directory.
  4. Click Submit Changes.
  5. Stop ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory and if hf900-00001.jar or hf900-00002.jar exists, delete them. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
  8. Extract all files in CFIDE-9.zip to the web root directory that has {CFIDE-HOME} folder.
  9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
  10. Go to cf9 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server installation) or {ColdFusion-Home} (for Multiserver and J2EE installations) directory.
  11. Go to your {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory. Make a backup of these files if present: commons-fileupload-1.2.jar, ESAPI.properties, esapi-2.0_rc10.jar, log4j.properties, validation.properties, flex-messaging-common.jar, and flex-messaging-core.jar files.
  12. Go to cf9/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory.
  13.   Start a ColdFusion instance.
  14.   f there are multiple instances, repeat steps 2 through 13 for each of the instances.

ColdFusion 8.0.1

  1. Download CF801.zip and CFIDE-801.zip.  Extract CF801.zip.  All the files are extracted to cf801 directory.
  2.  In the ColdFusion Administrator, select System Information page by clicking the "i" icon in the upper-right corner.
  3. In the Update File text box, browse and select hf801-00003.jar located under CF801/lib/updates directory.
  4. Click Submit Changes.
  5. Stop the ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf801-00001.jar, hf801-00002.jar, hf801-1875.jar, hf801-1878.jar, hf801-77218.jar, hf801-73122.jar, or hf801-71471.jar exist, delete them. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
  8. Extract all files in CFIDE-801.zip to the web root directory that has {CFIDE-HOME} folder.
  9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
  10. Go to cf801 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server installation) or {ColdFusion-Home} (for Multiserver and J2EE installations) directory.
  11. Go to your {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory. Make a backup of these files if present: commons-fileupload-1.2.jar, ESAPI.properties, ESAPI-1.4.4.jar, log4j.properties, antisamy-1.3-20091014.183120-2.jar, flex-messaging-common.jar, and flex-messaging.jar files.
  12. Go to cf801/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory.
  13. Start a ColdFusion instance.
  14. If there are multiple instances, repeat steps 2 through 13 for each of the instances.

ColdFusion 8

  1. Download CF8.zip and CFIDE-8.zip.  Extract CF8.zip.  All the files are extracted to cf8 directory.
  2. In the ColdFusion Administrator, select System Information page by clicking the "i" icon in the upper-right corner.
  3. In the Update File text box, browse and select hf800-00003.jar located under CF8/lib/updates directory.
  4. Click Submit Changes.
  5.  Stop the ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf800-00001.jar, hf800-00002.jar, hf800-70523.jar, hf800-71471.jar, hf800-73122.jar, hf800-1875.jar, hf800-77218.jar, or hf800-1878.jar exist, delete them. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
  8.  Extract all files in CFIDE-8.zip to the web root directory that has {CFIDE-HOME} folder.
  9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
  10. Go to cf8 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server installation) or {ColdFusion-Home} (for Multiserver and J2EE installations) directory.
  11. Go to your {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory. Make a backup of these files if present: commons-fileupload-1.2.jar, ESAPI.properties, ESAPI-1.4.4.jar, log4j.properties, antisamy-1.3-20091014.183120-2.jar, flex-messaging-common.jar, and flex-messaging.jar files.
  12. Go to cf8/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory.
  13. Start a ColdFusion instance.
  14.  If there are multiple instances, repeat steps 2 through 13 for each of the instances.

ColdFusion integrated/installed with LCDS 

Follow the instructions in the security bulletin APSB11-15 to apply the fix.

Instructions to apply the fix for the new issues 

 ColdFusion 9.0.x
    1. For ColdFusion 9.0.1, download cf901-update.zip. For ColdFusion 9.0, download cf9-update.zip.
    2. Make backup of index.cfm at {CFIDE-HOME}/administrator/datasources.
    3. Extract index.cfm present in the downloaded hot fix to {CFIDE-HOME}/administrator/datasources.

ColdFusion 8.0.1
    1. Download cf801-update.zip. Extract the files to a directory.
    2. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. Delete hf801-00003.jar. If hf801-00003.jar is not present, it's possible that the patch isn't applied yet. Follow the instructions to apply the complete fix.
    3. Copy downloaded file lib/updates/hf801-00003.jar to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory
    4. Make backup of index.cfm at {CFIDE-HOME}/administrator/datasources.
    5. Copy downloaded index.cfm to {CFIDE-HOME}/administrator/datasources.
    6. Restart ColdFusion instance. If there are multiple instances, repeat the steps above for each instance.

ColdFusion 8.0
    1. Download cf8-update.zip. Extract the files to a directory.
    2. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. Delete hf800-00003.jar. If hf800-00003.jar is not present, it's possible that the patch isn't applied yet. Follow the instructions to apply the complete fix.
    3. Copy downloaded file lib/updates/hf800-00003.jar to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory
    4. Make backup of index.cfm at {CFIDE-HOME}/administrator/datasources.
    5. Copy downloaded index.cfm to {CFIDE-HOME}/administrator/datasources.
    6. Restart ColdFusion instance. If there are multiple instances, repeat the steps above for each instance.
 

Instructions to apply the session invalid fix

ColdFusion 9.0.1
    1. Download cf901-update1.zip. Extract the files to a directory.
    2. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. Delete hf901-00002.jar. If hf901-00002.jar is not present, it's possible that the patch isn't applied yet. Follow the instructions to apply the complete fix.
    3. Copy downloaded file lib/updates/hf901-00002.jar to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory  
    4. Restart ColdFusion instance. If there are multiple instances, repeat the steps above for each instance.

ColdFusion 9
    1. Download cf9-update1.zip. Extract the files to a directory.
    2. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. Delete hf900-00003.jar. If hf900-00003.jar is not present, it's possible that the patch isn't applied yet. Follow the instructions to apply the complete fix.
    3. Copy downloaded file lib/updates/ hf900-00003.jar to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory  
    4. Restart ColdFusion instance. If there are multiple instances, repeat the steps above for each instance.

ColdFusion 8.0.1
    1. Download cf801-update1.zip. Extract the files to a directory.
    2. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. Delete hf801-00003.jar. If hf801-00003.jar is not present, it's possible that the patch isn't applied yet. Follow the instructions to apply the complete fix.
    3. Copy downloaded file lib/updates/hf801-00003.jar to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory  
    4. Restart ColdFusion instance. If there are multiple instances, repeat the steps above for each instance.

ColdFusion 8
    1. Download cf8-update1.zip. Extract the files to a directory.
    2. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. Delete hf800-00003.jar. If hf800-00003.jar is not present, it's possible that the patch isn't applied yet. Follow the instructions to apply the complete fix.
    3. Copy downloaded file lib/updates/hf800-00003.jar to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory
    4. Restart ColdFusion instance. If there are multiple instances, repeat the steps above for each instance.

If you have upgraded after installing the hot fix

 If you installed the hot fix for ColdFusion 9 or ColdFusion 8 and then upgraded (to ColdFusion 9.0.1 or ColdFusion 8.0.1), ensure that you apply the security hot fix for the update.

Note: Previous ColdFusion Security hot fixes - Security bulletins and advisories page

 

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy