Issue

The following fixes are contained in ColdFusion 8.0.1 Cumulative Hot Fix 4 (CHF4). Adobe recommends that you apply CHF4 to ColdFusion 8.0.1 only if you are experiencing one or more of the issues listed below. This cumulative hot fix is specific to ColdFusion 8.0.1 and isn't meant to be applied to any other releases. 

Note: Changed 12/07/2009. Added more information regarding security fixes.

Note: Changed 08/29/2011. Added the correct download for hf801-71471.zip to the TechNote.

Bug ID (cumulative hot fix in which the fix was added): description

79527 (CHF 4): Fix for inconsistent behavior when using ColdFusion date functions along with the cfthread tag.
79409 (CHF 4): Fix for the error "Missing dbvarname attribute" thrown when only a subset of the cfprocparam dbvarname values are provided.
79365 (CHF 4): Fix for ColdFusion randomly leaving behind "ColdFusionReport subreport filler" threads in a suspended state.
79287 (CHF 4): Fix for ColdFusion displaying garbled text when using cfftp listdir to display files with multibyte names.
78646 (CHF 4): Fix for the security vulnerability in which ColdFusion accepted the CFID/CFTOKEN provided by the user to create a session.
77218 (CHF 4): Fix for the security vulnerability in FCKeditor when its scripts directory is accessible to users.
61934 (CHF 3): Fix for the error "Document has no pages" thrown when the cfreport encryption attribute is set to 128-bit or 40-bit.
70580 (CHF 3): Added support for serialization of Array, DateTime, Query, and Java objects in CFCs.
72657 (CHF 3): Fix for retrieving form variables when using multibyte characters in a Flash grid.
72973 (CHF 3): Added support for the multipart/related content type, sometimes used with the Google and YouTube APIs.
72563 (CHF 3): Fix for a ClassCastException thrown when using <cfqueryparam> with a JNDI data source configured with a JDBC driver that supports auto-generated keys.
73761 (CHF 3): Fix for the error "Cannot find CFML template for custom tag" thrown under load when using THIS.customtagpath in Application.cfc and "enable per app settings" is enabled.
74518 (CHF 3): Fix for the error "OALL8 is in an inconsistent state" thrown when inserting CLOB data using the Oracle thin driver with the Oracle property CURSOR_SHARING set to SIMILAR.
74840 (CHF 3): Fix for the global script protection setting to function correctly when Application.cfc and Application.cfm are absent.
74297 (CHF 3): Fix for a 440 status error thrown when connecting to Exchange Server 2007 using cfexchangeconnection with the formbasedauthentication attribute enabled.
74298 (CHF 3): Fix for cfexchangemail when setting properties for e-mail messages that contain special characters such as ^, {, }, and ' in the subject.
75815 (CHF 3): Fix for the error "Requested Exchange resource was not found on the server" thrown when retrieving an attachment with cfexchangemail for e-mails containing special characters in the subject.
75033 (CHF 3): Fix for the error "ORA-00933: SQL command not properly ended" thrown when using a ColdFusion Oracle OCI data source with certain insert statements.
75689 (CHF 3): Fix for the error "java.lang.NoClassDefFoundError: Could not initialize class coldfusion.runtime.report.Report" thrown when requesting reports within a sandbox.
75691 (CHF 3): Fix for possible Java deadlocks when server monitor profiling is enabled.
75676 (CHF 3): Fix for the error "The input and output encodings are not same" thrown when decrypting an encrypted string using CFMX_COMPAT.
76556 (CHF 3): Fix for the CFSTAT Pg/Sec column showing negative values with a ColdFusion 8 server install.
77029 (CHF 3): Fix for GetFileFromPath() to return the full path and file name instead of just the file name when ColdFusion runs on a UNIX platform and the input path is in Windows format.
77508 (CHF 3): Fix to make ColdFusion look for CFCs called as web services in the web root as well as in mappings. This issue was introduced with CHF 2.
72744 (CHF 2): Fix for CFHTTP to disable deflate compression by default in the request header when ColdFusion sends an HTTP request, since the CFHTTP client does not handle compression.
72641 (CHF 2): Fix for memory leaks with CFCs stored in memory scopes. Note: This fix does not eliminate the need for proper use of the VAR scope in CFC methods.
71888 (CHF 2): Fix for cffile upload not handling large files because the file size limit was coded as a Java int.
71899 (CHF 2): Fix for the "access denied" error thrown when Sandbox Security is enabled and ColdFusion tags such as CFImage and CFPresentation are used.
71975 (CHF 2): Fix for the 500 error "java.lang.NoClassDefFoundError: Could not initialize class com.adobe.internal.ddxm.io.Document" thrown when using the CFPDF tag to process DDX with Sandbox Security enabled.
71787 (CHF 2): Fix for an "Object Instantiation Exception" thrown when calling a Java object constructor or method with a null argument under JDK 1.6.
71879 (CHF 2): Fix for "StringIndexOutOfBoundsException: String index out of range" when a URL is passed as an argument to a CFC method.
71857 (CHF 2): Fix for "access denied" errors thrown with custom tags when Sandbox Security is enabled in ColdFusion 8.0.1.
71800 (CHF 2): Fix for spooled CFMail with attachments failing with an "invalid spool file" error.
70839 (CHF 2): Fix for the title of a dynamic grid not working when collapsible="true".
71664 (CHF 2): Fix for cffile write to a full drive failing silently with no error thrown; a 0-byte file was created but no content was written.
71634 (CHF 2): Fix for several formatting issues with CFMenu.
71648 (CHF 2): Fix to restore the behavior of symbolic links to CFM pages on Linux to that of ColdFusion 5 and earlier: ColdFusion picks up Application.cfm from the directory where the link is created, not from where the physical file lives.
71630 (CHF 2): Fix for display issues with the HTML cfgrid in ColdFusion 8.0.1.
71362 (CHF 1): Fix for the error java.lang.ArithmeticException: / by zero thrown when ColdFusion runs against a 64-bit Apache web server on UNIX, Linux, or Mac OS.
71588 (CHF 1): Fix for file operation errors when the cfftp tag is called without the connection attribute.
71606 (CHF 1): Fix for ignored attributes in the cftooltip tag.
71633 (CHF 1): Fix for case sensitivity of the cfmenu TYPE attribute values 'vertical' and 'horizontal'.

Solution

Use the ColdFusion 8 Administrator to install cumulative hot fixes. The installation process is the same for all platforms and installation choices.

Note: This cumulative hot fix does not include all the security fixes. See Additional Security Fixes Information below for details.

Before you install the hot fixes:

Stop the ColdFusion application server and delete from cf_root/lib/updates (server install) or {cfusion-ear-home}/cfusion-war/WEB-INF/cfusion/lib/updates (Multiserver and J2EE installs) every hot fix JAR file that falls into one of these categories:

  • Any previously installed individual fix that is now contained in this cumulative hot fix (see the bug ID list above).
  • Any previously installed cumulative hot fix.
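The pre-install cleanup above is easy to get wrong by hand: only the individual hot fixes whose bug IDs are in the CHF4 list should go, while JARs that CHF4 does not contain (for example hf801-71471.jar and the JDK 1.5 JARs installed in step 2 below) must stay. The following POSIX shell script is an added example, not part of the Adobe TechNote, that moves exactly the superseded JARs into a backup directory. It assumes the file naming the TechNote itself uses (hf801-<bugid>.jar for individual fixes, chf80100N.jar for cumulative ones) and takes its bug ID list from the table above; the demonstration directory it builds is constructed, not a real install.

```shell
#!/bin/sh
# Added example (not part of the Adobe TechNote): before installing CHF4, move the
# hot fix JARs that CHF4 supersedes out of lib/updates into a backup directory.
# Assumptions: individual hot fixes are named hf801-<bugid>.jar and cumulative hot
# fixes chf80100N.jar, as the file names in the TechNote indicate; the bug IDs
# below are the ones listed in the TechNote's table.
set -eu

# Bug IDs whose individual hot fixes are contained in CHF4 (from the table).
CHF4_BUG_IDS="79527 79409 79365 79287 78646 77218 61934 70580 72657 72973 72563
73761 74518 74840 74297 74298 75815 75033 75689 75691 75676 76556 77029 77508
72744 72641 71888 71899 71975 71787 71879 71857 71800 70839 71664 71634 71648
71630 71362 71588 71606 71633"

# Return 0 if the JAR named by $1 is superseded by CHF4 and should be removed.
# Set KEEP_JDK15_JARS=1 on JDK 1.5, where step 2 of the installation reinstalls
# hf801-71975.jar alongside CHF4.
superseded_by_chf4() {
    name=$(basename "$1")
    case "$name" in
        chf8010004.jar) return 1 ;;        # CHF4 itself stays
        chf801*.jar)    return 0 ;;        # any earlier cumulative hot fix
        hf801-*.jar)
            id=${name#hf801-}
            id=${id%.jar}
            if [ "${KEEP_JDK15_JARS:-0}" = 1 ] && [ "$id" = 71975 ]; then
                return 1
            fi
            for b in $CHF4_BUG_IDS; do
                [ "$b" = "$id" ] && return 0
            done
            return 1 ;;
        *) return 1 ;;                     # not a hot fix JAR; leave it alone
    esac
}

# Move every superseded JAR from the updates directory $1 into the backup
# directory $2 and print how many were moved.
clean_updates_dir() {
    updates=$1
    backup=$2
    mkdir -p "$backup"
    moved=0
    for jar in "$updates"/*.jar; do
        [ -e "$jar" ] || continue          # no JARs at all: glob stays literal
        if superseded_by_chf4 "$jar"; then
            mv "$jar" "$backup"/
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# Demonstration on a constructed lib/updates directory (not a real install).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/updates"
for f in chf8010003.jar hf801-77218.jar hf801-71471.jar hf801-71557.jar; do
    : > "$demo_dir/updates/$f"
done
echo "moved $(clean_updates_dir "$demo_dir/updates" "$demo_dir/updates.bak") superseded JAR(s)"
ls "$demo_dir/updates"
# Real use (server install): clean_updates_dir /opt/coldfusion8/lib/updates /root/cf-hotfix-backup
```

On the constructed directory the script moves chf8010003.jar and hf801-77218.jar and leaves hf801-71471.jar and hf801-71557.jar in place. Run it with the server stopped, and keep the backup directory outside lib/updates so the moved JARs are not picked up on restart.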

Installing the hot fixes

  1. Download chf8010004.zip and do the following:
    1. Extract chf8010004.jar and cfmx_bootstrap.jar.
    2. Open the ColdFusion 8 Administrator and select the System Information page.
    3. Click Browse next to the Update File box, and then browse to the extracted file chf8010004.jar. Select the file, and then click Submit.
    4. Stop all the ColdFusion instances.
    5. Make a backup of cfmx_bootstrap.jar at {Coldfusion-Home}/wwwroot/WEB-INF/lib (server install) or {cfusion-ear-home}/cfusion-war/WEB-INF/lib (Multiserver and J2EE installs).
    6. Replace cfmx_bootstrap.jar with the downloaded cfmx_bootstrap.jar.
  2. (Applies only if you are using JDK 1.5; otherwise skip this step.) Do the following:
    1. Download hf801-71975.zip and extract hf801-71975.jar to cf_root/lib/updates (server install) or {cfusion-ear-home}/cfusion-war/WEB-INF/cfusion/lib/updates (Multiserver and J2EE installs).
    2. Download hf801-71557.zip and do the following:
      • Extract hf801-71557.jar to the same lib/updates directory.
      • Extract metadata-extractor-2.3.1.jar to {Coldfusion-Home}/lib (server install) or {cfusion-ear-home}/cfusion-war/WEB-INF/cfusion/lib (Multiserver and J2EE installs).
  3. (Optional) If you want to install the security fixes, perform the steps provided in the section Additional Security Fixes Information.
  4. After placing the files in the respective folders, restart all the ColdFusion instances.

Note: Instead of substeps 2 and 3 (in step 1), which use the ColdFusion Administrator, you can install the JAR manually: stop all ColdFusion instances, copy chf8010004.jar to cf_root/lib/updates (server install) or {cfusion-ear-home}/cfusion-war/WEB-INF/cfusion/lib/updates (Multiserver and J2EE installs), and then continue with substep 5.

You do not need to keep the ColdFusion 8.0.1 cumulative hot fix JAR file after installing it with the ColdFusion Administrator. The file has been copied to the correct location.

The ColdFusion 8.0.1 cumulative hot fix JAR file appears as a new entry in the System Information list.

ColdFusion hot fix JARs are uninstalled by stopping the ColdFusion application server and deleting the respective JARs from cf_root/lib/updates (server install) or {cfusion-ear-home}/cfusion-war/WEB-INF/cfusion/lib/updates (Multiserver and J2EE installs).

 

Additional Security Fixes Information

Note: See http://www.adobe.com/support/security/#coldfusion to make sure that you have installed any security updates that were released since this document was last updated.

Cumulative Hot Fix 4 contains only the fixes that are delivered as hot fix JARs; it does not contain the hot fix files for CFIDE, the web server connector, or the JRun admin server. To install those security hot fixes, do the following:

Security hot fix

  • Download hf801-71471.zip and extract hf801-71471.jar to cf_root/lib/updates (server install) or {cfusion-ear-home}/cfusion-war/WEB-INF/cfusion/lib/updates (Multiserver and J2EE installs).

Apply the following three hot fixes after stopping the ColdFusion server:

Hot fix 1

  1. Take a backup of /CFIDE/scripts/ajax/FCKeditor folder outside the webroot.
  2. Download and unzip the provided CFIDE.zip file.
  3. Merge the unzipped CFIDE folder with the existing CFIDE at the webroot, overwriting the files in the existing CFIDE folder when prompted.
  4. Delete the files cf5_upload.cfm and cf5_connector.cfm from the following location: cfwebroot\CFIDE\scripts\ajax\FCKeditor\editor\filemanager\connectors\cfm.

With a MultiServer installation, apply this hot fix to all ColdFusion server instances. If there are multiple CFIDE directories, update all of them properly.

The hot fix JAR is installed in cf_root\lib\updates (server install) or cfusion-ear/cfusion-war/WEB-INF/cfusion/lib/updates (J2EE and Multiserver installs). The hf801-77218.jar file (the standalone form of this fix, which CHF4 supersedes) appears as a new entry in the System Information classpath list and in the Update Level field. In cfwebroot/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/Config.cfm, confirm that Config.Enabled is set to false.

Hot fix 2

  1. Download CFIDE-8.0.1.zip from the CVE-2009-1875 Hotfix for ColdFusion 8.0.1 page.
  2. Take a backup of Application.cfm and index.cfm in <cfwebroot>\CFIDE\administrator.
  3. From the downloaded CFIDE, copy the Application.cfm and index.cfm from CF8.0.1\CFIDE\administrator to <cfwebroot>\CFIDE\administrator. 

Hot fix 3

An update for ColdFusion resolves a cross-site scripting vulnerability that could potentially lead to code execution (CVE-2009-1872 and CVE-2009-1877).

  1. Download CFIDE-8.0.1.zip from the CVE-2009-1872 and CVE-2009-1877 Hotfix for ColdFusion 8.0.1 page.
  2. Stop the ColdFusion server.
  3. Take a backup of cf_debugFr.cfm in <cfwebroot>\CFIDE\debug\ and _logintowizard.cfm in <cfwebroot>\CFIDE\wizards\common.
  4. From the downloaded CFIDE, copy cf_debugFr.cfm to <cfwebroot>\CFIDE\debug\ and _logintowizard.cfm to <cfwebroot>\CFIDE\wizards\common.

After applying the hot fixes, start the ColdFusion server.

Critical vulnerabilities have been identified in ColdFusion v8.0.1 and earlier versions and JRun 4.0. An update for JRun resolves a management console directory traversal vulnerability that could potentially lead to information disclosure (CVE-2009-1873). Also, an update for JRun resolves multiple management console cross-site scripting vulnerabilities that could potentially lead to code execution (CVE-2009-1874).

  1. Stop the JRun admin server.
  2. Take a backup of the jmc-app.ear in JRun4\servers\admin.
  3. Download CVE-2009-1873 and CVE-2009-1874 Hotfix for JRun 4.0 and extract jmc-app.ear. Copy the jmc-app.ear in to JRun4\servers\admin.
  4. Start the admin server.

Adobe recommends that all users of JRun Updater 5 and earlier versions upgrade to the newest version, JRun Updater 7, and then apply the fix above.

An update for ColdFusion resolves multiple cross-site scripting vulnerabilities that could potentially lead to code execution (CVE-2009-1875).

An update for ColdFusion resolves a double-encoded null character vulnerability that could potentially lead to information disclosure (CVE-2009-1876). Apply this update only to ColdFusion installations that are configured with Apache.

For customers who have already applied all the security fixes:

  1. Remove the following security-related jars: hf801-73122.jar, hf801-77218.jar, hf801-1875.jar, and hf801-1878.jar.
  2. Follow the instructions above to apply Cumulative Hot Fix 4.
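After the cumulative and security hot fixes are in place, the state worth confirming is spread over three locations: the FCKeditor connector's Config.cfm (Config.Enabled must be false, as Hot fix 1 says), the connector directory (cf5_upload.cfm and cf5_connector.cfm must be gone) and lib/updates (chf8010004.jar and hf801-71471.jar present, the four superseded security JARs listed above absent). The POSIX shell script below is an added verification example, not part of the Adobe TechNote. It assumes the connector sets its flag with a line of the form <cfset Config.Enabled = false />, uses the JAR and path names quoted in this TechNote, and builds a constructed install tree for its demonstration.

```shell
#!/bin/sh
# Added post-installation check (example code, not part of the Adobe TechNote).
# Assumptions: the FCKeditor CFML connector's Config.cfm sets the flag with a line
# of the form '<cfset Config.Enabled = false />', and the JAR names are the ones
# quoted in the TechNote.
set -eu

# JARs that must be present after CHF4 plus the security hot fix are installed.
REQUIRED_JARS="chf8010004.jar hf801-71471.jar"
# Superseded security JARs that must no longer be in lib/updates.
OBSOLETE_JARS="hf801-73122.jar hf801-77218.jar hf801-1875.jar hf801-1878.jar"
# Relative path of the FCKeditor CFML connector under the web root.
FCK_CFM="CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm"

# 0 if $1 exists, sets Config.Enabled to false, and never sets it to true.
fck_connector_disabled() {
    cfg=$1
    [ -f "$cfg" ] || return 1
    if grep -Eiq 'Config\.Enabled[[:space:]]*=[[:space:]]*true' "$cfg"; then
        return 1
    fi
    grep -Eiq 'Config\.Enabled[[:space:]]*=[[:space:]]*false' "$cfg"
}

# 0 if the legacy CF5 connector files were deleted from the cfm connector dir $1.
cf5_connector_removed() {
    for f in cf5_upload.cfm cf5_connector.cfm; do
        [ ! -e "$1/$f" ] || return 1
    done
    return 0
}

# 0 if lib/updates ($1) holds the required JARs and none of the obsolete ones.
updates_dir_consistent() {
    for f in $REQUIRED_JARS; do [ -f "$1/$f" ] || return 1; done
    for f in $OBSOLETE_JARS; do [ ! -e "$1/$f" ] || return 1; done
    return 0
}

# Run all checks for a server install ($1 = cf_root, $2 = web root); print one
# line per check and return the number of failed checks.
verify_install() {
    cf_root=$1
    webroot=$2
    failed=0
    if fck_connector_disabled "$webroot/$FCK_CFM/Config.cfm"; then
        echo "ok   Config.Enabled is false"
    else
        echo "FAIL Config.Enabled is not false in $FCK_CFM/Config.cfm"
        failed=$((failed + 1))
    fi
    if cf5_connector_removed "$webroot/$FCK_CFM"; then
        echo "ok   cf5_upload.cfm and cf5_connector.cfm are gone"
    else
        echo "FAIL legacy CF5 connector files still present"
        failed=$((failed + 1))
    fi
    if updates_dir_consistent "$cf_root/lib/updates"; then
        echo "ok   lib/updates holds CHF4 and hf801-71471 and no superseded security JARs"
    else
        echo "FAIL lib/updates is missing a required JAR or still holds a superseded one"
        failed=$((failed + 1))
    fi
    return $failed
}

# Demonstration on a constructed install tree (not a real server).
demo=$(mktemp -d)
mkdir -p "$demo/www/$FCK_CFM" "$demo/cf/lib/updates"
printf '<cfset Config.Enabled = false />\n' > "$demo/www/$FCK_CFM/Config.cfm"
: > "$demo/cf/lib/updates/chf8010004.jar"
: > "$demo/cf/lib/updates/hf801-71471.jar"
: > "$demo/cf/lib/updates/hf801-77218.jar"   # left over: should be flagged
verify_install "$demo/cf" "$demo/www" || echo "$? check(s) failed"
# Real use (server install): verify_install /opt/coldfusion8 /opt/coldfusion8/wwwroot
```

On the constructed tree the first two checks pass and the third fails because hf801-77218.jar was left behind. With a Multiserver installation, run verify_install once per instance and per CFIDE directory, since each has its own connector copy and lib/updates.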

 

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.