Issue
ColdFusion 10, ColdFusion 9.0.2, ColdFusion 9.0.1, ColdFusion 9.0, ColdFusion 8.0.1, and ColdFusion 8 are affected with vulnerabilities mentioned in the security bulletin APSB12-21. This article provides fixes for the security issues mentioned in the bulletin along with installation instructions.
Solution
Note
- Hot fix files contain some of the previous security hot fixes.
- Do not remove any jar files whose file names begin with chf.
- As a good practice, we recommend adding the getPageContext method to the list of disabled functions in the Sandbox. However, this is not a requirement for protection against the DoS issue.
- ColdFusion 10 Update 2 is a cumulative update; it includes ColdFusion 10 Update 1.
Definition for ColdFusion-Home:
In the following procedures, {ColdFusion-Home} indicates the following:
- For Server installation: {ColdFusion-Home}
- For Multiserver installation: {JRun-Home}/servers/{YourServer}/cfusion-ear/cfusion-war/
- For J2EE installation: {cfusion-ear-Home}/cfusion-war/
Note: The CFIDE.zip and WEB-INF.zip files included in the hot fix contain only part of the CFIDE and WEB-INF files. Do not rename the existing CFIDE and WEB-INF folders; follow the instructions as written.
Section 1:
Use these instructions if you have previously applied Security Hotfix APSB12-15.
ColdFusion 9.0.1
- Download CF901jar.zip and CFIDE-hf901-00006.zip. Extract both zip files.
- In the ColdFusion Administrator, open the System Information page by clicking the "i" icon in the upper-right corner.
- In the Update File text box, browse to and select hf901-00006.jar, then click Submit.
- Stop the ColdFusion instance.
- Go to the {ColdFusion-Home}/lib/updates directory (Server installation) or the {ColdFusion-Home}/WEB-INF/cfusion/lib/updates directory (Multiserver and J2EE installations). If hf901-00001.jar, hf901-00002.jar, hf901-00003.jar, hf901-00004.jar, or hf901-00005.jar exist, delete them. Otherwise, skip this step.
- Go to {CFIDE-HOME} and take a backup of the CFIDE folder.
- Extract all the files in CFIDE-hf901-00006.zip to the web root directory that contains the {CFIDE-HOME} folder.
- Start the ColdFusion instance.
- If there are multiple instances, repeat steps 2 through 8 for each instance.
ColdFusion 9.0
- Download CF9jar.zip and CFIDE-hf900-00007.zip. Extract both zip files.
- In the ColdFusion Administrator, open the System Information page by clicking the "i" icon in the upper-right corner.
- In the Update File text box, browse to and select hf900-00007.jar, then click Submit.
- Stop the ColdFusion instance.
- Go to the {ColdFusion-Home}/lib/updates directory (Server installation) or the {ColdFusion-Home}/WEB-INF/cfusion/lib/updates directory (Multiserver and J2EE installations). If hf900-00001.jar, hf900-00002.jar, hf900-00003.jar, hf900-00004.jar, hf900-00005.jar, or hf900-00006.jar exist, delete them. Otherwise, skip this step.
- Go to {CFIDE-HOME} and take a backup of the CFIDE folder.
- Extract all the files in CFIDE-hf900-00007.zip to the web root directory that contains the {CFIDE-HOME} folder.
- Start the ColdFusion instance.
- If there are multiple instances, repeat steps 2 through 8 for each instance.
ColdFusion 8.0.1
- Download CF801jar.zip and CFIDE-hf801-00007.zip. Extract both zip files.
- In the ColdFusion Administrator, open the System Information page by clicking the "i" icon in the upper-right corner.
- In the Update File text box, browse to and select hf801-00007.jar, then click Submit.
- Stop the ColdFusion instance.
- Go to the {ColdFusion-Home}/lib/updates directory (Server installation) or the {ColdFusion-Home}/WEB-INF/cfusion/lib/updates directory (Multiserver and J2EE installations). If hf801-00001.jar, hf801-00002.jar, hf801-00003.jar, hf801-00004.jar, hf801-00005.jar, hf801-00006.jar, hf801-1875.jar, hf801-1878.jar, hf801-77218.jar, hf801-73122.jar, or hf801-71471.jar exist, delete them. Otherwise, skip this step.
- Go to {CFIDE-HOME} and take a backup of the CFIDE folder.
- Extract all the files in CFIDE-hf801-00007.zip to the web root directory that contains the {CFIDE-HOME} folder.
- Start the ColdFusion instance.
- If there are multiple instances, repeat steps 2 through 8 for each instance.
ColdFusion 8.0
- Download CF800jar.zip and CFIDE-hf800-00007.zip. Extract both zip files.
- In the ColdFusion Administrator, open the System Information page by clicking the "i" icon in the upper-right corner.
- In the Update File text box, browse to and select hf800-00007.jar, then click Submit.
- Stop the ColdFusion instance.
- Go to the {ColdFusion-Home}/lib/updates directory (Server installation) or the {ColdFusion-Home}/WEB-INF/cfusion/lib/updates directory (Multiserver and J2EE installations). If hf800-00001.jar, hf800-00002.jar, hf800-00003.jar, hf800-00004.jar, hf800-00005.jar, hf800-00006.jar, hf800-70523.jar, hf800-71471.jar, hf800-73122.jar, hf800-1875.jar, hf800-77218.jar, or hf800-1878.jar exist, delete them. Otherwise, skip this step.
- Go to {CFIDE-HOME} and take a backup of the CFIDE folder.
- Extract all the files in CFIDE-hf800-00007.zip to the web root directory that contains the {CFIDE-HOME} folder.
- Start the ColdFusion instance.
- If there are multiple instances, repeat steps 2 through 8 for each instance.
Section 2:
Use these instructions if you have not applied Security Hotfix APSB12-15.
ColdFusion 10
- In ColdFusion 10, use the hot fix installer to apply this hot fix. This is ColdFusion 10 Update 2.
Important Note:
If you have not applied the ColdFusion 10 Mandatory Update, apply it first; ColdFusion 10 Update 2 requires it.
ColdFusion 9.0.2
- Download CF902.zip and CFIDE-902.zip. Extract both zip files.
- In the ColdFusion Administrator, open the System Information page by clicking the "i" icon in the upper-right corner.
- In the Update File text box, browse to and select hf902-00001.jar, located under CF902/lib/updates.
- Click Submit Changes.
- Stop the ColdFusion instance.
- Go to {CFIDE-HOME} and make a backup of the CFIDE folder.
- Extract all the files in CFIDE-902.zip to the web root directory that contains the {CFIDE-HOME} folder.
- Start the ColdFusion instance.
- If there are multiple instances, repeat steps 2 through 8 for each instance.
ColdFusion 9.0.1
- Download CF901.zip and CFIDE-901.zip. Extract both zip files.
- In the ColdFusion Administrator, open the System Information page by clicking the "i" icon in the upper-right corner.
- In the Update File text box, browse to and select hf901-00006.jar, located under CF901/lib/updates.
- Click Submit Changes.
- Stop the ColdFusion instance.
- Go to the {ColdFusion-Home}/lib/updates directory (Server installation) or the {ColdFusion-Home}/WEB-INF/cfusion/lib/updates directory (Multiserver and J2EE installations). If hf901-00001.jar, hf901-00002.jar, hf901-00003.jar, hf901-00004.jar, or hf901-00005.jar exist, delete them. Otherwise, skip this step.
- Go to {CFIDE-HOME} and make a backup of the CFIDE folder.
- Extract all the files in CFIDE-901.zip to the web root directory that contains the {CFIDE-HOME} folder.
- Go to the {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of the WEB-INF folder.
- Go to the CF901 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (Server installation) or {ColdFusion-Home} (Multiserver and J2EE installations).
- Go to {ColdFusion-Home}/lib (Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (Multiserver and J2EE installations) and take a backup of log4j.properties, flex-messaging-common.jar, and flex-messaging-core.jar.
- Go to the CF901/lib directory and copy all the files to {ColdFusion-Home}/lib (Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (Multiserver and J2EE installations).
- Start the ColdFusion instance.
- If there are multiple instances, repeat steps 2 through 13 for each instance.
ColdFusion 9.0
- Download CF9.zip and CFIDE-9.zip. Extract both zip files.
- In the ColdFusion Administrator, open the System Information page by clicking the "i" icon in the upper-right corner.
- In the Update File text box, browse to and select hf900-00007.jar, located under CF9/lib/updates.
- Click Submit Changes.
- Stop the ColdFusion instance.
- Go to the {ColdFusion-Home}/lib/updates directory (Server installation) or the {ColdFusion-Home}/WEB-INF/cfusion/lib/updates directory (Multiserver and J2EE installations). If hf900-00001.jar, hf900-00002.jar, hf900-00003.jar, hf900-00004.jar, hf900-00005.jar, or hf900-00006.jar exist, delete them. Otherwise, skip this step.
- Go to {CFIDE-HOME} and make a backup of the CFIDE folder.
- Extract all the files in CFIDE-9.zip to the web root directory that contains the {CFIDE-HOME} folder.
- Go to the {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of the WEB-INF folder.
- Go to the CF9 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (Server installation) or {ColdFusion-Home} (Multiserver and J2EE installations).
- Go to {ColdFusion-Home}/lib (Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (Multiserver and J2EE installations) and take a backup of log4j.properties, flex-messaging-common.jar, and flex-messaging-core.jar.
- Go to the CF9/lib directory and copy all the files to {ColdFusion-Home}/lib (Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (Multiserver and J2EE installations).
- Start the ColdFusion instance.
- If there are multiple instances, repeat steps 2 through 13 for each instance.
ColdFusion 8.0.1
- Download CF801.zip and CFIDE-801.zip. Extract both zip files.
- In the ColdFusion Administrator, open the System Information page by clicking the "i" icon in the upper-right corner.
- In the Update File text box, browse to and select hf801-00007.jar, located under CF801/lib/updates.
- Click Submit Changes.
- Stop the ColdFusion instance.
- Go to the {ColdFusion-Home}/lib/updates directory (Server installation) or the {ColdFusion-Home}/WEB-INF/cfusion/lib/updates directory (Multiserver and J2EE installations). If hf801-00001.jar, hf801-00002.jar, hf801-00003.jar, hf801-00004.jar, hf801-00005.jar, hf801-00006.jar, hf801-1875.jar, hf801-1878.jar, hf801-77218.jar, hf801-73122.jar, or hf801-71471.jar exist, delete them. Otherwise, skip this step.
- Go to {CFIDE-HOME} and make a backup of the CFIDE folder.
- Extract all the files in CFIDE-801.zip to the web root directory that contains the {CFIDE-HOME} folder.
- Go to the {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of the WEB-INF folder.
- Go to the CF801 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (Server installation) or {ColdFusion-Home} (Multiserver and J2EE installations).
- Go to {ColdFusion-Home}/lib (Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (Multiserver and J2EE installations) and take a backup of log4j.properties, flex-messaging-common.jar, and flex-messaging-core.jar.
- Go to the CF801/lib directory and copy all the files to {ColdFusion-Home}/lib (Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (Multiserver and J2EE installations).
- Start the ColdFusion instance.
- If there are multiple instances, repeat steps 2 through 13 for each instance.
ColdFusion 8.0
- Download CF8.zip and CFIDE-8.zip. Extract both zip files.
- In the ColdFusion Administrator, open the System Information page by clicking the "i" icon in the upper-right corner.
- In the Update File text box, browse to and select hf800-00007.jar, located under CF8/lib/updates.
- Click Submit Changes.
- Stop the ColdFusion instance.
- Go to the {ColdFusion-Home}/lib/updates directory (Server installation) or the {ColdFusion-Home}/WEB-INF/cfusion/lib/updates directory (Multiserver and J2EE installations). If hf800-00001.jar, hf800-00002.jar, hf800-00003.jar, hf800-00004.jar, hf800-00005.jar, hf800-00006.jar, hf800-70523.jar, hf800-71471.jar, hf800-73122.jar, hf800-1875.jar, hf800-77218.jar, or hf800-1878.jar exist, delete them. Otherwise, skip this step.
- Go to {CFIDE-HOME} and make a backup of the CFIDE folder.
- Extract all the files in CFIDE-8.zip to the web root directory that contains the {CFIDE-HOME} folder.
- Go to the {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of the WEB-INF folder.
- Go to the CF8 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (Server installation) or {ColdFusion-Home} (Multiserver and J2EE installations).
- Go to {ColdFusion-Home}/lib (Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (Multiserver and J2EE installations) and take a backup of log4j.properties, flex-messaging-common.jar, and flex-messaging-core.jar.
- Go to the CF8/lib directory and copy all the files to {ColdFusion-Home}/lib (Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (Multiserver and J2EE installations).
- Start the ColdFusion instance.
- If there are multiple instances, repeat steps 2 through 13 for each instance.
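The cleanup step in both Section 1 and Section 2 (delete the superseded hfXXX jars from lib/updates, but never the chf* jars) is easy to get wrong across many instances. The following is an added example, not part of this tech note or of Adobe's tooling: a read-only audit of a lib/updates directory that reports whether the APSB12-21 jar is present, which superseded jars from the lists above still remain, and which chf* jars must stay. The jar lists come from the steps above; the directory path, the version key and the sample directory built by demo() are assumptions/constructed for illustration.

```python
import tempfile
from pathlib import Path


def _seq(prefix, n):
    """hfXXX-00001.jar ... hfXXX-0000n.jar, as listed in the steps above."""
    return [f"{prefix}-{i:05d}.jar" for i in range(1, n + 1)]


# (new APSB12-21 jar, superseded jars to delete) per version, taken from the
# steps above. 9.0.2 has no delete step on this page, so it is not listed.
HOTFIXES = {
    "9.0.1": ("hf901-00006.jar", _seq("hf901", 5)),
    "9.0": ("hf900-00007.jar", _seq("hf900", 6)),
    "8.0.1": ("hf801-00007.jar", _seq("hf801", 6) + [
        "hf801-1875.jar", "hf801-1878.jar", "hf801-77218.jar",
        "hf801-73122.jar", "hf801-71471.jar"]),
    "8.0": ("hf800-00007.jar", _seq("hf800", 6) + [
        "hf800-70523.jar", "hf800-71471.jar", "hf800-73122.jar",
        "hf800-1875.jar", "hf800-77218.jar", "hf800-1878.jar"]),
}


def audit_updates_dir(updates_dir, version):
    """Read-only check of one lib/updates directory for one CF version.

    Nothing is deleted here: the result tells the operator what the
    cleanup step still has to do and what the Note says to leave alone.
    """
    new_jar, stale = HOTFIXES[version]
    present = {p.name for p in Path(updates_dir).iterdir() if p.is_file()}
    return {
        "hotfix_installed": new_jar in present,
        "stale_to_delete": sorted(present & set(stale)),
        "chf_keep": sorted(n for n in present if n.startswith("chf")),
    }


def demo():
    """Constructed sample: a 9.0.1 lib/updates directory after the jar
    upload but before cleanup (two old jars left, one made-up chf jar)."""
    root = Path(tempfile.mkdtemp())
    for name in ("hf901-00006.jar", "hf901-00002.jar", "hf901-00005.jar",
                 "chf-sample.jar"):  # chf-sample.jar is a placeholder name
        (root / name).write_bytes(b"")
    return audit_updates_dir(root, "9.0.1")


if __name__ == "__main__":
    print(demo())
```

Run it against each instance's real lib/updates path (the Server or Multiserver/J2EE location given in the steps) before restarting the instance.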
ColdFusion integrated/installed with LCDS (For Section 2)
Follow the instructions in the security bulletin APSB11-15 to apply the fix.
Upgrading after installing the hot fix
If you installed the hot fix for ColdFusion 9 or 8, and then upgraded to ColdFusion 9.0.1 or 8.0.1, respectively, apply the security hot fix for the update.
Note:
For previous ColdFusion Security hot fixes, see the Security bulletins and advisories page.
Notes
This is the last security fix for ColdFusion 8 and ColdFusion 8.0.1. For more information, see End of Core Support.