Important security hot fix-related notes

This article lists all the important security hot fix-related notes for ColdFusion 9 and later, with their respective security hot fix number.


  1. This hot fix is applicable only for ColdFusion (9, 9.0.1 and 9.0.2) deployed on JRun. Follow the instructions in the security bulletin APSB13-19 to apply the fix.


  1. This hot fix disables RDS by default. To enable it, select the RDS Service flag.
    1. The RDS Service flag is an addition to the ColdFusion Administrator UI (to activate it, choose Administrator > Security > RDS).
    2. Since RDS is a development only service, it is not recommended to enable it on the production or public-facing servers. If RDS is enabled, enable password protection and set nonempty password.
    3. To Enable RDS, ensure that the RDSServlet related configurations are not commented in the web.xml file.
  2. This hot fix adds restrictions such that only .txt and .log files can be used to save output of a scheduled task or probe using the Administrator and Admin API. To allow more filename extensions, go to {ColdFusion-Home}/lib/neo-cron.xml, find txt,log, and replace it with the required extensions (example:html,txt).


  1. Named application scope is not available in servlet context by default. To roll back to previous behavior, add JVM flag -Dcoldfusion.allowappdatainservletcontext=true.


  1. To protect other configuration files from Jakarta virtual directory from access over the Internet, check the MIME type list for websites. Ensure that MIME Type entries for the following Filename Extensions are not present:
    • Properties
    • Log
  2. This security hot fix is applicable only when connector is configured with IIS.


  1. Adobe recommends adding getPageContext method in the SandBox to the list of disabled functions. However, it is not a requirement for the protection against DoS.


  1. This hot fix has a new setting in ColdFusion, Post Parameter Limit. This setting limits the number of parameters in a post request. The default value is 100. If a post request contains more parameters as specified, the server doesn't process the request and throws an exception. This process protects against DoS attack using Hash Collision. This setting is different from Post Size Limit (ColdFusion Administrator > Settings > Maximum size of post data). This setting is not exposed in the ColdFusion Administrator console. But you can easily change this limit in the neo-runtime.xml file. See point 2 below.
  2. To change postParameterLimit, go to {ColdFusion-Home}/lib for Server Installation or {ColdFusion-Home}/WEB-INF/cfusion/lib for Multiserver or J2EE installation. Open file neo-runtime.xml, after line.
"<var name='postSizeLimit'><number>100.0</number></var>"

Add the line below and you can change 100 with the desired number.

"<var name='postParametersLimit'><number>100.0</number></var>"


  1. With this hot fix, ColdFusion doesn't autogenerate "action" for CFFORM tag for security considerations. Adobe recommends that developers always specify action for CFFORM. To roll back to previous behavior, you can add "-Dcoldfusion.generateformaction=true" in JVM arguments. Adding it could mean that the server is prone to the security vulnerabilities handled in this hot fix.


  1. CSRF protection requires that SessionManagement is enabled. If Session Variables are disabled from ColdFusion Administrator console, CSRF protection is disabled.
  2. If ColdFusion throws an exception " /logs/esapiconfig.log" after applying this hot fix, go to /lib/ and update absolute path for esapiconfig.log.


  1. Add the following JVM property "-Dcoldfusion.session.protectfixation=false" in the JVM arguments for the ColdFusion server to switch off the fix for the Session Fixation issue.

Bei Ihrem Konto anmelden