ColdFusion wsconfig Hotfix CVE-2009-1876 is for Apache Only
There has been some confusion over the ColdFusion web server connector (wsconfig.jar) hotfix CVE-2009-1876 which is part of Adobe Security Bulletin APSB09-12.
Whether or not this hotfix is required on IIS has been a question posed by many. This was finally clarified in a comment on Ben Forta's blog, where Adobe engineer Asha states:
Hotfix CVE-2009-1876 is only needed if you are using Apache as webserver; it is not required if you are using IIS.
Granted, it would be nice to have a statement that clear in the Adobe Security Bulletin itself; regardless, I would hold off on trying to install this hotfix if you are running IIS. I've heard reports of it screwing up IIS.
I've heard various other reports about this hotfix not working properly on 64-bit Mac OS X (it tries to install the 32-bit connector, which won't work if you are running 64-bit Apache).
The workaround, instead of using the wsconfig command, is to unzip the wsconfig.jar file, look in connectors/apache/{your.os}/prebuilt/ (where {your.os} could be a folder named intel-macosx64, for example), and copy the proper .so file into your {cf.root}/lib/wsconfig/1 directory (make a backup of the existing files first), then restart Apache. Credit for that goes to Andy Allen on Twitter.
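The manual connector install described above, written out as a small POSIX shell script. This is an added example, not code from the original post or from Adobe; it assumes you have already unzipped wsconfig.jar into a directory (for example with `unzip wsconfig.jar -d /tmp/wsconfig`), that you pass the platform folder name under connectors/apache (such as intel-macosx64) and your {cf.root}, and that the connector module is the single .so in the prebuilt folder. The function names, the backup directory naming and the sample file names in the comments are my own choices, not anything Adobe ships.

```shell
#!/bin/sh
# Manual wsconfig Apache connector install (added example, not from the original post).
# Usage: sh install-connector.sh <extracted-wsconfig-dir> <platform-folder> <cf-root>
#   e.g. sh install-connector.sh /tmp/wsconfig intel-macosx64 /opt/coldfusion8
# Running it with no arguments only defines the functions.
set -eu

# Locate the prebuilt connector .so for the given platform folder and print its path.
# Fails (exit 1) if the platform folder or the .so is missing, so nothing gets copied
# from the wrong architecture directory.
find_prebuilt_connector() {
    extracted="$1"; platform="$2"
    dir="$extracted/connectors/apache/$platform/prebuilt"
    [ -d "$dir" ] || { echo "no prebuilt directory for '$platform' at $dir" >&2; return 1; }
    so=$(ls "$dir"/*.so 2>/dev/null | head -n 1)
    [ -n "$so" ] || { echo "no .so file found in $dir" >&2; return 1; }
    echo "$so"
}

# Back up the current contents of {cf.root}/lib/wsconfig/1, then copy the connector in.
# Apache is deliberately not restarted here; the script prints the step instead.
install_prebuilt_connector() {
    extracted="$1"; platform="$2"; cf_root="$3"
    so=$(find_prebuilt_connector "$extracted" "$platform") || return 1
    target="$cf_root/lib/wsconfig/1"
    mkdir -p "$target"
    backup="$cf_root/lib/wsconfig/1.bak.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup"
    # Keep a copy of every existing file before overwriting anything.
    if ls "$target"/* >/dev/null 2>&1; then
        cp -p "$target"/* "$backup"/
    fi
    cp -p "$so" "$target"/
    # If file(1) is available, show the architecture so it can be compared with `httpd -V`.
    if command -v file >/dev/null 2>&1; then
        file "$target/$(basename "$so")"
    fi
    echo "installed $(basename "$so") into $target (previous files saved in $backup)"
    echo "next step: restart Apache, e.g. sudo apachectl restart"
}

case $# in
    0) ;;  # no arguments: functions are defined, nothing is installed
    3) install_prebuilt_connector "$1" "$2" "$3" ;;
    *) echo "usage: $0 <extracted-wsconfig-dir> <platform-folder> <cf-root>" >&2; exit 2 ;;
esac
```

The backup directory is created next to the wsconfig/1 directory rather than inside it, so a later wsconfig run does not pick up stale copies of the old module. Compare the output of `file` on the installed .so with `httpd -V` (or `apachectl -V`) to confirm the connector and Apache are the same bitness before restarting.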
Comments
On 08/21/2009 at 12:14:15 PM EDT Phil Duba wrote:
Pete, thanks for posting this and referencing it on Ben's blog.
On 08/21/2009 at 4:50:50 PM EDT Gary F wrote:
I ran that hotfix on our dev server (anyone running them on prd without testing elsewhere first is crazy!)
Surprisingly it worked even though I was totally stumped by the readme file referencing only Apache. Thankfully I took the decision not to apply 1876 to the prd servers. While it's good to get security hotfixes I'm not impressed by Adobe's documentation or the duplicate .jar files. Just 10 minutes more effort on their part would have made all 7 hotfixes less confusing. I hope it hasn't deterred people from applying them.