ColdFusion wsconfig Hotfix CVE-2009-1876 is for Apache Only

August 20, 2009
coldfusion

There has been some confusion over the ColdFusion web server connector (wsconfig.jar) hotfix CVE-2009-1876 which is part of Adobe Security Bulletin APSB09-12.

Whether or not this hotfix is required on IIS has been a question posed by many. This was finally clarified in comment on Ben Forta's Blog, Adobe Engineer Asha states:

Hotfix CVE-2009-1876 is only if you are using Apache as webserver it is not required if you are using IIS.

Granted it would be nice to have a statement that clear in the Adobe Security Bulletin, regardless I would hold off on trying to install this hotfix if you are running IIS. I've heard reports of IIS getting screwed up.

I've heard other various reports about this hotfix not working properly on Mac OSX 64 bit (it tries to install the 32 bit connector, which won't work if you have 64 bit Apache).

The workaround to using the wsconfig command is to unzip the wsconfig.jar file, then look in connectors/apache/{your.os}/prebuilt/ (where {your.os} could be a folder named intel-macosx64 for example) and copy the proper .so file into your {cf.root}/lib/wsconfig/1 directory (make a backup of existing files first), then restart Apache. Credit for that via Andy Allen on Twitter.


| Add Comment | add to del.icio.us | Tags: , , , ,

Related Entries

This entry was:

 Download FuseGuard WAF for ColdFusion

Trackbacks

Trackback Address: 712/825357520563BB1C88F5BEE12283AA49

Comments

On 08/21/2009 at 2:14:15 PM EDT Phil Duba wrote:
1
Pete, thanks for posting this and referencing it on Ben's blog.

On 08/21/2009 at 6:50:50 PM EDT Gary F wrote:
2
I ran that hotfix on our dev server (anyone running them on prd without testing elsewhere first is crazy!)

Surprisingly it worked even though I was totally stumped by the readme file referencing only Apache. Thankfully I took the decision not to apply 1876 to the prd servers. While it's good to get security hotfixes I'm not impressed by Adobe's documentation or the duplicate .jar files. Just 10 minutes more effort on their part would have made all 7 hotfixes less confusing. I hope it hasn't deterred people from applying them.

On 04/17/2012 at 4:11:03 AM EDT Brian G wrote:
3
I know this is an old post but I thought it was worth noting that the mod_jrun compiled from wsconfig.jar is a prett broken implementation. Apache will not support mod_gzip compression out of the box. You can correct it using my notes here: http://www.ghidinelli.com/2007/11/09/make-mod_deflate-work-reliably-with-mod_jrun-and-coldfusion-mx

Post a Comment




  



Spell Checker by Foundeo

Recent Entries



foundeo


did you hack my cf?



Archives:
2013 2012 2011 2010 2009 2008 2007 2006 2005 2004 2003 2002