ColdFusion security update for version 9 and above

January 15, 2013 / Shilpi Khariwal 36 Comments

  Security | Adobe ColdFusion | Adobe ColdFusion 10 | web application | web application security

A security update for ColdFusion is now available for versions 10, 9, 9.0.1 and 9.0.2.

If you are on ColdFusion 10, you will see a new Update 7 within the ColdFusion Administrator, available for you to download and install.

Adobe recommends that users apply this update to their product installations. The related security bulletin is APSB13-03.


36 comments so far

  • 1 charlie arehart // Jan 15, 2013 at 11:36 AM
    Users of 9.0.2, beware before applying this update: the cf902.zip file listed there is supposed to have a web-inf.zip within it (as indicated in the instructions), as there indeed is in the 90 and 901 zips.

    Adobe has been informed through other channels. In the meantime, it's not clear what would happen if you applied only the jar and CFIDE portions of the hotfix, without the WEB-INF portion, so it seems best to wait for an official reply here.

    To be clear, this problem with the hotfix files ONLY AFFECTS THOSE ON 9.0.2.

    Those on 10, 9.0.1, and 9.0 should absolutely proceed with the instructions here, for this vital security hotfix.
  • 2 Tyler Clendenin // Jan 15, 2013 at 11:41 AM
    When will Adobe be releasing a new update for CF9? It seems to me that it is well past time.
  • 3 charlie arehart // Jan 15, 2013 at 12:26 PM
    @Tyler, you may want to clarify what you mean. When you say "new update for CF9", I suppose you mean "a new updater for 9.0 and/or 9.0.1 which rolls all the hotfixes in", right?

    I just don't want anyone to read your comment as being related to mine above about the problem with this one hotfix (because there is only need for a "new hotfix file" for 9.0.2, not for 9.0 or 9.0.1.)

    But assuming you do mean what I refer to in the previous paragraph, I would note that Adobe did come out with "9.0.2" in May, which was in fact essentially a "new update for 9" (though it was a full installer, not an updater). It included all the hotfixes and security hotfixes for 9.0 and 9.0.1 as of then, though it also removed Verity (the main reason it came out).

    But to be clear for the benefit of some readers, discussion of a new installer for 9 is separate from the discussion of the hotfix above.

    As for new updaters, there's been a tendency for them to come out only very occasionally because they do require Adobe rebuilding and retesting such an updater for all the OS's and DB's they support, and in all their variations with different releases within each. Lots of permutations, so lots of work.
  • 4 MRC // Jan 15, 2013 at 12:27 PM
    I have CF10, but do not see any updates available in the Administrator page. Is there a URL where it can be downloaded from, with instructions?
  • 5 charlie arehart // Jan 15, 2013 at 12:33 PM
    @MRC, yes there is. Indeed, there is FAR more instruction about the CF10 hotfix mechanism, with that info and lots more, at a previous blog entry here: http://blogs.coldfusion.com/post.cfm/coldfusion-hotfix-installation-guide
  • 6 Tyler Clendenin // Jan 15, 2013 at 12:33 PM
    @charlie yes, my question was separate from the issue you presented. There seems to be a great number of disparate fixes for CF9 but no good place to know where to start. For instance 9.0.2 being a full installer means that if I am running 9.0.1 then I have to apply any following updates manually?

    Really, this page http://www.adobe.com/support/coldfusion/downloads_updates.html , is entirely insufficient for me to determine the state of CF updates and for me to figure out what I need to apply vs. what I have already applied.
  • 7 David Epler // Jan 15, 2013 at 12:46 PM
    @Tyler are you looking for something more like this?
    https://github.com/dcepler/unofficial-updater2/blob/master/cf901-hotfix-matrix.pdf?raw=true

    It isn't updated yet to include APSB13-03. But to fully patch CF 9.0.1 you need to apply CHF2 first and then APSB13-03.
  • 8 charlie arehart // Jan 15, 2013 at 12:53 PM
    @tyler, yes, anyone on 9.0 or 9.0.1 does need to apply any updates that came out after it, manually. (And indeed, even those on 9.0.2 have to apply manually any that came out since May.)

    As for the page you point to, I would agree that it's not got any info on individual hotfixes, nor can it help you assess where you stand on them. It only lists installers and cumulative hotfixes (CHFs): it does not list individual hotfixes (those that come out between cumulatives) nor does it list security hotfixes.

    I would agree that a strong argument could be made that the page ought to at least more clearly link to pages that DO have that other info. Definitely room for improvement.
  • 9 MRC // Jan 15, 2013 at 1:00 PM
    I don't see a link to download the CF10 update; this URL http://www.adobe.com/support/coldfusion/downloads_updates.html still only has the Sept 27, 2012 update, not today's update. Does anyone have a URL handy?
  • 10 charlie arehart // Jan 15, 2013 at 1:13 PM
    @MRC, did you see the link I shared in reply to your first comment? it is only on that page (the other Adobe blog entry) where you can find the URL you need to visit if you want to download the CF10 updates manually, rather than via the Admin interface. And I said it discusses a lot more, which you or others in that situation will reasonably ask.

    For those who might say, "just give me the URL for the hotfixes. I don't want to read the blog entry", it's http://download.adobe.com/pub/adobe/coldfusion/xml/updates.xml.

    Finally, as for the "sep 27" update you refer to on the downloads_updates page, that is ONLY the "mandatory update", which itself needs/needed to be applied by all CF10 users before they could have used the CF10 update mechanism (even within the CF Admin) due to an issue with the Adobe certificate (for all adobe software) that happened just after CF10 came out.

    As always, just trying to help.
  • 11 MRC // Jan 15, 2013 at 1:32 PM
    Yes, I saw the page you posted. It did not have a direct link to the hotfix 7 update; digging through the XML reveals that the link to use in/via your browser is http://download.adobe.com/pub/adobe/coldfusion/hotfix_007.jar to download the JAR file.
  • 12 Tyler Clendenin // Jan 15, 2013 at 2:07 PM
    @david yes, something like that (but official) would be pretty ideal.
  • 13 charlie arehart // Jan 15, 2013 at 2:09 PM
    Um, @MRC, that blog entry "did not have a direct link to the hot fix 7 update" because it was written months ago. I said above that the entry was "where you can find the URL you need to visit if you want to download the CF10 updates manually, rather than via the Admin interface".

    Please don't misunderstand me: I appreciate that for whatever reason you couldn't see the update and needed a solution. That blog entry is that solution, and for FAR MORE than just providing a link to download the updates manually. As I noted (and I'm repeating this for others in your boat), it offers a LOT MORE information that you will reasonably ask/need if you are going to have to download and/or apply the update manually. Really was trying to help.
  • 14 Shilpi Khariwal // Jan 15, 2013 at 7:59 PM
    Hi All,

    There is a mistake in the instructions for ColdFusion 9.0.2. The correct set of instructions is as follows:


    ColdFusion 9.0.2

    1. Download CF902.zip and CFIDE-902.zip. Extract both zip files.

    2. In ColdFusion Administrator, select the System Information page by clicking the icon "i" in the upper-right corner.

    3. In the "Update File" text box, browse and select hf902-00003.jar located under CF902/lib/updates.

    4. Click Submit Changes.

    5. Stop the ColdFusion instance.

    6. Go to the {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf902-00001.jar or hf902-00002.jar exists, delete it. Otherwise, ignore this step.

    7. Go to {CFIDE-HOME} and take a backup of CFIDE folder.

    8. Extract all the files in CFIDE-902.zip to merge in the web root directory that has {CFIDE-HOME} folder.

    9. Start the ColdFusion Instance.

    10. If there are multiple instances, repeat steps 2 through 9 for each instance.

    These instructions have also been updated in the technote.

    Thanks & Regards,
    Adobe ColdFusion Team
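The steps above leave three places where a manual 9.0.2 hotfix install commonly goes wrong and then looks as if it "did nothing": hf902-00003.jar not actually landing in lib/updates (step 3), the older hf902-00001/00002 jars being left behind (step 6), and CFIDE-902.zip being unpacked into a new CFIDE folder nested inside the existing one rather than merged over it (step 8). The following is an added example, not Adobe's code or part of the technote: a small Python checker that walks the directory names given in the instructions and reports those conditions, plus a helper for the step-6 deletion. The demo tree it builds is constructed here and stands in for a real install; the CFIDE/administrator subfolder it creates is an assumption used only to make the sample tree look plausible.

```python
"""Sanity check for the ColdFusion 9.0.2 hotfix layout described above.

Added example, not Adobe's code.  Given a ColdFusion home and a web root,
it reports hf902-00003.jar missing from lib/updates (step 3), the older
hf902-00001/00002 jars left behind (step 6), and CFIDE-902.zip unpacked
into a CFIDE folder nested inside the existing one instead of merged over
it (step 8).  Directory names come from the instructions; the demo tree
is constructed and is not a real install.
"""
import tempfile
from pathlib import Path

HOTFIX_JAR = "hf902-00003.jar"                        # jar selected in step 3
STALE_JARS = ("hf902-00001.jar", "hf902-00002.jar")   # jars deleted in step 6


def updates_dir(cf_home, multiserver=False):
    """lib/updates location from step 6: Server vs Multiserver/J2EE layout."""
    cf_home = Path(cf_home)
    if multiserver:
        return cf_home / "WEB-INF" / "cfusion" / "lib" / "updates"
    return cf_home / "lib" / "updates"


def check_hotfix_state(cf_home, webroot, multiserver=False):
    """Return a dict of findings; 'ok' is True only when nothing is wrong."""
    upd = updates_dir(cf_home, multiserver)
    cfide = Path(webroot) / "CFIDE"
    findings = {
        "hotfix_jar_present": (upd / HOTFIX_JAR).is_file(),
        "stale_jars": sorted(j for j in STALE_JARS if (upd / j).exists()),
        "cfide_present": cfide.is_dir(),
        # CFIDE/CFIDE is the classic "unzipped into the wrong place" mistake
        "nested_cfide": (cfide / "CFIDE").is_dir(),
    }
    findings["ok"] = (
        findings["hotfix_jar_present"]
        and not findings["stale_jars"]
        and findings["cfide_present"]
        and not findings["nested_cfide"]
    )
    return findings


def remove_stale_jars(cf_home, multiserver=False):
    """Step 6: delete hf902-00001.jar / hf902-00002.jar if present.

    Run this only with the ColdFusion instance stopped (step 5)."""
    upd = updates_dir(cf_home, multiserver)
    removed = []
    for jar in STALE_JARS:
        path = upd / jar
        if path.exists():
            path.unlink()
            removed.append(jar)
    return removed


def build_layout(root, *, multiserver=False, stale=(), nested_cfide=False):
    """Constructed directory tree standing in for an install (demo/test only)."""
    root = Path(root)
    cf_home, webroot = root / "coldfusion9", root / "wwwroot"
    upd = updates_dir(cf_home, multiserver)
    upd.mkdir(parents=True)
    (upd / HOTFIX_JAR).touch()
    for jar in stale:
        (upd / jar).touch()
    # 'administrator' subfolder is an assumption to make the tree plausible
    (webroot / "CFIDE" / "administrator").mkdir(parents=True)
    if nested_cfide:
        (webroot / "CFIDE" / "CFIDE" / "administrator").mkdir(parents=True)
    return cf_home, webroot


def demo():
    """Check a botched Server install, repair step 6, then a clean Multiserver one."""
    with tempfile.TemporaryDirectory() as tmp:
        cf, www = build_layout(Path(tmp) / "bad",
                               stale=["hf902-00001.jar"], nested_cfide=True)
        before = check_hotfix_state(cf, www)
        removed = remove_stale_jars(cf)
        after = check_hotfix_state(cf, www)      # still not ok: nested CFIDE remains
        cf2, www2 = build_layout(Path(tmp) / "good", multiserver=True)
        good = check_hotfix_state(cf2, www2, multiserver=True)
    return before, removed, after, good


if __name__ == "__main__":
    for label, result in zip(("before", "removed", "after", "good"), demo()):
        print(label, result)
```

Point `check_hotfix_state` at the real {ColdFusion-Home} and the web root that holds {CFIDE-HOME} (pass `multiserver=True` for Multiserver/J2EE) after step 9; a `nested_cfide` hit means the CFIDE merge in step 8 has to be redone from the backup taken in step 7.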
  • 15 charlie arehart // Jan 15, 2013 at 9:54 PM
    Thanks so much for the clarification, Shilpi. Now all can proceed, as they rightly should, to apply the update! :-)

    In case it may help anyone, I'll note that I have a new "part 3" to the series of blog entries I'd been doing on this recent threat. In it, I share some more info on questions some may have (and have had) on the new hotfix:

    http://www.carehart.org/blog/client/index.cfm/2013/1/15/Part3_serious_security_threat
  • 16 josh // Jan 15, 2013 at 11:19 PM
    The technote says that after the hotfix, there is an extra administrator option to disable rds: 'Administrator > Security > RDS'

    I do not see this option. Is this option only available when you installed RDS when installing CF? Or must this option be available nonetheless
  • 17 Shilpi Khariwal // Jan 15, 2013 at 11:25 PM
    This option should be available even if RDS is disabled. Which CF version are you trying?
  • 18 Michael Charbonneau // Jan 16, 2013 at 8:03 AM
    I have CF10 and the Administrator's server update page shows no update available and that no updates are even installed, which is odd because we have installed the CF10 mandatory update. The server version in the settings panel reads ColdFusion 10,283111. Any suggestions on how to fix this?
  • 19 charlie arehart // Jan 16, 2013 at 8:44 AM
    @josh, I'll note that I am on CF 9.0.2 and after applying this hotfix I do now see the new "enable RDS" feature in the Admin. (For those who didn't know, it was a feature already available in CF10, but it's added to 9/901/902 by way of this update.)

    I can propose a couple of reasonable explanations that you are not seeing it (which I grant, neither may be your issue). The challenges have to do with the process of applying the update, which involved extracting files for the CFIDE folder.

    It could either be that you extracted it into a location that is NOT where your CF Admin is looking (for its use of the CFIDE folder). Or it could be that you have only one location, and put it in the right place, but when you extracted it, the unzip tool inadvertently placed a new CFIDE folder WITHIN the one you told it to update. I see both problems all the time in my CF server troubleshooting consulting.

    Rather than elaborate the details, if those cues don't suffice, I would point you (and interested readers) to a blog entry I did on this: http://www.carehart.org/blog/client/index.cfm/2011/10/21/why_chfs_may_break

    Let us know if that or the above help, or not.
  • 20 charlie arehart // Jan 16, 2013 at 8:51 AM
    @Michael, that's not as unusual as you'd expect. And in fact, it's addressed as one of the 50 FAQs in the Adobe team blog entry on the CF10 updater, which I referred to above for another question. It's at http://blogs.coldfusion.com/post.cfm/coldfusion-hotfix-installation-guide. See specifically the question, "When I clicked on "Check for Updates" Button no Updates are shown and it says that No updates were found why?"

    It also points out the fix-specific logs available which you could check, which may give additional diagnostic information.

    Let us know if that helps.
  • 21 Phil Cruz // Jan 16, 2013 at 11:19 AM
    For previous updates to CF10, it was necessary to reconfigure the IIS connectors. I read the installation technote for update 7 and it doesn't mention that. Can anyone confirm you need to reconfigure the connectors or do you simply need to run the updater from CF admin? Thanks.
  • 22 Ryan // Jan 16, 2013 at 2:45 PM
    Does the latest security fix include all previous ones? I see that David Epler says '... to fully patch CF 9.0.1 you need to apply CHF2 first and then APSB13-03.'

    Can i just get a confirmation on that? I thought in the past we had to do one update after another on CF 9.
  • 23 Peter Tilbrook // Jan 16, 2013 at 3:25 PM
    Ryan,

    The patches are cumulative. Install this current patch and it includes all fixes previously released.
  • 24 Toine // Jan 17, 2013 at 1:22 AM
    @josh @charlie, We have the same problem here. After applying update 7 our version became 10,0,7,283649, which seems to be fine, but there is no extra administrator option to disable RDS ('Administrator > Security > RDS').
  • 25 Seybsen // Jan 17, 2013 at 7:00 AM
    After installing this hotfix we are experiencing problems with cflogin and sessions. I can't really figure out how to reproduce this problem, but the browsers are sending multiple cookies named CFID/CFTOKEN, and since reading them seems to be a problem for CF, a new session is created on every request. Clearing cookies in the browser solves the issue. It occurred in the latest Chrome and IE8 so far.
  • 26 Shilpi Khariwal // Jan 17, 2013 at 8:02 AM
    Hi All, for ColdFusion 10, there was already an option to enable/disable RDS from the administrator console (Administrator > Security > RDS). For ColdFusion 9.0.X this option is newly added.
  • 27 Josh // Jan 17, 2013 at 8:16 AM
    @shilpi: we are on cf 10 and have never had this option. The only options we have under 'security' are 'resource security' and 'change password'.
    Are you sure everybody, always, should have this option? Or does it depend on the options you choose while installing?
  • 28 Shilpi Khariwal // Jan 17, 2013 at 9:33 AM
    Hi Josh,

    the mentioned options are available for Root admin user only. Are you logging in from root user or another user?

    Shilpi
  • 29 Josh // Jan 17, 2013 at 11:55 PM
    @shilpi: ah! That explains things! I didn't know that there were differences in options for root users and extra users I created.
    Sorry for the inconvenience!
  • 30 Steve // Jan 18, 2013 at 9:21 AM
    On CF 10 (update 5) my Updates page shows this at the top when attempting to update:


    ColdFusion 10 Update 7 - Continue installation
    ColdFusion 10 Update 6 - Continue installation
    Progress Information
    Progress Information
    Error
    Confirm overwrite
    Uninstall Confirmation

    Download does nothing.

    when I opened up the console log I'm getting:

    ReferenceError: ColdFusion is not defined
    ReferenceError: downloadService is not defined

    Any ideas? Everything else in Administrator seems to be working fine. It was installed using the CF 10 lockdown guide if that's any help.
  • 31 Doug // Jan 18, 2013 at 12:48 PM
    Is anyone having issues with the hotfix on 9.0.1? We've updated and now we are getting 500 errors on some forms - like the form data is not posting at all. It is not happening with all forms (or on all applications). Can't pin down what is happening yet - just wanted to see if anyone else was experiencing any issues.
  • 32 David Epler // Jan 18, 2013 at 1:16 PM
    @Doug,

    There was a change made in APSB12-06 that put a limit on the number of form post fields that ColdFusion could process. And since the security hotfixes are cumulative it is included in APSB13-03. You can either see the note in:
    http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix.html

    Or a better writeup is here:
    http://www.cutterscrossing.com/index.cfm/2012/3/27/ColdFusion-Security-Hotfix-and-Big-Forms

    @Adobe, APSB13-03 really should include all the other notes that are on previous security hotfixes otherwise others that have not stayed up to date with them will miss the information.
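The failure mode described in the comment above (a cap on the number of form fields a request may carry, carried into the cumulative hotfix, so only some forms start failing) is easiest to chase by finding which forms can exceed the cap before users do. The following is an added example, not Adobe's code and not taken from the linked articles: a Python script that counts the most name=value pairs each form on a page would submit, following the HTML form-submission rules (named, non-disabled controls; one pair per radio group; every option of a multi-select; the clicked submit button) rather than ColdFusion's internal counter. The limit is passed in as a parameter because the page does not state its default; use the value shown in the Administrator. The sample HTML is constructed.

```python
"""Find forms likely to exceed ColdFusion's POST parameter limit.

Added example, not Adobe's code.  Counts the worst-case number of
name=value pairs each form would submit, so forms to compare against the
limit configured in the Administrator stand out.  Follows HTML
form-submission rules, not ColdFusion's own counter.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser


@dataclass
class _FormState:
    label: str
    pairs: int = 0              # controls that always send exactly one pair
    submit: bool = False        # a named submit button sends one pair (the clicked one)
    in_multi: bool = False      # currently inside <select multiple>
    radio: set = field(default_factory=set)  # one pair per radio group name


class FormCounter(HTMLParser):
    """Tallies submitted pairs per <form>; unnamed/disabled controls are skipped."""

    def __init__(self):
        super().__init__()
        self.forms = []         # (label, worst-case pair count) per form
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = _FormState(a.get("id") or a.get("name") or f"form#{len(self.forms) + 1}")
            return
        f = self._cur
        if f is None or "disabled" in a:
            return              # outside any form, or control is never submitted
        if tag == "option" and f.in_multi:
            f.pairs += 1        # worst case: every option of a multi-select is chosen
            return
        name = a.get("name")
        if not name:
            return              # unnamed controls are not submitted
        if tag == "input":
            kind = (a.get("type") or "text").lower()
            if kind == "radio":
                f.radio.add(name)
            elif kind in ("submit", "image"):
                f.submit = True
            elif kind not in ("button", "reset"):
                f.pairs += 1
        elif tag == "select":
            if "multiple" in a:
                f.in_multi = True
            else:
                f.pairs += 1
        elif tag == "textarea":
            f.pairs += 1
        elif tag == "button":
            if (a.get("type") or "submit").lower() == "submit":
                f.submit = True

    def handle_endtag(self, tag):
        f = self._cur
        if f is None:
            return
        if tag == "select":
            f.in_multi = False
        elif tag == "form":
            self.forms.append((f.label, f.pairs + len(f.radio) + (1 if f.submit else 0)))
            self._cur = None


def count_post_fields(html):
    """Map each form's id/name to the most name=value pairs it can submit."""
    parser = FormCounter()
    parser.feed(html)
    parser.close()
    return dict(parser.forms)


def forms_over_limit(html, limit):
    """Forms whose worst-case submission exceeds the configured parameter limit."""
    return [label for label, n in count_post_fields(html).items() if n > limit]


# Constructed sample page, not taken from any real application.
SAMPLE_HTML = """
<form id="big" method="post" action="/save.cfm">
  <input name="first"> <input name="last"> <input type="email" name="mail">
  <input type="radio" name="plan" value="a"> <input type="radio" name="plan" value="b">
  <select name="tags" multiple><option>x</option><option>y</option><option>z</option></select>
  <textarea name="notes"></textarea>
  <input type="hidden" name="tok" disabled>
  <input type="submit" name="go" value="Save">
</form>
<form id="small" method="post" action="/login.cfm">
  <input name="user"> <input type="password" name="pass">
  <button type="button" name="help">Help</button>
</form>
"""

if __name__ == "__main__":
    print(count_post_fields(SAMPLE_HTML))   # {'big': 9, 'small': 2}
    print(forms_over_limit(SAMPLE_HTML, 5)) # ['big']
```

Run it over the rendered HTML of the pages that return 500s; any form listed by `forms_over_limit` with the Administrator's current limit is a candidate, and raising that limit or splitting the form are the two fixes the linked write-ups discuss.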
  • 33 Peter Tilbrook // Jan 18, 2013 at 1:20 PM
    Dough there was a change. If you have BIG forms there is an area in the CFAdmin that limits the size of form post data. I think the default was 200. You can increase that to say 300, 400. Might require a server restart. I think this was an Adobe effort at security but not sure for what. Just got my Win7/Win8 system set up so not sure where to look for the setting. FORM POST DATA LIMIT or something. Charlie???
  • 34 Peter Tilbrook // Jan 18, 2013 at 1:21 PM
    Doh! Doug! Sorry! Long week!
  • 35 Ryan // Jun 10, 2013 at 1:37 PM
    I am having some issues with the CF901 hotfix. I have applied the hotfix as noted at http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-03.html.

    The first instance worked just fine and I can log back into CFAdmin. However, if I attempt to log in to CFAdmin on the other instance, I receive ColdFusion errors. One of them is 'Variable GETCSRFTOKEN is undefined'.

    Is there anything we need to take into account for multiple instances? Has anybody else applied a hotfix to a multi-instance ColdFusion server?
  • 36 Ryan // Jun 10, 2013 at 1:57 PM
    To answer my own question, restarting the server seemed to do the trick. I will reply if I notice any other issues.
