ColdFusion Security Hotfixes Released
August 18, 2009
Adobe posted several critical hotfixes for ColdFusion and JRun yesterday in Security Bulletin APSB09-12.
I discovered one of the XSS vulnerabilities, and I will post details about it soon. In the meantime, please patch your servers.
Thanks for the heads up. Ouch, so many fixes in one go makes it a bit of a nightmare (testing then applying to all servers).
Hotfix 1873 is supposed to stop the viewing of any file on the server. e.g. http://[server]/server/[profile]/logging/logviewer.jsp?logfile=../../../../../../../boot.ini
But a regular CF install doesn't include a file called logviewer.jsp. It also refers to a "runtime" directory but CF doesn't have one. Surely then this hotfix isn't necessary for CF installs, perhaps only users of a standalone JRun install?
Hotfix 1876 does scary stuff in a cmd prompt with the Connector Upgrade. The readme only mentions the Apache web server so does that mean IIS users don't need to run it? I tried it on a test box with IIS and it ran okay. I'd love to know if this has been tested on a clustered IIS environment as it can take ages to get a cluster running smoothly. (Pete, I know you probably don't have the answers, just saying though.)
Any idea which of the 7 hotfixes are the most relevant and critical to CF please? Adobe don't give any details away.
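The logviewer.jsp request in the comment above is a path traversal, so the useful check on the defending side is whether any such requests have already hit your servers. The following is an added example, not code from this post or from Adobe: a small Python scanner over constructed common-log-format access-log lines that flags logfile values escaping the log directory, including URL-encoded and double-encoded forms. The log lines, IP addresses and the "default" JRun server name are constructed sample data.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not real server data.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Aug/2009:10:01:02 -0400] "GET /server/default/logging/logviewer.jsp?logfile=default-event.log HTTP/1.1" 200 5120
10.0.0.9 - - [18/Aug/2009:10:01:07 -0400] "GET /server/default/logging/logviewer.jsp?logfile=../../../../../../../boot.ini HTTP/1.1" 200 210
10.0.0.9 - - [18/Aug/2009:10:01:09 -0400] "GET /server/default/logging/logviewer.jsp?logfile=..%2F..%2F..%2Fboot.ini HTTP/1.1" 200 210
10.0.0.9 - - [18/Aug/2009:10:01:11 -0400] "GET /server/default/logging/logviewer.jsp?logfile=%2e%2e/%2e%2e/%2e%2e/boot.ini HTTP/1.1" 200 210
10.0.0.7 - - [18/Aug/2009:10:02:00 -0400] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 302 0
"""

# client ip, timestamp, method, request target, status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_traversal(value: str) -> bool:
    """True if a logfile value escapes its directory once fully URL-decoded."""
    decoded = value
    for _ in range(3):  # peel repeated (double/triple) URL-encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")  # treat Windows separators like '/'
    return decoded.startswith("/") or any(seg == ".." for seg in decoded.split("/"))


def find_logviewer_traversals(log_text: str):
    """Return one record per request that used logviewer.jsp with a traversing logfile."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith("/logging/logviewer.jsp"):
            continue
        # parse_qs already decodes one layer; is_traversal handles the rest
        for value in parse_qs(parts.query, keep_blank_values=True).get("logfile", []):
            if is_traversal(value):
                hits.append({"ip": ip, "time": ts, "logfile": value, "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in find_logviewer_traversals(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request means the file was likely served, which is the case to escalate; a 404 or 403 still records an attempt worth correlating by source address.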
Those are all excellent questions, I will interject what I can but hopefully we can get some more info from Adobe.
The hotfixes CVE-2009-1872, CVE-2009-1877, CVE-2009-1875, and CVE-2009-1878 should apply to all ColdFusion customers.
The hotfix CVE-2009-1876 may only apply to Apache, but that should be clarified by Adobe.
The hotfix for CVE-2009-1873 and CVE-2009-1874 should apply to ColdFusion customers that have installed ColdFusion in multiserver mode (aka J2EE install) with JRun. So if you are using Standard edition you shouldn't have to worry about that one.
I hope that helps clarify things a bit.
Thanks Pete. I'm running multi instance mode. Still not certain about doing 1876. If there was more tech info about the security issue I would test to see if my installs are vulnerable and if there's another way to fix. e.g. at the firewall level.
@Pete thanks and nice work finding the xss vulnerabilities.
@gary I feel your pain trying to deploy this update. I've got 3 servers to do and all the separate instruction text files and binaries to sort through is making this more of a headache than it should be.
UPDATE: just found a post via a tweet which lists all the update instructions and file links on one single printable page at: http://www.coldfusionsecurity.org/post.cfm/help-applying-coldfusion-hotfixes-for-vulnerability-apsb09-12
This should save some time but I'm still wondering why Adobe couldn't have done this themselves or bundled all these 'critical's into one zip or *gasp* an auto updater...I can dream can't I?
CF8 on Windows XP with IIS 5.0: CVE-2009-1872 and CVE-2009-1877 worked fine.
CVE-2009-1875 worked fine.
CVE-2009-1876 broke CF twice - must only apply to Apache or later versions of IIS.
CVE-2009-1878 installs, but the CF Admin does not register it. This seems to back up other reports that the guts of 1878 is actually 1875.
Can anyone confirm the issues with CVE-2009-1878 as well as the wsconfig.jar upgrade for IIS please?
"CVE-2009-1878 installs, but the CF Admin does not register it. This seems to back up other reports that the guts of 1878 is actually 1875.
Can anyone confirm the issues with CVE-2009-1878 as well as the wsconfig.jar upgrade for IIS please?"
I have the same problem.
Guys, according to an Adobe Engineer the 1876 hotfix is for Apache only; it is not required for IIS.
I've posted some additional comments about that hotfix here: http://www.petefreitag.com/item/712.cfm
Sorry, I have a silly question, hope you will bear with me. One of the above comments says 1873 and 1874 are only for J2EE.
I'm running a standalone on Windows, but there is also a JRun.exe process. Does JRun need patching or not? Do I need to update JRun and apply these patches?
Thanks for your help!
@Andrew if you are running standalone then you should not have to install 1873 or 1874, they are both for the JRun management console web application which typically runs on port 8000. You would not have that installed if you are running standard.