Java 1.6.0_24 Released Patches DOS Vulnerability


As mentioned last week, a pretty serious Denial of Service vulnerability in the Java Virtual Machine was disclosed. It is important that you look into resolving this issue if you run any Java-based server-side applications (including ColdFusion).

Yesterday Oracle released Java 1.6.0_24, which fixes the DOS issue. They also issued a patch last week that you can use if you don't want to upgrade your JVM. If you have the JVM set to auto-update on Windows, installing the patch might break the auto-update functionality, so you should instead install the 1.6.0_24 release.

Update: Java version 1.6.0_24 has been certified for use on ColdFusion 8.0 - 9.0.1; see the KB article. Download link for Java 1.6.0_24.

Update: We have added a probe feature, available to paid subscribers of HackMyCF, which will alert you when you need to update your JVM.




Comments

On 02/17/2011 at 5:21:02 PM EST Jose wrote:
1
Is this JVM compatible with CF 9 Enterprise? Even better, does Adobe publicize which JVMs are compatible with each version of CF? I'm concerned that changing the JVM will break CF.

On 02/17/2011 at 5:38:24 PM EST Pete Freitag wrote:
2
@Jose - Adobe has not released a statement about this issue as it relates to ColdFusion.

Adobe does publish which JVMs are supported for ColdFusion 9 in the release notes support matrix: http://www.adobe.com/products/coldfusion/systemreqs/#supportmatrix Right now it lists 1.6_17 for Windows and Linux.

So that means that Adobe has certified ColdFusion 9 to run on that version of the JVM, and if you try and call tech support they will expect that you are running that version of the jvm. If you upgrade your JVM to a newer version that is not supported you may not get support.

If you do have a support contract you might want to contact Adobe and see what they have to say about it.

I personally have not found many problems when upgrading the JVM version to the latest, just be sure to test on a staging server first. It's not terribly difficult to roll back to a prior jvm version if you need to.

On 03/17/2011 at 11:12:47 PM EDT Marc wrote:
3
Adobe ColdFusion 8 and 9 now officially support JDK 1.6.0_24 according to http://kb2.adobe.com/cps/894/cpsid_89440.html and http://forta.com/blog/index.cfm/2011/3/15/ColdFusion-Now-Supporting-JDK-16024-To-Address-Oracle-Security-Alert

On 04/12/2011 at 5:43:45 PM EDT Doug wrote:
4
So I followed your link and... well I'm not sure what to download? I tried JRE but that just caused my CF service to fail on restart.

Which one does ColdFusion use? JDK? Java EE? The desktop version? Adobe's bulletin isn't much help either.

On 04/16/2011 at 2:00:37 PM EDT Mike Parnham wrote:
5
@Doug- check out http://kb2.adobe.com/cps/547/2d547983.html

They note there "ColdFusion requires the Java HotSpot Server virtual machine (jre/bin/server/jvm.dll), which is not available with the JRE download."

So you want to grab the JDK/SDK install- on this page: http://www.oracle.com/technetwork/java/javase/downloads/index.html Select the Download JDK button and you'll be good. (Worked well for me the other day)
