ColdFusion 9.0.1, ColdFusion 9, ColdFusion 8.0.1, and ColdFusion 8 are affected with the issue mentioned in the security bulletin APSB11-04. This TechNote provides fixes for the security issues along with the installation instructions.
Updated on March 7th 2011 : Adobe has received a few issues with the Security Hotfix released in Feb 2011. A list of issues are as follows:
1.Session is lost for an application accessed within same domain *.
2.Formatting problem for ResponseTime table on debug template.
3.A minor fix for CFIDE/wizards/common/_logintowizard.cfm
* A JVM property was added in case you want to completely switch off the fix for the Session Fixation issue ( Bug 86378) which prior to this security release changed Session behavior in some environments. Add the following JVM property -Dcoldfusion.session.protectfixation=false in the JVM Arguments for the Coldfusion Server.
Latest hotfixes containing the fixes for the above issues are updated in the technote. Instructions to apply the hotfix remain same. All the users should re-apply the hotfixes if they have applied it already.
Note: This hotfix contains security-specific hotfixes only.
Follow the instructions that apply to your version of ColdFusion. Don't apply these fixes to any beta or prerelease version of ColdFusion.
In the following procedures, {ColdFusion-Home} indicates the following:
- For Server installation: {ColdFusion-Home}
- For Multiserver installation: {JRun-Home}/servers/{YourServer}/cfusion-ear/cfusion-war/
- For J2EE installation: {cfusion-ear-Home}/cfusion-war/
Note: CFIDE.zip and WEB-INF.zip included in the hotfix contains only part of the CFIDE and WEB-INF files. Do not rename present CFIDE or WEB-INF folders to create a backup as per the instructions.
-
Download and extract CF801.zip. All the files are extracted to cf801 directory.
-
Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf801-00001.jar, hf801-1875.jar, hf801-1878.jar, hf801-77218.jar, hf801-73122.jar, or hf801-71471.jar exist, delete them. Otherwise, ignore this step.
-
Download and extract CF8.zip. All the files are extracted to cf8 directory.
-
Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf800-00001.jar, hf800-70523.jar, hf800-71471.jar, hf800-73122.jar, hf800-1875.jar, hf800-77218.jar, or hf800-1878.jar exist, delete them. Otherwise, ignore this step.
Note: Previous ColdFusion Security Hotfixes - Security bulletins and advisories page
If you installed the hotfix for ColdFusion 9 or ColdFusion 8 and then upgraded (to ColdFusion 9.0.1 or ColdFusion 8.0.1), ensure that you apply the security hotfix for the update.
Note - Legal Disclaimer