Issue

ColdFusion 10, ColdFusion 9.0.2, ColdFusion 9.0.1, ColdFusion 9.0, ColdFusion 8.0.1, and  ColdFusion 8 are affected with vulnerabilities mentioned in the security bulletin APSB12-21. This article provides fixes for the security issues mentioned in the bulletin along with installation instructions.

Solution

If you have applied the previous Security Hotfix APSB12-15, see Section 1. If you have not applied the previous Security Hotfix APSB12-15, see Section 2.

Follow the instructions that apply to your version of ColdFusion. Do not apply these fixes to any beta or pre-release version of ColdFusion.

Note

  1. Hot fix files contain some of the previous security hot fixes.
  2. Do not remove any jar files whose file names begin with chf.
  3. We would recommend adding getPageContext method in the SandBox to the list of disabled function as a good practice. However this is not a requirement for the protection against DoS.
  4. ColdFusion 10 update 2 is cumulative update, i.e. it will include CF 10 Update 1.

Definition for ColdFusion-Home:

In the following procedures, {ColdFusion-Home} indicates the following:

  • For Server installation: {ColdFusion-Home}
  • For Multiserver Installation:{JRun-Home}/servers/{YourServer}/cfusion-ear/cfusion-war/
  • For J2EE installation: {cfusion-ear-Home}/cfusion-war/

Note: CFIDE.zip and WEB-INF.zip included in the hot fix contain only part of the CFIDE and WEB-INF files. Do not rename present CFIDE and WEB-INF folders, as per the instructions.

Section 1:

Use these instructions if you have previously applied Security Hotfix APSB12-15.

ColdFusion 9.0.1

  1. Download CF901jar.zip and CFIDE-hf901-00006.zip. Extract both zip files.
  2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper-right corner.
  3. In the update file text box, browse and select hf901-00006.jar and click submit.
  4. Stop the ColdFusion instance.
  5. Go to {ColdFusion-Home}/lib/updates (for Server Installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installation) directory. If hf901-00001.jar, hf901-00002.jar, hf901-00003.jar, or hf901-00004.jar, hf901-00005.jar exist, delete them. Otherwise, ignore this step.
  6. Go to {CFIDE-HOME} and take backup of {CFIDE} folder.
  7. Extract all the files in CFIDE-hf901-00006.zip to the web root directory that has {CFIDE-HOME} folder.
  8. Start the ColdFusion instance.
  9. If there are multiple instances, repeat steps 2 through 8 for each instance.

ColdFusion 9.0

  1. Download CF9jar.zip and CFIDE-hf900-00007.zip. Extract both zip files.
  2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper-right corner.
  3. In the update file text box, browse and select hf900-00007.jar and click Submit.
  4. Stop the ColdFusion instance.
  5. Go to {ColdFusion-Home}/lib/updates (for Server Installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installation) directory. If hf900-00001.jar, hf900-00002.jar, hf900-00003.jar, hf900-00004.jar, hf900-00005.jar, hf900-00006.jar exist, delete them. Otherwise, ignore this step.
  6. Go to {CFIDE-HOME} and take backup of {CFIDE} folder.
  7. Extract all the files in CFIDE-hf900-00007.zip to the web root directory that has {CFIDE-HOME} folder.
  8. Start the ColdFusion instance.
  9. If there are multiple instances, repeat steps 2 through 8 for each instance.

ColdFusion 8.0.1

  1. Download CF801jar.zip and CFIDE-hf801-00007.zip. Extract both zip files.
  2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper-right corner.
  3. In the update file text box, browse and select hf801-00007.jar and click Submit.
  4. Stop the ColdFusion instance.
  5. Go to {ColdFusion-Home}/lib/updates (for Server Installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installation) directory. If hf801-00001.jar, hf801-00002.jar, hf801-00003.jar, hf801-00004.jar, hf801-00005.jar, hf801-00006.jar, hf801-1875.jar, hf801-1878.jar, hf801-77218.jar, hf801-73122.jar, or hf801-71471.jar exist, delete them. Otherwise, ignore this step.
  6. Go to {CFIDE-HOME} and take backup of {CFIDE} folder.
  7. Extract all the files in CFIDE-hf801-00007.zip to the web root directory that has {CFIDE-HOME} folder.
  8. Start the ColdFusion instance.
  9. If there are multiple instances, repeat steps 2 through 8 for each instance.

ColdFusion 8.0

  1. Download CF800jar.zip and CFIDE-hf800-00007.zip. Extract both zip files.
  2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper-right corner.
  3. In the update file text box, browse and select hf800-00007.jar and click Submit.
  4. Stop the ColdFusion instance.
  5. Go to {ColdFusion-Home}/lib/updates (for Server Installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installation) directory. If hf800-00001.jar, hf800-00002.jar, hf800-00003.jar, hf800-00004.jar, hf800-00005.jar, hf800-00006.jar, hf800-70523.jar, hf800-71471.jar, hf800-73122.jar, hf800-1875.jar, hf800-77218.jar, or hf800-1878.jar exist, delete them. Otherwise, ignore this step.
  6. Go to {CFIDE-HOME} and take backup of {CFIDE} folder.
  7. Extract all the files in CFIDE-hf800-00007.zip to the web root directory that has {CFIDE-HOME} folder.
  8. Start the ColdFusion instance.
  9. If there are multiple instances, repeat steps 2 through 8 for each instance.

Section 2:

Use these instructions if you have not applied Security Hotfix APSB12-15.

