ColdFusion 10 update 4 is now available
ColdFusion 10 Update 4 is now available for install within your administrator. It includes several important bug fixes. ColdFusion 10 Update 4 is a cumulative update: it includes all the bug fixes from previous updates of ColdFusion 10. All the issues reported in Update 3 have been resolved in this update.
The details of the update are available here.
99 comments so far ↓
How can we confirm we are using the updated connector? I removed and added the connector but it would be nice if there was a way to confirm everything is correct.
Thanks.
Jeremy
I can't fault them for not working on an unsupported configuration. At least there are workarounds.
Fortunately, the note in the updater interface (in the admin) for updater 4 does mention it ("IMPORTANT: After applying the update, reconfigure the connectors using wsconfig tool. It is in {cf_install_home}/cfusion/runtime/bin")
But some people may miss that who might see it if it was listed in this technote.
Hope you can get someone to tweak that technote to add that. (You may want to mention there also that users on Windows 2008 or 7 might need also to "run as administrator" when doing that.)
Cheers.
http://adamcameroncoldfusion.blogspot.co.uk/2012/11/oh-ffs-updater-4-hosed-my-apache-config.html
This is unavoidable, but something to be aware of. I am a bit pissed-off with WSConfig though.
--
Adam
Instead of unconfig/re-config, can we use wsconfig's '-upgrade' option?
http://help.adobe.com/en_US/ColdFusion/10.0/Admin/WSc3ff6d0ea77859461172e0811cbf364104-7fd9.html
Will that be fine? B/c the -upgrade option upgrades the modules while preserving the settings files (uriworkermap.properties, IIS's applicationHost.config, etc).
Just wondering why we're being told to actually unconfig/re-config instead of -upgrade.
Thanks,
-Aaron
It's fair enough I guess that the WSConfig stuff is a separate step currently, but is there any reason why this bit cannot be automated as part of the upgrade process? That said... if you do that you also gotta back-up the files you update properly too ;-)
Cheers.
--
Adam
I've already run the wsconfig "-upgrade" that Aaron mentioned - do I have anything to worry about? (i.e. How can I confirm for sure the update installed properly?)
Looks like there should have been errors while installing.
Can you please tell me the full name of the log files that are there under <CF_Home>/cfusion/hf-updates/hf-10-00004/ so that I can know the cause of the problem.
Also can you please open the log file and check if there is any error?
Thanks,
Krishna
Here's what it says under Install ColdFusion 10 Update 4
After applying the update, reconfigure the connectors using wsconfig tool. It is in {cf_install_home}/cfusion/runtime/bin.
--
Adam
The service is unavailable.
Service Temporary Unavailable!
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
Jakarta/ISAPI/isapi_redirector/1.2.32 ()
Adobe_ColdFusion_10_Update_4_Install_11_04_2012_19_19_05.log
The error in the log file was:
"Failed to copy hotfix files: C:\Users\cfruntimeuser\870868.tmp\dist\cfusion
Status: FATAL ERROR
Additional Notes: FATAL ERROR - Failed to copy the hotfix files to the target location: {cf_install_home}\cfusion
FATAL ERROR - {cf_install_home}\cfusion\bin\coldfusionsvc.exe
(The process cannot access the file because it is being used by another process)"
| Error occurred while installing the update: Failed Signature verification
I also checked the log and found the following:
| 19791 Nov 5, 2012 11:26:20 AM Error [cfthread-1] - File is not signed by a trusted provider.
| 19792 Nov 5, 2012 11:26:20 AM Error [cfthread-1] - Error While Downloading File From http://download.adobe.com/pub/adobe/coldfusion/hotfix_004.jar at D:\cfusion\hf-updates - Failed Signature verification
| 19793 Nov 5, 2012 11:26:20 AM Information [ajp-bio-8012-exec-4] - Failed Signature verification
Everyone is saying the fix is to install the mandatory update but we already did. I even tried to do it again and it says:
| This update is already installed
So what's next?
Help is very much appreciated.
Thanks, Tim
I would try re-installing the mandatory update since it seems like it did not take.
1. Remove all CF10 Connectors
2. Install CF9 and configure for all IIS websites during install.
3. Move over neo-cron.xml and neo-database.xml from CF10 to CF9 directory.
4. Restart CF9 Service
My intention was to leave CF10 installed but just turn off the services, in case I want to switch in the future or just uninstall it later on. Will this process work? Any better suggestions?
Again, the issue that I saw may not actually affect everyone. For me, I had to do these steps:
1) Delete the Update 4 Prerelease jar from {cf_install_home}/{instance_name}/lib/updates.
2) Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-10-00004}/backup directory to {cf_install_home}/{instance_name}/
3) Delete the Update 3 jar (and I remember there being another file in there too) from {cf_install_home}/{instance_name}/lib/updates.
4) Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-10-00003}/backup directory to {cf_install_home}/{instance_name}/
Then I was able to install Update 4 Final via CF Admin.
I'll try a few install/uninstall scenarios to see if this is specific to users that had installed the "Prerelease" version of Update 4.
Thanks,
-Aaron
1. Create .car file in CF10 ("ColdFusion Archive" file containing CF Admin settings)
-- note: step #1 can *currently* only be done in Developer or Enterprise Edition (hopefully CF11 will support backing up CF Admin's settings in Standard Edition too - IMO, backups should ALWAYS be supported). If Standard Edition, then clear serial number from C:\ColdFusion10\cfusion\lib to convert back to Developer Edition.
2. Remove all CF10 Connectors
3. Install CF9 and configure for all IIS websites during install.
4. Deploy .car file into CF9
5. Restart CF9 Service
Steps to create a .car file: http://help.adobe.com/en_US/ColdFusion/10.0/Admin/WSc3ff6d0ea77859461172e0811cbf3638e6-7fc5.html
Thanks,
-Aaron
I've found something interesting while trying to apply updater 4 on my CF10 servers (RHEL6).
My servers are behind a firewall so I have to copy the jar onto the server and do the installation via the console.
The user I use to ssh onto the box has got sudo access, so when I run the installer all seems to go fine. After it completes the log file showed all the updates were successful, but when I logged into the CF Administrator the version number was still 10,0,0,2xxxxx.
Out of interest I tried doing the install as root (which I can't do in my acceptance and production environments) and the log file shows the same success messages, but the version is correctly updated to 10,0,4,283281.
Is there perhaps a file or directory that I might need to check permissions?
Cheers,
Simon
HTTP Error 500.0 - Internal Server Error
Calling LoadLibraryEx on ISAPI filter "D:\ColdFusion10\config\wsconfig\1\isapi_redirect.dll" failed
[ localhost:cfusion ] Internet Information Server (IIS) : All
Once you click the Remove button will get enabled.
We want to work with you to investigate this but we need your mail id to start the communication. I have asked you twice earlier in this thread to send a mail to me so that we can start the communication, but I have not received any mail from you so far. Even in the comment to this post, you have provided an invalid mail id. Could you please let us know your mail id OR send me a mail at rukumar *AT* adobe DOT com?
- Adobe ColdFusion team
Cheers,
Simon
Re-running the Update again should fix the issue for you.
Can you please re-install from Administrator and check and let me know.
@raZorTT,
Can you please check the Comment#14 and if there are errors in the log can you please re-run the installation.
Thanks,
Krishna
Before we released Updater 4 to the public, this fix was verified by many of the customers who reported the 503 error in Updater 3, and they confirmed that the issue is resolved.
Thanks
Kiran Sakhare
I've been working with Adobe the last few days to implement some additional changes after applying Update 4. Our system was lasting anywhere from 1-4 days before we'd be plagued with the 503. The verdict is still out as to whether these latest tuning settings completely fix the problem. As soon as I know whether they work or not I will be in contact with Adobe and will post the results here as well.
If that's the case, then why is it that the only public feedback I'm seeing is that of people who have installed the update and are indicating that they are continuing to experience service outages and 503 errors with update 4 applied? What sort of testing could have been performed that completely missed the fact that 503 errors are still being reported with this update installed?
Not to mention, if update 4 truly resolved the issues, then why is Matt working with Adobe over the span of many days to implement and test additional changes? This means that update 4 is NOT a successful release, and I won't go anywhere near it with my own clients until I can assure them that the update will resolve the problems they've been ravaged by for the past few weeks.
Still completely dissatisfied.
--
Adam
Considering the circumstances and the "black eye" from update 3, I can only partially agree. That said, there's simply no way that I'll proceed (nor will my client -allow- me to proceed) with update 4 after the embarrassing debacle and ultimate recall of update 3. That whole fiasco cost me and a client 2 full days of installation, testing, troubleshooting, hair pulling, and an ultimate contingency fall back to a pre-update VM snapshot nearly 48 hours later to ColdFusion 10 update 2. The only feedback I've heard anywhere in the ColdFusion community thus far about update 4 consists of complaints from numerous sources that the 503 service problems still persist. I've not been able to personally confirm with even a -single- source that the update solved these problems for anyone. At this point, I don't consider Adobe's self-proclaimed "thumbs up" on this update a reliable indicator of its effectiveness.
Please... ANYBODY... just point me to ONE single client or person that was having 503 service errors resulting from bug 3222748, 3216317, 3318104, or 3300889 that has installed update 4, and maybe I can reconsider my position on this. Anyone? Anyone!?
We just finished scanning our site with Security Metrics and CF10 Update 4 and it survived without any issues whereas it crashed a horrible death last week when only Update 2 was installed so you can add me to the happy camper category.
In order to better serve the community and those who have been affected by similar scenarios, I plan to report back here with my final experience and findings. There's definitely a path to resolution ahead of me, I just never would have expected it to be so daunting and unnecessarily complex. Frankly, the whole experience has crushed a bit of my nearly fan-boy confidence in and support of Adobe as the flagship representative for ColdFusion. That's a pretty significant statement when you consider that I've been working with ColdFusion since version 0.9 beta back in mid 1995. Believe it or not, I probably still have an old ColdFusion 1.0 binary (anyone remember /cgi-bin/dbml.exe?template=/index.dbm ???) and accompanying application code sitting on a Zip Drive (another nostalgic reference) somewhere in a cabinet in my office.
As mentioned, I'll report back (likely next week) with my findings. Thanks to all those who have continued to interact with this thread. :)
Thanks,
-Aaron
After the release of update 4 I figured it sounded like Adobe had fixed the issues. I was wrong...
Upgrade on production went smoothly - but within half an hour the 503/unavailable errors started...
I attempted to revert to cf9 - but that was a disaster too - issues with web connectors and 403 issues.
Finally got it back up - with 2 hours downtime - outside of any maintenance window.
This really isn't on. I don’t know how this issue got past beta – let alone 4th update. When update 5 comes out – I’ll be waiting to hear others' feedback before believing Adobe again...
Really disappointed!
Can those experiencing 503 Service Unavailable please check the site's application pool in IIS Manager and see if it became stopped?
Thanks,
-Aaron
Could those experiencing the 503 Service Unavailable see if it is typically the same app pools that are getting stopped?
If some app pools never get stopped, but some app pools "randomly" stop, then that may help us narrow down the issue.
It may not be the load, but rather some specific CFML which is causing the app pool to crash. If anyone has further clues it would help.
Thanks,
-Aaron
As I check in on the newly patched server this morning, I'm still seeing the same issues in the Event Viewer.
---[ SNIP ]---
Faulting application name: w3wp.exe, version: 7.5.7601.17514, time stamp: 0x4ce7afa2
Faulting module name: isapi_redirect.dll, version: 1.2.32.0, time stamp: 0x50850ee6
Exception code: 0xc0000005
Fault offset: 0x00000000000118c1
Faulting process id: 0x1d8
Faulting application start time: 0x01cdc1b69b53318f
Faulting application path: c:\windows\system32\inetsrv\w3wp.exe
Faulting module path: D:\ColdFusion10\config\wsconfig\2\isapi_redirect.dll
Report Id: 978633cb-2daa-11e2-9b05-0050568a6da8
---[ SNIP ]---
... and ...
---[ SNIP ]---
Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0
Problem signature:
P1: w3wp.exe
P2: 7.5.7601.17514
P3: 4ce7afa2
P4: isapi_redirect.dll
P5: 1.2.32.0
P6: 50850ee6
P7: c0000005
P8: 00000000000118c1
P9:
P10:
Attached files:
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe_c7987f849945058256ab720f046114e117b593e_21c4f00e
Analysis symbol:
Rechecking for solution: 0
Report Id: 978633cb-2daa-11e2-9b05-0050568a6da8
Report Status: 4
---[ SNIP ]---
Now, I haven't specifically seen a server crash since the update last night, but I hadn't really seen a server crash in the past few days prior to the update either. Remember, I already disabled IIS 7.5's Rapid-Fail Protection that was causing the respective app pool to be killed if 5 of these faults were received within a 5 minute period. However, I have had a few server crashes prior to update 4 even with that Rapid-Fail Protection disabled. So with these faults continuing to amass in our Event Viewer (there are 614 of them already in just the past 10 hours), I highly expect that the server is at risk of similar 503 errors and/or crashes.
Side note: When I attempted to visit your site last night as I was posting, Aaron, I was getting a 503 service unavailable error message from your web host.
Requests for that URL are logged nowhere that I can find. Not in the IIS logs, CF logs, the ColdFusion10\cfusion\runtime\logs etc. (I only verified the 1:26 timestamp by looking at my browser's history log)
If the 503 issue mentioned in #45 is the same issue that you are seeing, then the following should stop the 503s:
1) Open ColdFusion10\config\wsconfig\1\uriworkermap.properties
2) Add /jakarta/* = cfusion
3) Save and then restart CF and the WWW service
Could you try that and see if the 503 errors stop?
Thanks,
-Aaron
Here's another thing to try:
1) Open ColdFusion10\config\wsconfig\1\isapi_redirect.properties
2) Change log_level= info to log_level= debug
3) Restart CF & WWW services
4) Immediately after seeing a 503 in Event Viewer, undo #2 (change debug to info and restart CF & WWW). B/c isapi_redirect.log will be growing rapidly in debug mode.
5) CTRL+F the ColdFusion10\config\wsconfig\1\isapi_redirect.log for "is not a servlet url" and then "Attempting to map URI" to see if you can find any URIs that failed to resolve and that you find suspicious.
Just a thought. But that's the only thing I could think of ATM to get more verbose logging of what's going on.
If it helps, I can attach a script which you can schedule to run via cfschedule which will start any stopped IIS7+ application pools and then send you an email letting you know which app pools had been stopped and which ones it had started. Then you can re-enable Rapid-Fail and just be notified upon each failure so that you can investigate.
Thanks,
-Aaron
C:\Windows\System32\inetsrv\appcmd set config /section:applicationPools /applicationPoolDefaults.recycling.logEventOnRecycle:"Time, Requests, Schedule, Memory, IsapiUnhealthy, OnDemand, ConfigChange, PrivateMemory"
To undo that, just run:
C:\Windows\System32\inetsrv\appcmd set config /section:applicationPools /-applicationPoolDefaults.recycling
Thanks,
-Aaron
Thanks for the feedback,
Hemant
Failed to copy hotfix files:/tmp/808645.tmp/dist/cfusion
Status: FATAL ERROR
Additional Notes: FATAL ERROR - Failed to copy the hotfix files to the target location:/Applications/ColdFusion10/cfusion
FATAL ERROR - /Applications/ColdFusion10/cfusion/bin/cfcompile.bat (Permission denied)
I'm unable to view comment #45, so I can't tell you whether it's related to the problems we're having or not.
I'm not personally observing 503 errors on my client's server. My only indication that anything is going wrong are the entries in the Event Viewer.
But at this point, I'm a bit leery of poking around and starting to make configuration changes on the client's production server without a clear understanding of the nature and impact of the changes. Specifically, I'm not certain why I would want to add "/jakarta/* = cfusion" to the uriworkermap.properties file. Presently if I attempt to access anything within the /jakarta/ virtual directory, I get a 403 Forbidden error from IIS - which is perfectly fine with me. If you can explain to me the justification for making this change and how it potentially affects my particular issue, I'd be able to consider it further.
In order to put the server into connector "debug" mode instead of "information" mode, I'll need to wait until an off-peak time since it requires a service restart. Since this is non-invasive, I'll probably give this a shot and see what, if anything, I'm able to drudge up from the logs when these errors are taking place.
I'll return with more information as it's available.
Within the /2/ and /3/ folders I noticed that the isapi_redirect.dll had a different date modified(10/22/12) and file size even though both are version 1.2.32.0, but the /1/ folder still had the "old" file with date modified 3/29/12.
I then stumbled on the Update_all_connectors.bat file which "upgraded" the connector automatically for me
C:\ColdFusion10/cfusion\bin\connectors>Upgrade_all_connectors.bat
WARNING! This will upgrade ALL ColdFusion MX web server connectors.
Make sure ColdFusion MX Application Server and Microsoft IIS are not running before running the upgrade.
Press Control+C to abort.
Press any key to continue . . .
command line: -upgrade -v
Created file C:\ColdFusion10\config\wsconfig\cfwin32.dll
Created file C:\Users\CPOLIN~1\AppData\Local\Temp\1\\ExecuteAppCmd\ExecuteAppCmd.exe
Stopped "World Wide Web Publishing Service" service
Created file C:\ColdFusion10\config\wsconfig\1\isapi_redirect.dll
Started "World Wide Web Publishing Service" service
The Internet Information Server (IIS) connector was upgraded in All
C:\ColdFusion10\cfusion\bin\connectors>
I don't know if this process is correct since there aren't any instructions and I'm no Tomcat expert, but that is one place I'd look.
"old" isapi_redirect.dll - 388,608 bytes
"new" isapi_redirect.dll - 389,120 bytes
This is in regards to the steps you describe in comment #67 for fixing the vulnerability (previously) described in #45. Is this the official fix or is this considered a use at your own risk type of fix? I made the change on my development server and the vulnerability appears to have been closed. I just don't want to make the change on my production box if it could cause other issues. Thanks!
- If CF10 w/ no updates, then 3/29/2012
- If CF10 Update 1 or 2, then 8/9/2012
- If CF10 Update 4, then 10/22/2012
@Tyson, Apologies. I thought you were subscribed before #45 and had its email. Regarding the 403, is it specifically "403.14 - Directory listing denied"? If so, that does not resolve the issue in #45.
@Christian, Is the server in #56 & #75 the same? If so, based on the timestamps mentioned in #75, IIS was never configured for Update 2 and perhaps this is the cause of the Update 2 issue mentioned in #56. I experienced same issue with Remove not deleting the /1/ directory, and Add creating the /2/ directory. This was b/c I had one of /1/'s files open in notepad which was preventing the deletion of the /1/ directory. Once I closed the file, then Remove was able to delete /1/ and then Add recreated /1/.
@Matt, The steps I mentioned in #67 are not the official fix for #45. Until Adobe confirms it, then it's still technically 'use at your own risk'. I am using it b/c not using it allows anyone to stop the site's application pool if any of CF10's updates are installed and if IIS's Rapid-Fail is enabled (which is the default for IIS7, and I _believe_ IIS6 as well).
@All, Since comment #45 was deleted, I can't go into further detail about it. Also, I cannot take credit for the steps in #67 and also I cannot reveal where I learned of them from. Just suffice it to say that "IMO" those steps are necessary for: 1) closing a security hole, and 2) determining the cause of the 503 errors. While putting the connector into debug mode can help in determining the cause of the 503 errors, it does not close the security hole. Additionally, debug mode will cause the connector's log file to grow large fast and make it difficult to analyze.
The steps I mentioned in #67 will allow CF to throw a 404 (instead of the 503) which will be logged in the site's IIS log. Thus, when the Event Viewer shows an isapi_redirect.dll error, then we can look to the site's IIS log and see what URL was requested. There are possibly various causes of the 503 error. The 503 error that #67 addresses does not exist in CF10 with no updates. It only exists if Update 1 or higher has been installed. Seeing the logged request URLs should help reveal any patterns and specific causes of the 503 each is seeing.
@All, I would recommend corresponding with Adobe via email (as mentioned in #71) for troubleshooting the cause of the 503 error. I will contact Adobe regarding the difference I noticed between CF10 with no updates and CF10 w/ updates 1+ installed.
Thanks,
-Aaron
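The connector checks discussed in this thread (the isapi_redirect.dll "Date modified" per update level, the log_level setting, and the /jakarta/* mapping), collected into one audit of every numbered folder under config\wsconfig. This is an added example, not code from the thread or from Adobe; the function names and the demo tree are constructed, and the file dates are compared in the machine's local time zone.

```python
import os
import sys
import tempfile
from datetime import date, datetime
from pathlib import Path

# "Date modified" of isapi_redirect.dll per update level, as listed in the thread.
DLL_DATES = {
    date(2012, 3, 29): "CF10 with no updates",
    date(2012, 8, 9): "CF10 Update 1 or 2",
    date(2012, 10, 22): "CF10 Update 4",
}
UPDATE_4 = date(2012, 10, 22)


def read_props(path):
    """Parse a key=value .properties file; a missing file yields {}."""
    props = {}
    if path.is_file():
        for raw in path.read_text(errors="replace").splitlines():
            line = raw.strip()
            if line and not line.startswith("#"):
                key, sep, value = line.partition("=")
                if sep:
                    props[key.strip()] = value.strip()
    return props


def audit_connector(folder):
    """Report the connector build, size and notable settings for one folder."""
    report = {"folder": folder.name, "build": None, "size": None,
              "jakarta_mapped": False, "findings": []}
    dll = folder / "isapi_redirect.dll"
    if not dll.is_file():
        report["findings"].append("isapi_redirect.dll missing")
        return report
    stat = dll.stat()
    modified = datetime.fromtimestamp(stat.st_mtime).date()  # local time
    report["build"] = DLL_DATES.get(modified, f"unrecognised build ({modified})")
    report["size"] = stat.st_size
    if modified != UPDATE_4:
        report["findings"].append(
            "connector is not the Update 4 build; reconfigure with wsconfig")
    level = read_props(folder / "isapi_redirect.properties").get("log_level", "")
    if level.lower() == "debug":
        report["findings"].append(
            "log_level is debug; isapi_redirect.log grows rapidly")
    # Reported as a fact only: the thread calls this mapping an unofficial fix.
    report["jakarta_mapped"] = "/jakarta/*" in read_props(
        folder / "uriworkermap.properties")
    return report


def audit_all(wsconfig_root):
    """Audit every numbered connector folder (1, 2, 3, ...) under wsconfig."""
    root = Path(wsconfig_root)
    folders = sorted((p for p in root.iterdir() if p.is_dir() and p.name.isdigit()),
                     key=lambda p: int(p.name))
    return [audit_connector(f) for f in folders]


def build_demo_tree(root):
    """Constructed sample: folder 1 holds a stale DLL, folder 2 the Update 4 one."""
    layout = {
        "1": (date(2012, 3, 29), "log_level= debug\n", "/*.cfm = cfusion\n"),
        "2": (date(2012, 10, 22), "log_level= info\n",
              "/*.cfm = cfusion\n/jakarta/* = cfusion\n"),
    }
    for name, (day, props, workers) in layout.items():
        folder = Path(root) / name
        folder.mkdir(parents=True)
        dll = folder / "isapi_redirect.dll"
        dll.write_bytes(b"\0" * 16)  # placeholder bytes, not a real DLL
        stamp = datetime(day.year, day.month, day.day, 12).timestamp()
        os.utime(dll, (stamp, stamp))
        (folder / "isapi_redirect.properties").write_text(props)
        (folder / "uriworkermap.properties").write_text(workers)
    return root


if __name__ == "__main__":
    # Pass the real wsconfig directory as the first argument; with no argument
    # the constructed demo tree is audited instead.
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree(tempfile.mkdtemp())
    for row in audit_all(target):
        print(row)
```

A folder whose DLL date does not match the Update 4 entry is the situation described earlier in the thread, where /1/ still held the 3/29/12 file while /2/ and /3/ had the 10/22/12 one.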
After uninstalling all updates, then installing the Mandatory Update, and then reconfiguring the connector, CF Admin always said 0 Updates Available. Repro:
1) Uninstall all updates
2) Install Mandatory Update
3) Reconfigure connector, restart CF, and CTRL+F5 the browser
4) CF Admin says 0 Updates Available and logs the following to update.log: "Not able to connect to Update Site: Variable VERSIONSTR is undefined."
5) Install Update 1 manually, then repeat #3 and see #4
6) Install Update 2 manually, then repeat #3 and see #4
7) Install Update 4 manually, then repeat #3 and see CF Admin says 0 Updates Available (understandable, since U4 is most recent update) and no error is logged in update.log (so perhaps Update4 has the VERSIONSTR fix, but Update1 and 2 do not).
Just an observation. It could cause confusion if user wants to just install Update 1 or Update 2.
Thanks,
-Aaron
Yes, the server in #56 & #75 is the same. Apparently I failed to reconfigure the connector with the wsconfig tool after Update 1 as per the instructions so your Date Last Modified timestamps for isapi_redirect.dll are more accurate.
Thanks for pointing out the differentiation between the update 2 connector and update 4 connector. Unfortunately, I was able to verify that the mod date and file size of my isapi_redirect.dll indicate that it is, in fact, the update 4 connector and we're still experiencing problems with it in place. I have plans this evening to take Aaron's advice on throwing the connector into "debug" mode until an error is encountered, and then dive into the logged information to determine the nature of our errors. Once I've done that, I'll report back here with more information.
You can get the installer at http://www.adobe.com/support/coldfusion/downloads_updates.html#cf9. That is 9.0.2 (for more on that, and differences from 9.0 and 9.0.1, see http://helpx.adobe.com/coldfusion/release-note/coldfusion-9-0-update-2.html).
Basically 9.0.2 is 9.0.1, minus Verity, plus all the hotfixes, cumulative hotfixes, and security hotfixes that were available for 9.0.1 at the time of 9.0.2's release in late May. It also throws in a couple of tiny features that were added in CF10. See the technote for details.
Note as well that the 9.0.2 installer is a full installer, not an updater (from 9.0 or 9.0.1.)
Those with a support agreement with Adobe can get 9.0 or 9.0.1, but it's not available publicly due to the expiration of the agreement with Verity, which required removal of all public links to releases containing it.
As for a CF10 license key working with 9, I do not believe that will work. They are different licenses. Someone from Adobe may chime in with more details.
My issue really isn't with the availability of an upgrade installer (or lack thereof), but more to do with being able to purchase a valid CF9 license key. As you said, hopefully someone from Adobe will have a solution for that.
If I somehow misunderstood, sorry. But maybe the info may help someone else, or another reader here may be able to pass it on to someone else if they see it asked elsewhere. Like others here, I'm just always trying to move the ball down the field. :-)
I will put you in touch with the team at Adobe who can help you with this.
So, I was able to do a little debugging and server monitoring this morning. I had thought about doing it last night, but we get off-peak traffic at that point, so I opted to wait until this morning (under our heaviest daily loads) to test.
As you recommended, I stopped IIS and ColdFusion, then modified the isapi_redirect.properties files to put the connector into "debug" mode. After that, I fired ColdFusion up, then IIS, and then waited a bit. As was expected, I could see the isapi_redirect.log file growing rapidly, so I knew the configuration change had taken place.
After a few minutes, I decided to try the "exploit" myself (as you did on your server). I typed in that URL into my web browser and, sure enough, got an error back from the server. I was simultaneously monitoring the Application Log via Event Viewer on the server in question. As my request failed, I watched as 7 sets of error/info messages were logged to the Event Viewer - all of the exact same nature I'd been seeing in the past. One error message followed by two information messages - but repeated 7 times, in this case, for some reason.
I then continued to wait in debug mode until another entry appeared in Event Viewer that wasn't deliberately triggered by me. 7 minutes later, it appeared. One error and two information entries - just as expected.
At that point, I stopped IIS, stopped ColdFusion, put the web connector back in "info" mode, started ColdFusion, and started IIS in order to prevent further rapid growth of the connector log. I archived the 10MB log and downloaded it to my machine for local inspection.
The catalyst event in the Event Viewer had a timestamp of 11/16/2012 08:21:16, so I scanned forward through the log looking for instances of "attempting to map uri" around that same time period. To my surprise and your prediction, I found a matching entry in the log at 11/16/2012 08:21:15.968 that matches the exploit that had been mentioned in comment #45 (remaining vague in order to avoid deletion of this VERY important comment).
So, as you suspected, something... somehow... somewhere... with some frequency... is attempting to access that URL directly and is causing the faults we've been seeing. I'm still left guessing as to why these requests are coming in.
But one odd thing I noticed is the frequency and spacing of some of these requests. After harvesting this log, I returned to the server to refresh the Event Viewer and found 4 additional faults in the Application Log after the first one I observed that prompted me to harvest the log and put the server back in "info" logging mode. What's odd about them is the time series of all 5 faults that occurred naturally (without my specific request of the URL).
Fault 1: 11/16/2012 08:21:16 AM
Fault 2: 11/16/2012 08:31:18 AM
Fault 3: 11/16/2012 08:41:20 AM
Fault 4: 11/16/2012 08:51:22 AM
Fault 5: 11/16/2012 09:01:24 AM
The faults are almost exactly 10 minutes apart from each other. There's absolutely NO WAY that's a mere coincidence. And that led me to believe one of two theories.
My first theory is that perhaps an outside source (rival, competitor, "script kiddie") may have set up a repeating scheduled job to hit this exploit URL on our server as a means of initiating a DOS incident. Then I thought to myself - if that were the case, said outside source would CERTAINLY need to be calling this URL more frequently. Even if we had IIS's Rapid-Fail Protection enabled (which we presently do not), the default trigger point for an app pool shutdown is 5 faults within 5 minutes. So, one fault request every 10 minutes wouldn't get the job done if a DOS attack were the goal.
Which leads me to my second theory.
These requests MUST be coming from something internal to ColdFusion. I ravaged through all the time/interval settings I could locate within ColdFusion to see if anything is configured on a 10 minute interval, but I came up empty-handed. Nevertheless, this doesn't eliminate some ColdFusion process as the culprit. It just means it's not a user-configurable option or interval.
At this point, I'm planning to make the suggested change and add "/jakarta/* = cfusion" to the uriworkermap.properties file. However, considering all I've gone through in hunting this down and all the pressure I've gotten from my client to produce some sort of explanation, I'd really like to find out what's initiating these requests.
Any ideas?
So, this has stopped the faults. But what's causing the requests every 10 minutes that were creating the faults in the first place!?
Still a little baffled.
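The analysis described in the comments above, worked through as an added example (not code from the thread or from Adobe): it matches connector debug-log "Attempting to map URI" entries to a fault time, measures the spacing of the five posted faults, and checks them against the Rapid-Fail threshold of 5 faults within 5 minutes quoted in the thread. The log excerpt is constructed, its line layout is an assumption modelled on mod_jk logs, and '/PLACEHOLDER/uri' stands in for the request the thread does not disclose.

```python
import re
from datetime import datetime, timedelta

# Fault times as posted in the thread (Event Viewer, Application log).
FAULTS = [
    "11/16/2012 08:21:16 AM",
    "11/16/2012 08:31:18 AM",
    "11/16/2012 08:41:20 AM",
    "11/16/2012 08:51:22 AM",
    "11/16/2012 09:01:24 AM",
]

# Constructed isapi_redirect.log excerpt at debug level (assumed layout).
SAMPLE_LOG = """\
[Fri Nov 16 08:21:10.120 2012] [472:2208] [debug] map_uri_to_worker_ext::jk_uri_worker_map.c (1036): Attempting to map URI '/index.cfm' from 6 maps
[Fri Nov 16 08:21:15.968 2012] [472:2208] [debug] map_uri_to_worker_ext::jk_uri_worker_map.c (1036): Attempting to map URI '/PLACEHOLDER/uri' from 6 maps
[Fri Nov 16 08:21:15.969 2012] [472:2208] [debug] HttpFilterProc::jk_isapi_plugin.c (1978): [/PLACEHOLDER/uri] is not a servlet url
[Fri Nov 16 08:24:02.301 2012] [472:2208] [debug] map_uri_to_worker_ext::jk_uri_worker_map.c (1036): Attempting to map URI '/products/list.cfm' from 6 maps
"""

MAP_RE = re.compile(r"^\[(?P<ts>[^\]]+)\].*Attempting to map URI '(?P<uri>[^']*)'")


def parse_faults(lines):
    """Event Viewer timestamps (second resolution) -> sorted datetimes."""
    return sorted(datetime.strptime(s, "%m/%d/%Y %I:%M:%S %p") for s in lines)


def parse_map_attempts(log_text):
    """Return (timestamp, uri) for every 'Attempting to map URI' line."""
    attempts = []
    for line in log_text.splitlines():
        m = MAP_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            attempts.append((ts, m["uri"]))
    return attempts


def uris_near_fault(fault, attempts, before_s=2, after_s=1):
    """URIs mapped shortly before the fault was recorded.

    The event time is rounded to the second, so allow a small margin after it.
    """
    lo = fault - timedelta(seconds=before_s)
    hi = fault + timedelta(seconds=after_s)
    return [uri for ts, uri in attempts if lo <= ts <= hi]


def intervals(faults):
    """Seconds between consecutive faults."""
    return [(b - a).total_seconds() for a, b in zip(faults, faults[1:])]


def is_periodic(faults, tolerance_s=5):
    """True when all gaps agree within tolerance: a timer, not organic traffic."""
    gaps = intervals(faults)
    return len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance_s


def rapid_fail_would_trip(faults, max_failures=5, window=timedelta(minutes=5)):
    """Sliding-window check against the threshold quoted in the thread."""
    for i, start in enumerate(faults):
        if sum(1 for f in faults[i:] if f - start < window) >= max_failures:
            return True
    return False


if __name__ == "__main__":
    faults = parse_faults(FAULTS)
    attempts = parse_map_attempts(SAMPLE_LOG)
    print("URIs near first fault:", uris_near_fault(faults[0], attempts))
    print("gaps (s):", intervals(faults), "periodic:", is_periodic(faults))
    print("Rapid-Fail would trip:", rapid_fail_would_trip(faults))
```

With the posted times every gap is 602 seconds, so the pattern is periodic but stays well under the Rapid-Fail threshold, which is the conclusion reached in the comment.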
http://blogs.coldfusion.com/post.cfm/coldfusion-10-update-5-security-update-now-available
Also, readers of this blog entry on updater 4 will also want to note the other new blog entry here created a couple of days ago, "Tuning ColdFusion 10 IIS Connector configuration":
http://blogs.coldfusion.com/post.cfm/tuning-coldfusion-10-iis-connector-configuration
http://blogs.coldfusion.com/post.cfm/coldfusion-10-support-on-windows-8-and-os-x-mountain-lion
I'm not saying you'll like the answer there (support is still some months away), of course. I'm just proposing that it would be better to offer any further discussion there, rather than here, especially for others interested in the matter who might be following that entry and its comments.
Could you help me please, I'm running a Windows Server 2003 SP2 and am trying to install CF10, and it just can not, and WILL not install, I've spent many hours so far and got nowhere. The Win 2k3 server is a hosted OS running under Hyper-V. The error I get once InstallAnywhere has got to 100% is: Windows error 216 occured while loading the Java VM
Any help much appreciated! :)
Why are we reinstalling the connector? I read on this blog [ http://www.cfdad.com/tag/coldfusion-10/ ] that it fixes a problem with CGI.
http://helpx.adobe.com/coldfusion/kb/coldfusion-10-update-4.html
The update has some connector fixes, which is why you need to reconfigure the connector.