ColdFusion Security hotfix APSB13-03

Adobe Community Help


Products Affected

  • ColdFusion 10
  • ColdFusion 9


Issue

ColdFusion 10, ColdFusion 9.0.2, ColdFusion 9.0.1, and ColdFusion 9.0 are affected by the vulnerabilities described in security bulletin APSB13-03. This article provides the fixes for the security issues in that bulletin, along with installation instructions.


Solution

Note

  1. This hotfix disables RDS by default. To enable it, check the RDS Service flag.
    1. The RDS Service flag is an addition to the ColdFusion Administrator UI (to reach it, click Administrator > Security > RDS).
    2. Since RDS is a development service, enabling it on production and/or public-facing servers is not recommended. If RDS is enabled, password protection should also be set.
    3. To enable RDS, ensure that the RDSServlet-related configuration entries are not commented out in the web.xml file.
  2. This hotfix adds a restriction so that only .txt and .log files can be used to save the output of a scheduled task or probe through the Administrator and Admin API. If you want to allow more file extensions, open {ColdFusion-Home}/lib/neo-cron.xml, find <string>txt,log</string> and replace it with the required extensions (for example, <string>html,txt</string>).
  3. Lock down the server against external access to some of the administrative applications. Details can be found in the ColdFusion 9 Lockdown Guide and the ColdFusion 10 Lockdown Guide.
  4. See the important security hotfix-related notes published in previous security hotfixes here.

ColdFusion 10

In ColdFusion 10, use the hotfix installer to apply this update (ColdFusion 10 Update 7). ColdFusion 10 Update 7 is a cumulative update; that is, it includes all the bug fixes from the previous updates of ColdFusion 10.

Important Note:

If you have not applied the ColdFusion 10 Mandatory Update, apply it first, then apply this update.

ColdFusion 9

Follow the instructions that apply to your version of ColdFusion. Do not apply these fixes to any beta or prerelease version of ColdFusion.

Definition for ColdFusion-Home:

In the following deployment options, {ColdFusion-Home} indicates the following:

  • For Server installation: {ColdFusion-Home}
  • For Multiserver installation: {JRun-Home}/servers/{YourServer}/cfusion-ear/cfusion-war/
  • For J2EE installation: {cfusion-ear-Home}/cfusion-war/

Note

  1. The hotfix files contain some of the previous security hotfixes.
  2. In ColdFusion 9.0.x, do not remove any jar files that begin with chf from the {ColdFusion-Home}/lib/updates folder.
  3. The CFIDE.zip and WEB-INF.zip included in the hotfix contain only part of the CFIDE and WEB-INF files. Do not rename the existing CFIDE and WEB-INF folders.

ColdFusion 9.0.2

  1. Download CF902.zip and CFIDE-902.zip. Extract both zip files.
  2. In ColdFusion Administrator, open the System Information page by clicking the "i" icon in the upper-right corner.
  3. In the "Update File" text box, browse to and select hf902-00003.jar, located under CF902/lib/updates.
  4. Click Submit Changes.
  5. Stop the ColdFusion instance.
  6. Go to the {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf902-00001.jar or hf902-00002.jar exist, delete them. Otherwise, skip this step.
  7. Go to {CFIDE-HOME} and take a backup of the CFIDE folder.
  8. Extract all the files in CFIDE-902.zip and merge them into the web root directory that contains the {CFIDE-HOME} folder.
  9. Start the ColdFusion instance.
  10. If there are multiple instances, repeat steps 2 through 9 for each instance.

ColdFusion 9.0.1

  1. Download CF901.zip and CFIDE-901.zip. Extract both zip files.
  2. In ColdFusion Administrator, open the System Information page by clicking the "i" icon in the upper-right corner.
  3. In the "Update File" text box, browse to and select hf901-00008.jar, located under CF901/lib/updates.
  4. Click Submit Changes.
  5. Stop the ColdFusion instance.
  6. Go to the {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If any of hf901-00001.jar, hf901-00002.jar, hf901-00003.jar, hf901-00004.jar, hf901-00005.jar, hf901-00006.jar, or hf901-00007.jar exist, delete them. Otherwise, skip this step.
  7. Go to {CFIDE-HOME} and take a backup of the CFIDE folder.
  8. Extract all the files in CFIDE-901.zip and merge them into the web root directory that contains the {CFIDE-HOME} folder.
  9. Go to the {ColdFusion-Home}/wwwroot/WEB-INF directory and take a backup of the WEB-INF folder.
  10. Go to the CF901 directory and extract all the files in WEB-INF.zip, merging them into the {ColdFusion-Home}/wwwroot (for Server installation) or {ColdFusion-Home} (for Multiserver and J2EE installations) directory.
  11. Go to {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) and take a backup of log4j.properties, flex-messaging-common.jar, and flex-messaging-core.jar.
  12. Go to the CF901/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations).
  13. Start the ColdFusion instance.
  14. If there are multiple instances, repeat steps 2 through 13 for each instance.

ColdFusion 9.0

  1. Download CF9.zip and CFIDE-9.zip. Extract both zip files.
  2. In ColdFusion Administrator, open the System Information page by clicking the "i" icon in the upper-right corner.
  3. In the "Update File" text box, browse to and select hf900-00009.jar, located under CF9/lib/updates.
  4. Click Submit Changes.
  5. Stop the ColdFusion instance.
  6. Go to the {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If any of hf900-00001.jar, hf900-00002.jar, hf900-00003.jar, hf900-00004.jar, hf900-00005.jar, hf900-00006.jar, hf900-00007.jar, or hf900-00008.jar exist, delete them. Otherwise, skip this step.
  7. Go to {CFIDE-HOME} and take a backup of the CFIDE folder.
  8. Extract all the files in CFIDE-9.zip and merge them into the web root directory that contains the {CFIDE-HOME} folder.
  9. Go to the {ColdFusion-Home}/wwwroot/WEB-INF directory and take a backup of the WEB-INF folder.
  10. Go to the CF9 directory and extract all the files in WEB-INF.zip, merging them into the {ColdFusion-Home}/wwwroot (for Server installation) or {ColdFusion-Home} (for Multiserver and J2EE installations) directory.
  11. Go to {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) and take a backup of log4j.properties, flex-messaging-common.jar, and flex-messaging-core.jar.
  12. Go to the CF9/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations).
  13. Start the ColdFusion instance.
  14. If there are multiple instances, repeat steps 2 through 13 for each instance.
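A post-install check written for this article (example code, not Adobe's own) covering the two things the notes and the ColdFusion 9 procedures above leave to the administrator: that RDS is still disabled in web.xml (note 1 of the Solution section) and that superseded hf*.jar files were removed from lib/updates (step 6 of each procedure) without touching chf*.jar files (note 2 for 9.0.x). The web.xml fragment, the placeholder servlet class names and the jar files created in demo() are constructed for this example.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

def _local(tag):
    # Strip a namespace prefix such as {http://java.sun.com/xml/ns/j2ee} from a tag.
    return tag.rsplit("}", 1)[-1]

def rds_enabled(web_xml_text):
    """True if web.xml still has an active (uncommented) RDSServlet entry.
    ElementTree discards XML comments while parsing, so a commented-out
    RDSServlet block, which is how the hotfix leaves it, is not seen."""
    root = ET.fromstring(web_xml_text)
    return any(_local(el.tag) == "servlet-name" and (el.text or "").strip() == "RDSServlet"
               for el in root.iter())

def superseded_hotfix_jars(updates_dir, current_jar):
    """Older hfNNN-MMMMM.jar files in lib/updates that step 6 says to delete.
    chf*.jar files never match the pattern, in line with note 2 for ColdFusion 9.0.x."""
    m = re.fullmatch(r"(hf\d+)-(\d+)\.jar", current_jar)
    if not m:
        raise ValueError(f"unexpected hotfix jar name: {current_jar}")
    prefix, current = m.group(1), int(m.group(2))
    stale = []
    for p in Path(updates_dir).glob(f"{prefix}-*.jar"):
        n = re.fullmatch(rf"{prefix}-(\d+)\.jar", p.name)
        if n and int(n.group(1)) < current:
            stale.append(p.name)
    return sorted(stale)

# Constructed web.xml fragment with the RDS block commented out; servlet classes are placeholders.
WEB_XML_RDS_DISABLED = """<web-app>
  <!-- <servlet><servlet-name>RDSServlet</servlet-name>
       <servlet-class>example.PlaceholderRdsServlet</servlet-class></servlet> -->
  <servlet><servlet-name>CfmServlet</servlet-name>
    <servlet-class>example.PlaceholderCfmServlet</servlet-class></servlet>
</web-app>"""
# The same fragment with the comment markers removed, i.e. RDS re-enabled.
WEB_XML_RDS_ENABLED = WEB_XML_RDS_DISABLED.replace("<!-- ", "").replace(" -->", "")

def demo():
    """Run both checks on constructed data; returns (rds disabled?, rds enabled?, stale jars)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("hf902-00001.jar", "hf902-00002.jar", "hf902-00003.jar", "chf9020001.jar"):
            Path(d, name).write_bytes(b"")  # constructed, empty placeholder jars
        stale = superseded_hotfix_jars(d, "hf902-00003.jar")
    return rds_enabled(WEB_XML_RDS_DISABLED), rds_enabled(WEB_XML_RDS_ENABLED), stale
```

Point rds_enabled() at the web.xml of each instance and superseded_hotfix_jars() at its lib/updates directory with the jar name for your version (hf902-00003.jar, hf901-00008.jar or hf900-00009.jar) to confirm the procedure was completed.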

ColdFusion integrated/Installed with LCDS

Follow the instructions in the security bulletin APSB11-15 to apply the fix.

Upgrading after installing the hotfix

If you installed the hotfix for ColdFusion 9 and then upgraded to ColdFusion 9.0.1, apply the security hotfix for that update as well.

Note:

For previous ColdFusion security hotfixes, see the Security bulletins and advisories page.

Revisions:

January 15, 2013: Instructions updated for ColdFusion 9.0.2.

June 26, 2013: Added note #4 in the note section.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
