Entries Tagged as “Adobe ColdFusion”
Adobe ColdFusion · Adobe ColdFusion 2016 · Announcements
As you are probably aware, we are in the planning stage for the next version of ColdFusion. You may have already seen a blog post asking you to submit your wishlist for the next version.
This post is about a survey that will give Adobe valuable information about your usage of ColdFusion. Please take a few minutes to take this survey and provide your feedback. The data from the survey will be used to validate a set of hypotheses about the usage of ColdFusion. This will eventually help us build a great next version of ColdFusion, codenamed Aether.
Thank you for your valuable time. Here is the survey link again.
Adobe ColdFusion · Adobe ColdFusion 10 · Adobe ColdFusion 11 · ColdFusion · ColdFusion 11
You may run into issues if you are using a non-administrator user account to install ColdFusion updates manually, or if an installation is attempted from the ColdFusion administrator console when the ColdFusion service is running with a non-administrator account. In such cases, the update may not install successfully and may complete with errors.
The Windows user account used by the ColdFusion service should have the privileges to start and stop the ColdFusion service. The updater needs to stop the ColdFusion service, so that it can replace the class files used by the service. After the update is installed, the updater starts up the ColdFusion service. Similarly if the updater packages any updates related to the other ColdFusion services, such as ColdFusion Add-On/Jetty service or ColdFusion .NET service or ColdFusion ODBC service, it would stop and start these services as well.
To avoid running into the issue above, one can take either of the following 2 approaches:
- Stop the ColdFusion service manually before running the updater jar. Restart the service, once the update is installed. This, of course, would need to be done every time you install an update; or
- Assign the ColdFusion user account the privileges to start/stop the service. This would be a one-time fix.
If you are using Windows 2003 server or XP, you can follow this blog post to assign start/stop privileges to the ColdFusion service user account. If you are on a later edition of Windows, such as Windows 7 or Windows 2012 server, keep reading.
The Windows Service Controller (sc) command can be used to set permissions on a Windows service. We will be using the following 2 variants of the command:
SDSHOW : To display the permissions on a service.
syntax : sc [<ServerName>] sdshow <ServiceName>
SDSET : To set the permissions on a service.
syntax : sc [<ServerName>] sdset <ServiceName> <ServiceSecurityDescriptor>
The security descriptors in the syntax above are represented by what is known as "Security Descriptor Definition Language" (SDDL). An SDDL descriptor has its own syntax and formatting conventions which, at first, may seem a bit intimidating, and I might add, somewhat bland. But we will just dwell on the elementary details that are relevant to our purpose. If you want to get into the nuances of the language, you can check out the resources referenced at the end of this post.
Before modifying the permissions on a service, it is a good idea to view the current permissions first. To do that, run the following command:
sc SDSHOW "ColdFusion 2016 Application Server"
You can find out the name of the service from the service properties in the Services window. The output should be something similar to the following :
I'll break down the output above into subsections and try to describe them.
The prefix D is for discretionary access control list (DACL) permissions. It identifies users or groups that are allowed or denied access to a secured object.
The prefix S is for system access control list (SACL) which controls how access is audited. It enables administrators to log attempts to access a secured object in security event logs. This section is not pertinent to our interest, and hence will not be discussed further.
Each segment enclosed by parentheses such as "(A;;CCLCSWRPWPDTLOCRRC;;;SY)", is an ACE or "Access Control Entry". It describes the permissions to a specific user or group.
The first letter in the ACE specifies the ACE type. 'A' here denotes "Allow". Similarly a 'D' would denote "Deny".
The next set of letters ("CCLCSWRPWPDTLOCRRC") denotes the permissions. It is a sequence of 2-letter codes, each of which specifies one permission. I'll list out the components below:
CC : SERVICE_QUERY_CONFIG – ask the SCM for the service’s current configuration
DC : Delete All Child Objects
LC : SERVICE_QUERY_STATUS
SW : SERVICE_ENUMERATE_DEPENDENTS
RP : Read all properties
WP : Stop the service
DT : SERVICE_PAUSE_CONTINUE
LO : SERVICE_INTERROGATE
CR : SERVICE_USER_DEFINED_CONTROL
SD : Delete
RC : READ_CONTROL – read the security descriptor on this service.
WD : Modify permissions
WO : Modify owner
The last code in ACE denotes the trustee. Some of the values it can take are:
SY : Local system
BU : Built-in users
IU : Interactively logged-on user
BA : Built-in administrators
If the intent is to modify the permission for a specific user and not a group, then you should instead use the SID associated with that user account. Suppose the ColdFusion Application service is running with a non-administrator account called "cfuser". To get the security identifier (SID) for the "cfuser" account, you can execute the following WMIC command:
wmic useraccount where name='cfuser' get sid
That should output something similar to the following:
To enable start/stop permission for "cfuser" on ColdFusion Application service, you can use the output generated in the SDSHOW command and append an ACE element for "cfuser" with the desired permission set, as follows :
SC SDSET "ColdFusion 2016 Application Server" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-464414946-3681088821-1826911322-1510)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
And, of course, you should run the command with administrator privileges.
If you are using other ColdFusion services, such as ColdFusion Add-on Services, ColdFusion .NET Service, ODBC Agent and ODBC server, you can follow the same steps as above to change permissions to them.
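The descriptor edit described above, as an added example (not code from the original post or from Adobe): it decodes a service DACL, appends the start/stop ACE ahead of the `S:` section, and reports any Allow ACE that hands configuration or ACL-rewrite rights to a non-administrative trustee. The function names are hypothetical; the rights table uses the service-specific meanings of the codes, where RP is SERVICE_START, WP is SERVICE_STOP and DC is SERVICE_CHANGE_CONFIG.

```python
import re

SERVICE_RIGHTS = {  # two-letter SDDL rights as they apply to a service object
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
DANGEROUS = {"DC", "WD", "WO"}  # reconfigure the service or rewrite its ACL

def split_sddl(sddl):
    """Return (dacl_body, sacl_body) without the 'D:' and 'S:' prefixes."""
    m = re.fullmatch(r"D:(.*?)(?:S:(.*))?", sddl.strip())
    if not m:
        raise ValueError("expected an SDDL string starting with 'D:'")
    return m.group(1), m.group(2) or ""

def parse_aces(acl_body):
    """Decode each '(type;flags;rights;;;trustee)' ACE of an ACL body."""
    aces = []
    for raw in re.findall(r"\(([^)]*)\)", acl_body):
        ace_type, _flags, rights, _obj, _inherit, trustee = raw.split(";")[:6]
        codes = re.findall("..", rights)  # assumes two-letter rights, not hex masks
        aces.append({"type": ace_type, "trustee": trustee, "codes": codes,
                     "rights": [SERVICE_RIGHTS.get(c, c) for c in codes]})
    return aces

def grant_start_stop(sddl, sid, rights="RPWPCR"):
    """Append an Allow ACE for sid to the DACL, ahead of any 'S:' section."""
    dacl, sacl = split_sddl(sddl)
    if any(a["trustee"] == sid for a in parse_aces(dacl)):
        return sddl.strip()  # trustee already has an ACE; add no duplicate
    return f"D:{dacl}(A;;{rights};;;{sid})" + (f"S:{sacl}" if sacl else "")

def risky_aces(sddl, admins=("SY", "BA")):
    """Allow ACEs giving DC/WD/WO to anyone but SYSTEM or Administrators."""
    return [a for a in parse_aces(split_sddl(sddl)[0])
            if a["type"] == "A" and a["trustee"] not in admins
            and DANGEROUS & set(a["codes"])]

# Sample input: the descriptor from the SDSET command above, minus the cfuser ACE.
BEFORE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
CFUSER_SID = "S-1-5-21-464414946-3681088821-1826911322-1510"  # SID used in the post

if __name__ == "__main__":
    print("sc sdset <ServiceName>", grant_start_stop(BEFORE, CFUSER_SID))
```

Running `risky_aces` on the result before calling SDSET confirms that the service account's ACE carries only start, stop and user-defined control, and that no broader group has picked up DC, WD or WO.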
Adobe ColdFusion · CFBuilder · Updates
This update is a companion update to ColdFusion 2016 Update 1 and primarily addresses issues related to Security Code Analyzer and its performance.
The issues fixed for this release are listed in this document.
This update is applicable for a standalone as well as a plugin installation of ColdFusion Builder. After applying this update, ColdFusion Builder build number should be 298831.
ColdFusion Builder has an automatic update notification that informs the user when updates are available.
Adobe ColdFusion · Adobe ColdFusion 10 · Adobe ColdFusion 11 · ColdFusion · ColdFusion 11 · Updates
This post is to announce the release of updates for ColdFusion 2016, ColdFusion 11 and ColdFusion 10.
These updates address a common vulnerability mentioned in security bulletin APSB 16-16, upgrade the Tomcat engine and contain other bug fixes.
ColdFusion 2016 Update 1
ColdFusion (2016 release) Update 1 addresses an issue mentioned in the security bulletin APSB 16-16. Tomcat has been upgraded to version 8.0.32. This update includes several important bug fixes for security, core language features, server, and other areas.
For details, refer to this technote.
ColdFusion 11 Update 8
ColdFusion 11 Update 8 addresses an issue mentioned in the security bulletin APSB 16-16. Tomcat has been upgraded to version 7.0.68. This update includes several important bug fixes for security, language, AJAX, and other features.
For details, refer to this technote.
ColdFusion 10 Update 19
ColdFusion 10 Update 19 addresses an issue mentioned in the security bulletin APSB 16-16. Tomcat has been upgraded to version 7.0.68. This update includes important bug fixes for security and server.
For details, refer to this technote.
Adobe ColdFusion · Announcements
The installers for ColdFusion (2016 release) and ColdFusion Builder (2016 release) have been refreshed. The only change between the old and new installers is the refresh of certain branding assets (no change in the underlying code).
The new build number for ColdFusion (2016 release) is 298074 (was 297996 earlier) and for ColdFusion Builder (2016 release) is 298077 (was 298004 earlier). Some, if not all, of the branding asset refresh will also be included in the first update, so that users on previous installations get the latest branding assets.