ColdFusion 10

  1. In ColdFusion 10, use HotFix installer to apply this Hotfix. This is ColdFusion 10 update 2.

Important Note:

If you have not applied ColdFusion 10 Mandatory Update, then please apply it first in order to apply ColdFusion 10 Update 2.

ColdFusion 9.0.2

  1. Download CF902.zip and CFIDE-902.zip. Extract both zip files.
  2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper-right corner.
  3. In the update file text box, browse and select hf902-00001.jar located under CF902/lib/updates.
  4. Click Submit changes.
  5. Stop the ColdFusion instance.
  6. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
  7. Extract all the files in CFIDE-902.zip to the web root directory that has {CFIDE-HOME} folder.
  8. Start the ColdFusion Instance.
  9. If there are multiple instances, repeat steps 2 through 8 for each instance.

ColdFusion 9.0.1

  1. Download CF901.zip and CFIDE-901.zip. Extract both zip files.
  2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper-right corner.
  3. In the update file text box, browse and select hf901-00006.jar located under CF901/lib/updates.
  4. Click Submit changes.
  5. Stop the ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf901-00001.jar, hf901-00002.jar, hf901-00003.jar, or hf901-00004.jar, hf901-00005.jar exist, delete them. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
  8. Extract all the files in CFIDE-901.zip to the web root directory that has {CFIDE-HOME} folder.
  9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
  10. Go to CF901 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server Install) and {ColdFusion-Home} (for MultiServer and J2EE installations) directory.
  11. Go to your {ColdFusion-Home}/lib (for Server Install) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE install) and take a backup of log4j.properties, flex-messaging-common.jar, flex-messaging-core.jar.
  12. Go to CF901/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server Install) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE install).
  13. Start the ColdFusion Instance.
  14. If there are multiple instances, repeat steps 2 through 13 for each instance.

ColdFusion 9.0

  1. Download CF9.zip and CFIDE-9.zip. Extract both zip files.
  2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper-right corner.
  3. In the update file text box, browse and select hf900-00007.jar located under CF9/lib/updates.
  4. Click Submit changes.
  5. Stop the ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf900-00001.jar, hf900-00002.jar, hf900-00003.jar, hf900-00004.jar, or hf900-00005.jar, hf900-00006.jar exist, delete them. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
  8. Extract all the files in CFIDE-9.zip to the web root directory that has {CFIDE-HOME} folder.
  9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
  10. Go to CF9 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server Install) and {ColdFusion-Home} (for MultiServer and J2EE installations) directory.
  11. Go to your {ColdFusion-Home}/lib (for Server Install) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE install) and take a backup of log4j.properties, flex-messaging-common.jar, flex-messaging-core.jar.
  12. Go to CF9/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server Install) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE install).
  13. Start the ColdFusion Instance.
  14. If there are multiple instances, repeat steps 2 through 13 for each instance.

ColdFusion 8.0.1

  1. Download CF801.zip and CFIDE-801.zip. Extract both zip files.
  2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper-right corner.
  3. In the update file text box, browse and select hf801-00007.jar located under CF801/lib/updates.
  4. Click Submit changes.
  5. Stop the ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf801-00001.jar, hf801-00002.jar, hf801-00003.jar, hf801-00004.jar, hf801-00005.jar, hf801-00006.jar, hf801-1875.jar, hf801-1878.jar, hf801-77218.jar, hf801-73122.jar, or hf801-71471.jar exist, delete them. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
  8. Extract all the files in CFIDE-801.zip to the web root directory that has {CFIDE-HOME} folder.
  9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
  10. Go to CF801 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server Install) and {ColdFusion-Home} (for MultiServer and J2EE installations) directory.
  11. Go to your {ColdFusion-Home}/lib (for Server Install) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE install) and take a backup of log4j.properties, flex-messaging-common.jar, flex-messaging-core.jar.
  12. Go to CF801/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server Install) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE install).
  13. Start the ColdFusion Instance.
  14. If there are multiple instances, repeat steps 2 through 13 for each instance.

ColdFusion 8.0

  1. Download CF8.zip and CFIDE-8.zip. Extract both zip files.
  2. In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper-right corner.
  3. In the update file text box, browse and select hf800-00007.jar located under CF8/lib/updates.
  4. Click Submit changes.
  5. Stop the ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf800-00001.jar, hf800-00002.jar, hf800-00003.jar, hf800-00004.jar, hf800-00005.jar, hf800-00006.jar hf800-70523.jar, hf800-71471.jar, hf800-73122.jar, hf800-1875.jar, hf800-77218.jar, or hf800-1878.jar exist, delete them. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
  8. Extract all the files in CFIDE-8.zip to the web root directory that has {CFIDE-HOME} folder.
  9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
  10. Go to CF8 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server Install) and {ColdFusion-Home} (for MultiServer and J2EE installations) directory.
  11. Go to your {ColdFusion-Home}/lib (for Server Install) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE install) and take a backup of log4j.properties, flex-messaging-common.jar, flex-messaging-core.jar.
  12. Go to CF8/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server Install) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE install).
  13. Start the ColdFusion Instance.
  14. If there are multiple instances, repeat steps 2 through 13 for each instance.

ColdFusion integrated/installed with LCDS (For Section 2)

Follow the instructions in the security bulletin APSB11-15 to apply the fix.

Upgrading after installing the hot fix

If you installed the hot fix for ColdFusion 9 or 8, and then upgraded to ColdFusion 9.0.1 or 8.0.1, respectively, apply the security hot fix for the update.

Note:

For previous ColdFusion Security hot fixes, see the Security bulletins and advisories page.

Notes

This is last security fix for ColdFusion 8 and ColdFusion 8.0.1. For more information, visit: End of Core Support.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy