Security Hotfix | ColdFusion 8, 8.0.1, 9, 9.0.1

Search
ColdFusion User Guide

On this page

Applies to: ColdFusion

Issue

ColdFusion 9.0.1, ColdFusion 9, ColdFusion 8.0.1, and ColdFusion 8 are affected with the issue mentioned in the security bulletin APSB11-04. This TechNote provides fixes for the security issues along with the installation instructions. 

Updated on March 7th 2011 : Adobe has received a few issues with the Security Hotfix released in Feb 2011.  A list of issues are as follows:

1.Session is lost for an application accessed within same domain *.

2.Formatting problem for ResponseTime table on debug template.

3.A minor fix for CFIDE/wizards/common/_logintowizard.cfm

* A JVM property was added in case you want to completely switch off the fix for the Session Fixation issue ( Bug 86378) which prior to this security release changed Session behavior in some environments. Add the following JVM property -Dcoldfusion.session.protectfixation=false in the JVM Arguments for the Coldfusion Server.

Latest hotfixes containing the fixes for the above issues are updated in the technote. Instructions to apply the hotfix remain same. All the users should re-apply the hotfixes if they have applied it already.

Note: This hotfix contains security-specific hotfixes only. 

Solution

Follow the instructions that apply to your version of ColdFusion. Don't apply these fixes to any beta or prerelease version of ColdFusion.

Definition of ColdFusion-Home

In the following procedures, {ColdFusion-Home} indicates the following:

  • For Server installation: {ColdFusion-Home}
  • For Multiserver installation: {JRun-Home}/servers/{YourServer}/cfusion-ear/cfusion-war/
  • For J2EE installation: {cfusion-ear-Home}/cfusion-war/

Note: CFIDE.zip and WEB-INF.zip included in the hotfix contains only part of the CFIDE and WEB-INF files. Do not rename present CFIDE or WEB-INF folders to create a backup as per the instructions.  

ColdFusion 9.0.1

  1. Download and extract CF901.zip. All the files are extracted to cf901 directory.
  2. In the ColdFusion Administrator, select System Information page by clicking the "i" icon in the upper-right corner.
  3. In the Update File textbox, browse and select hf901-00001.jar located under CF901/lib/updates directory.
  4. Click Submit Changes.
  5. Stop ColdFusion instance.
  6. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
  7. Go to cf901 directory and extract all files in CFIDE.zip to the web root directory that has {CFIDE-HOME} folder.
  8. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
  9. Go to cf901 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server installation) or {ColdFusion-Home} (for Multiserver and J2EE installations) directory.
  10. Go to your {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory and make a backup of log4j.properties.
  11. Go to cf901/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib for Multiserver and J2EE installations) directory.
  12. Start ColdFusion instance.
  13. If there are multiple instances, repeat steps 2 through12 for each of the instances. 

ColdFusion 9

  1.  Download and extract CF9.zip. All the files are extracted to cf9 directory.
  2. In the ColdFusion Administrator, select System Information page by clicking the "i" icon in the upper-right corner.
  3. In the Update File textbox, browse and select hf900-00002.jar located under CF9/lib/updates directory.
  4. Click Submit Changes.
  5. Stop ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory and if hf900-00001.jar exists, delete it. Else, ignore this step.
  7. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
  8. Go to cf9 directory and extract all files in CFIDE.zip to the web root directory that has {CFIDE-HOME} folder.

  9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
  10. Go to cf9 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server installation) or {ColdFusion-Home} (for Multiserver and J2EE installations) directory.
  11. Go to your {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory and make a backup of log4j.properties.
  12. Go to cf9/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory.
  13. Start ColdFusion instance.
  14. If there are multiple instances, repeat steps 2 through 13 for each of the instances. 

ColdFusion 8.0.1

  1.  Download and extract CF801.zip. All the files are extracted to cf801 directory.
  2. In the ColdFusion Administrator, select System Information page by clicking the "i" icon in the upper-right corner.
  3. In the Update File textbox, browse and select hf801-00002.jar located under CF801/lib/updates directory.
  4. Click Submit Changes.
  5. Stop ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf801-00001.jar, hf801-1875.jar, hf801-1878.jar, hf801-77218.jar, hf801-73122.jar, or hf801-71471.jar exist, delete them. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
  8. Go to cf801 directory and extract all files in CFIDE.zip to the web root directory that has {CFIDE-HOME} folder.

  9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
  10. Go to cf801 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server installation) or {ColdFusion-Home} (for Multiserver and J2EE installations) directory.
  11. Go to your {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory and make a backup of log4j.properties.
  12. Go to cf801/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory.
  13. Start ColdFusion instance.
  14. If there are multiple instances, repeat steps 2 through 13 for each of the instances. 

ColdFusion 8

  1. Download and extract CF8.zip. All the files are extracted to cf8 directory.
  2. In the ColdFusion Administrator, select System Information page by clicking the "i" icon in the upper-right corner.
  3. In the Update File textbox, browse and select hf800-00002.jar located under CF8/lib/updates directory.
  4. Click Submit Changes.
  5. Stop ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf800-00001.jar, hf800-70523.jar, hf800-71471.jar, hf800-73122.jar, hf800-1875.jar, hf800-77218.jar, or hf800-1878.jar exist, delete them. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
  8. Go to cf8 directory and extract all files in CFIDE.zip to the web root directory that has {CFIDE-HOME} folder.

  9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
  10. Go to cf8 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server installation) or {ColdFusion-Home} (for Multiserver and J2EE installations) directory.
  11. Go to your {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory and make a backup of log4j.properties.
  12. Go to cf8/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory.
  13. Start ColdFusion instance.
  14. If there are multiple instances, repeat steps 2 through 13 for each of the instances.

Note: Previous ColdFusion Security Hotfixes - Security bulletins and advisories page

If you have upgraded after installing the hotfix

If you installed the hotfix for ColdFusion 9 or ColdFusion 8 and then upgraded (to ColdFusion 9.0.1 or ColdFusion 8.0.1), ensure that you apply the security hotfix for the update.

 Note - Legal Disclaimer 

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy

Choose your region

Selecting a region changes the language and/or content on Adobe.com.

Americas
Brasil
Canada - English
Canada - Français
Latinoamérica
México
United States
Europe, Middle East and Africa
Africa - English
België
Belgique
Belgium - English
Česká republika
Cyprus - English
Danmark
Deutschland
Eastern Europe - English
Eesti
España
France
Greece - English
Ireland
Israel - English
Italia
Latvija
Lietuva
Luxembourg - Deutsch
Luxembourg - English
Luxembourg - Français
Magyarország
Malta - English
Middle East and North Africa - English
Nederland
Norge
Österreich
Polska
Portugal
România
Schweiz
Slovenija
Slovensko
Suisse
Suomi
Sverige
Svizzera
Türkiye
United Kingdom
България
Россия
Україна
الشرق الأوسط وشمال أفريقيا - اللغة العربية
ישראל - עברית
Asia - Pacific
Australia
Hong Kong S.A.R. of China
India - English
New Zealand
Southeast Asia (Includes Indonesia, Malaysia, Philippines, Singapore, Thailand, and Vietnam) - English
中国
中國香港特別行政區
台灣
日本
한국
Commonwealth of Independent States
Includes Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Turkmenistan, Ukraine, Uzbekistan