A new security update is available for ColdFusion versions 9.0, 9.0.1, 9.0.2 and 10.0. This hotfix addresses the security issues specified in the technote here. Here is the link to the security bulletin for this hotfix. It also includes a few important bug fixes for ColdFusion 10, as specified here.

We recommend locking down your server by following the lockdown guide and disabling unused features in production environments.

12 Comments to “New Security Update Available for ColdFusion 9.0, 9.0.1, 9.0.2 and 10”

  1. David Epler
    The instructions on the technote are incorrect for Section 2. The CF9.zip, CF901.zip and CF902.zip under section 2 *DO NOT* contain the CF9, CF901, and CF902 directories as listed (like previous ones APSB13-13). All three of the zips start with /lib inside the given zip.

    The Section 1 zips do contain the files with the CF9, CF901, or CF902 directory in the given zips.
  2. Pavankumar
    We will be updating it as soon as possible.

    Thanks.
  3. Josh
    Is it necessary to reconfigure/rebuild the connector for all sites, or is upgrading them (Upgrade_all_connectors.bat) enough?

    The problem with reconfiguring them is that the CFIDE virtual folder is created in all sites, and I must manually delete this folder for all my sites.
  4. Josh
    P.S. This blog does not have a background colour set in the CSS. So if your browser is set to a default background colour other than white, that colour is displayed. It's better to change the background colour of the html/body to white, I think.
  5. Pavankumar
    We have updated the packages CF9.zip, CF901.zip and CF902.zip under section 2.

    @Josh, if you are on ColdFusion version 10 update 11, you do not need to re-configure the connectors.
  6. Josh
    @Pavankumar: Thanks for your response! Maybe the technote can be specific about that.
    For future updates: is upgrading the connectors with Upgrade_all_connectors.bat always enough? Or does that depend on the update?
  7. Paul
    +1 for clearer connector instructions in update docs.

    When the update doc states, "reconfigure the connectors using wsconfig tool", I understood that to mean, remove and recreate the connector, as there is no option to reconfigure in the wsconfig tool. Having a couple dozen servers with custom config files, it's a pain to recreate them.

    I did take a snapshot of my test server and did the install twice, once recreating the connector and another with no changes to the connector. I have seen no difference, as @Pavankumar validated in saying " if you are on coldfusion version 10 update 11 you do not need to re-configure the connectors."
  8. Sumit Verma
    Good to know that we don't need to re-configure the connector. It will be great if the connector has an option not to create the CFIDE virtual folder, as deleting them from all the sites is a pain.
  9. Brad Wood
    Can you comment on whether the critical fix was for a 0-day present in update 11 or not? There seems to be some conflicting information as per the last couple paragraphs of this article:

    http://krebsonsecurity.com/2013/11/zero-days-rule-novembers-patch-tuesday/
  10. Hemant Khandelwal
    Our official communication on reporting and finding details on security incidents is via Adobe product security. They can be reached on PSIRT(at)adobe(dot)com.
  11. Hemant Khandelwal
    This blog post has very detailed information on any CF10 hotfix. http://blogs.coldfusion.com/post.cfm/coldfusion-hotfix-installation-guide

    For example, if your server is behind a firewall without access to the internet, the above blog describes how to download and install the patch directly.
  12. Seybsen
    [...] If you get the following error when installing the update using the Download and Install option, ensure that the folder {cf_install_home}/{instance_name}/hf_updates has write permission [...]

    The correct path is {cf_install_home}/{instance_name}/hf-updates