Security Hotfix | ColdFusion 8, 8.0.1, 9, 9.0.1

Adobe Community Help


Products Affected

 
 x

How are we doing?

1. Please rate your web experience

1 2 3 4 5
Hated it It was ok Loved it

2. Why did you choose this score?


By clicking Submit, you accept the Adobe Terms of Use.

Thank you for taking our survey. We value your feedback.

If you need help, we want to hear from you.

Get answers from experts 24/7.

Close

Issue

ColdFusion 9.0.1, ColdFusion 9, ColdFusion 8.0.1, and ColdFusion 8 are affected with the issue mentioned in the security bulletin APSB11-04. This TechNote provides fixes for the security issues along with the installation instructions. 

Updated on March 7th 2011 : Adobe has received a few issues with the Security Hotfix released in Feb 2011.  A list of issues are as follows:

1.Session is lost for an application accessed within same domain *.

2.Formatting problem for ResponseTime table on debug template.

3.A minor fix for CFIDE/wizards/common/_logintowizard.cfm

* A JVM property was added in case you want to completely switch off the fix for the Session Fixation issue ( Bug 86378) which prior to this security release changed Session behavior in some environments. Add the following JVM property -Dcoldfusion.session.protectfixation=false in the JVM Arguments for the Coldfusion Server.

Latest hotfixes containing the fixes for the above issues are updated in the technote. Instructions to apply the hotfix remain same. All the users should re-apply the hotfixes if they have applied it already.

Note: This hotfix contains security-specific hotfixes only. 

Solution

Follow the instructions that apply to your version of ColdFusion. Don't apply these fixes to any beta or prerelease version of ColdFusion.

Definition of ColdFusion-Home

In the following procedures, {ColdFusion-Home} indicates the following:

  • For Server installation: {ColdFusion-Home}
  • For Multiserver installation: {JRun-Home}/servers/{YourServer}/cfusion-ear/cfusion-war/
  • For J2EE installation: {cfusion-ear-Home}/cfusion-war/

Note: CFIDE.zip and WEB-INF.zip included in the hotfix contains only part of the CFIDE and WEB-INF files. Do not rename present CFIDE or WEB-INF folders to create a backup as per the instructions.  

ColdFusion 9.0.1

  1. Download and extract CF901.zip. All the files are extracted to cf901 directory.
  2. In the ColdFusion Administrator, select System Information page by clicking the "i" icon in the upper-right corner.
  3. In the Update File textbox, browse and select hf901-00001.jar located under CF901/lib/updates directory.
  4. Click Submit Changes.
  5. Stop ColdFusion instance.
  6. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
  7. Go to cf901 directory and extract all files in CFIDE.zip to the web root directory that has {CFIDE-HOME} folder.
  8. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
  9. Go to cf901 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server installation) or {ColdFusion-Home} (for Multiserver and J2EE installations) directory.
  10. Go to your {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory and make a backup of log4j.properties.
  11. Go to cf901/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib for Multiserver and J2EE installations) directory.
  12. Start ColdFusion instance.
  13. If there are multiple instances, repeat steps 2 through12 for each of the instances. 

ColdFusion 9

  1.  Download and extract CF9.zip. All the files are extracted to cf9 directory.
  2. In the ColdFusion Administrator, select System Information page by clicking the "i" icon in the upper-right corner.
  3. In the Update File textbox, browse and select hf900-00002.jar located under CF9/lib/updates directory.
  4. Click Submit Changes.
  5. Stop ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory and if hf900-00001.jar exists, delete it. Else, ignore this step.
  7. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
  8. Go to cf9 directory and extract all files in CFIDE.zip to the web root directory that has {CFIDE-HOME} folder.

  9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
  10. Go to cf9 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server installation) or {ColdFusion-Home} (for Multiserver and J2EE installations) directory.
  11. Go to your {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory and make a backup of log4j.properties.
  12. Go to cf9/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory.
  13. Start ColdFusion instance.
  14. If there are multiple instances, repeat steps 2 through 13 for each of the instances. 

ColdFusion 8.0.1

  1.  Download and extract CF801.zip. All the files are extracted to cf801 directory.
  2. In the ColdFusion Administrator, select System Information page by clicking the "i" icon in the upper-right corner.
  3. In the Update File textbox, browse and select hf801-00002.jar located under CF801/lib/updates directory.
  4. Click Submit Changes.
  5. Stop ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf801-00001.jar, hf801-1875.jar, hf801-1878.jar, hf801-77218.jar, hf801-73122.jar, or hf801-71471.jar exist, delete them. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
  8. Go to cf801 directory and extract all files in CFIDE.zip to the web root directory that has {CFIDE-HOME} folder.

  9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
  10. Go to cf801 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server installation) or {ColdFusion-Home} (for Multiserver and J2EE installations) directory.
  11. Go to your {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory and make a backup of log4j.properties.
  12. Go to cf801/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory.
  13. Start ColdFusion instance.
  14. If there are multiple instances, repeat steps 2 through 13 for each of the instances. 

ColdFusion 8

  1. Download and extract CF8.zip. All the files are extracted to cf8 directory.
  2. In the ColdFusion Administrator, select System Information page by clicking the "i" icon in the upper-right corner.
  3. In the Update File textbox, browse and select hf800-00002.jar located under CF8/lib/updates directory.
  4. Click Submit Changes.
  5. Stop ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf800-00001.jar, hf800-70523.jar, hf800-71471.jar, hf800-73122.jar, hf800-1875.jar, hf800-77218.jar, or hf800-1878.jar exist, delete them. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
  8. Go to cf8 directory and extract all files in CFIDE.zip to the web root directory that has {CFIDE-HOME} folder.

  9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
  10. Go to cf8 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server installation) or {ColdFusion-Home} (for Multiserver and J2EE installations) directory.
  11. Go to your {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory and make a backup of log4j.properties.
  12. Go to cf8/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory.
  13. Start ColdFusion instance.
  14. If there are multiple instances, repeat steps 2 through 13 for each of the instances.

Note: Previous ColdFusion Security Hotfixes - Security bulletins and advisories page

If you have upgraded after installing the hotfix

If you installed the hotfix for ColdFusion 9 or ColdFusion 8 and then upgraded (to ColdFusion 9.0.1 or ColdFusion 8.0.1), ensure that you apply the security hotfix for the update.

 Note - Legal Disclaimer 

Keywords: cpsid_89094

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy

Choose your region    Products   Downloads   Learn & Support   Company

Copyright © 2015 Adobe Systems Incorporated. All rights reserved.

Terms of Use | Privacy | Cookies