Today, a priority 2 update was released, addressing an important vulnerability in ColdFusion 10 and earlier. It also addresses this vulnerability for ColdFusion 8.0.1 and ColdFusion 8. Adobe recommends updating your ColdFusion servers. Here is the link to the security bulletin.

This hot-fix resolves a vulnerability which could result in a Denial of Service (DoS) attack: CVE-2012-2048. You should update your sandboxes to add the GetPageContext() method to the disabled functions list.
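Before adding GetPageContext() to a sandbox's disabled functions list, it helps to know which templates call it. The following is an added example, not Adobe's code or part of the hot-fix: a Python scan that reports GetPageContext() call sites in CFML source while skipping nested `<!--- --->` comments. The file extensions and the sample template are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

CFML_EXTENSIONS = {".cfm", ".cfc", ".cfml"}  # assumed set of template extensions
CALL_RE = re.compile(r"\bGetPageContext\s*\(", re.IGNORECASE)  # CFML names are case-insensitive

def strip_cfml_comments(text):
    """Drop <!--- ... ---> comments (CFML comments nest); keep newlines so line numbers hold."""
    out, depth, i = [], 0, 0
    while i < len(text):
        if text.startswith("<!---", i):
            depth, i = depth + 1, i + 5
        elif depth and text.startswith("--->", i):
            depth, i = depth - 1, i + 4
        else:
            if depth == 0 or text[i] == "\n":
                out.append(text[i])
            i += 1
    return "".join(out)

def find_calls(text):
    """Return (line, source) per GetPageContext() call outside tag comments; cfscript comments are not stripped."""
    lines = strip_cfml_comments(text).splitlines()
    return [(n, line.strip()) for n, line in enumerate(lines, 1) if CALL_RE.search(line)]

def scan_tree(root):
    """Map each CFML file under root to its call sites."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in CFML_EXTENSIONS:
            hits = find_calls(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample template, not taken from any real application.
SAMPLE = """<cfset resp = getPageContext().getResponse()>
<!--- outer <!--- inner ---> still a comment: GetPageContext() --->
<cfscript>
    ctx = GetPageContext ();
    name = myGetPageContext();
</cfscript>
"""

if __name__ == "__main__":
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"sample": find_calls(SAMPLE)}
    for path, hits in found.items():
        for n, line in hits:
            print(f"{path}:{n}: {line}")
```

Run it with a webroot path as the only argument to scan real templates; with no argument it scans the embedded sample.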

For ColdFusion 10, use the updater to get this update. This is update 2, and it includes the previous update 1 for ColdFusion 10.

The details can be found in the tech note here.

Note: This is the last Security Hot-Fix for ColdFusion 8.0.1 & 8.

5 Comments to “Security Hot-Fix for ColdFusion - September 2012”

  1. Myka
    After we installed this update, our onError function started dumping an empty error struct.
    Message: [empty string]
    StackTrace: java.lang.NullPointerException
    TagContext: Error - array[empty]
    Type: java.lang.NullPointerException

    What caused this and how can we fix it?
  2. Shilpi Khariwal
    Hi Myka,

    Is it possible to share the stack trace? It will help us find the cause faster. You can send it to or paste here.
  3. Myka
    As I indicated above, the stack trace is just a java.lang.NullPointerException.
  4. Shilpi Khariwal
    Which is really weird. Is there nothing in the logs as well? And if the answer to the above is true, is it possible to share the piece of code which is part of onError()?
  5. mint34
    We are running CF 8.0.1, and after we installed the patch the ColdFusion Administrator stopped working. The website continues to work properly. Did this happen to anyone else?
    How do I access the CF Admin with this new patch applied?

    Thank you.
