The following fixes are contained in ColdFusion 9.0.1 Cumulative Hotfix 1 (CHF1). Adobe recommends that you apply CHF1 to ColdFusion 9.0.1 only if you are experiencing one or more of the issues listed in the following table. This cumulative hotfix is specific to ColdFusion 9.0.1 and you don't have to apply it to any other releases. 

Bug ID Description Added in Cumulative Hot Fix
APSB10-18 Security Fix for the directory traversal vulnerability that could lead to information disclosure.  1
83598 Setting default locale to en_GB results in Invalid Date Format error when you run a scheduled task. 1
83638 serializeJSON converts integer to string. 1
83650 Submitting a form inside a cflayout type=”hbox|vbox” results in a JavaScript error. 1
83671 If named arguments with implicit structs and arrays use local variables, it results in ‘variable is undefined’ error. 1
83689 cfdump does not display the changes to the functions for a CFC object. 1
83694 cfgrid sorting does not function as desired for static and dynamic data except when the data is retrieved from the database. 1
83725 If you send mails with inline images, the source image is deleted. 1
83747 ColdFusion ORM preUpdate event handler is called  twice when a persistent entity is updated within a cftransaction.

Note: This issue has been fixed for one data source per request use-case.
83818 ColdFusion debugger can fail if the file being debugged is repeatedly revised. 1
83829 cfwindow onShow method is called twice. 1
83836 serializeJSON incorrectly serializes nested objects. Also, in the case of circular references, for example, when handling bidirectional ORM relationship, repeating entities are represented as empty strings instead of empty objects. 1

Install ColdFusion 9.0.1 Cumulative Hotfix 1 (CHF1)

The installation process is the same for all platforms and installation choices.

Definition of ColdFusion-Home

In the following procedures, {ColdFusion-Home} indicates the following:

  • For Server installation: {ColdFusion-Home}
  • For Multiserver installation: {JRun-Home}/servers/{YourServer}/cfusion-ear/cfusion-war/
  • For J2EE installation: {cfusion-ear-Home}/cfusion-war/  
  1. Download and then extract chf9010001.jar,, and
  2. Open the ColdFusion 9.0.1 Administrator and then click the icon System Information in the upper-left corner.
  3. In the System Information page, click Browse Server (next to Update File) and then browse to the extracted file chf9010001.jar.
  4. Select the file and then click Apply.
  5. In the System Information page, click Submit Changes.
  6. Back up dump.cfm located in the directory {ColdFusion-Home}/wwwroot/WEB-INF/cftags (for Server installation) or {ColdFusion-Home}/WEB-INF/cftags (for Multi-server or J2EE Installation).
  7. Extract the file in the to the directory {ColdFusion-Home}/wwwroot (for Server installation) or {ColdFusion-Home} (for Multi-server or J2EE Installation).
  8. Back up the files {CFIDE-Home}\administrator\scheduler\scheduletasks.cfm, {CFIDE-Home}\scripts\ajax\package\cfwindow.js files, {CFIDE-Home}\administrator\cftags\l10n.cfm, and {CFIDE-Home}\administrator\cftags\l10n_testing.cfm.
  9. Extract the files in to the web root directory that consists of CFIDE folder.
  10. (For multiple ColdFusion instances) Repeat steps 3 - 9 for each instance.
  11. Restart all the ColdFusion instances.

Note: If the security fix mentioned in the bulletin APSB10-18 is already applied, you need not back up the files {CFIDE-Home}\administrator\cftags\l10n.cfm and {CFIDE-Home}\administrator\cftags\l10n_testing.cfm. 

After installation, you can delete the ColdFusion 9.0.1 cumulative hot fix JAR file. The file has been copied to the correct location.

The ColdFusion 9.0.1 cumulative hotfix JAR file appears as a new entry in the System Information list.

Uninstall Cumulative Hotfix 1

You can uninstall ColdFusion hotfix JARs by stopping the ColdFusion application server and deleting the respective JARs from cf_root/lib/updates. You can then revert to the backed up CFM and JavaScript files. 


This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy