Pete Freitag Pete Freitag

ColdFusion Security Hotfixes Released

Published on August 18, 2009
By Pete Freitag
coldfusion

Adobe posted several critical security hotfixes for ColdFusion and JRun yesterday in Security Bulletin APSB09-12 (link no longer works: http://www.adobe.com/support/security/bulletins/apsb09-12.html).

I discovered one of the XSS vulnerabilities, and I will post details about it soon. In the mean time, please patch your servers.



security vulnerability coldfusion hotfix

ColdFusion Security Hotfixes Released was first published on August 18, 2009.

If you like reading about security, vulnerability, coldfusion, or hotfix then you might also like:

Fixinator

The Fixinator Code Security Scanner for ColdFusion & CFML is an easy to use security tool that every CF developer can use. It can also easily integrate into CI for automatic scanning on every commit.


Try Fixinator

CFBreak
The weekly newsletter for the CFML Community


Comments

Thanks for the heads up. Ouch, so many fixes in one go makes it a bit of a nightmare (testing then applying to all servers).

Hotfix 1873 is supposed to stop the viewing of any file on the server. e.g. http://[server]/server/[profile]/logging/logviewer.jsp?logfile=../../../../../../../boot.ini

But a regular CF install doesn't include a file called logviewer.jsp. It also refers to a "runtime" directory but CF does't have one. Surely then this hotfix isn't necessary for CF installs, perhaps only users of a standalone JRun install?

Hotfix 1876 does scary stuff in a cmd prompt with the Connector Upgrade. The readme only mentions the Apache web server so does that mean IIS users don't need to run it? I tried it on a test box with IIS and it ran okay. I'd love to know if this has been tested on a clustered IIS environment as it can takes ages to get a cluster running smoothly. (Pete, I know you probably don't have the answers, just saying though.)

Any idea which of the 7 hotfixes are the most relevant and critical to CF please? Adobe don't give any details away.
by Gary F on 08/18/2009 at 4:34:44 PM UTC
Hi Gary,

Those are all excellent questions, I will interject what I can but hopefully we can get some more info from Adobe.

The hotfixes: CVE-2009-1872, CVE-2009-1877, CVE-2009-1875, and CVE-2009-1878 should apply to all ColdFusion customers.

The hotfix CVE-2009-1876 may only apply to Apache, but that should be clarified by Adobe.

The hotfix for CVE-2009-1873 and CVE-2009-1874 should apply to ColdFusion customers that have installed ColdFusion in multiserver mode (aka J2EE install) with JRun. So if you are using Standard edition you shouldn't have to worry about that one.

I hope that helps clarify things a bit.
by Pete Freitag on 08/18/2009 at 6:12:38 PM UTC
Thanks Pete. I'm running multi instance mode. Still not certain about doing 1876. If there was more tech info about the security issue I would test to see if my installs are vulnerable and if there's another way to fix. e.g. at the firewall level.
by Gary F on 08/18/2009 at 6:41:37 PM UTC
CF8 on Windows XP with IIS 5.0:
CVE-2009-1872 and CVE-2009-1877 worked fine.

CVE-2009-1875 worked fine.

CVE-2009-1876 broke CF twice - must only apply to Apache or later versions of IIS.

CVE-2009-1878 installs, but the CF Admin does not register it. This seems to back up other reports that the guts of 1878 is actually 1875.

Can anyone confirm the issues with
CVE-2009-1878 as well as the wsconfig.jar upgrade for IIS please?
by Dave Hannum on 08/19/2009 at 8:42:50 AM UTC
"CVE-2009-1878 installs, but the CF Admin does not register it. This seems to back up other reports that the guts of 1878 is actually 1875.

Can anyone confirm the issues with CVE-2009-1878 as well as the wsconfig.jar upgrade for IIS please?"

I have the same problem.
by Mark Hoffman on 08/19/2009 at 9:31:07 AM UTC
Guys, According to an Adobe Engineer the 1876 hotfix is for Apache Only, it is not required for IIS.

I've posted some additional comments about that hotfix here: http://www.petefreitag.com/item/712.cfm
by Pete Freitag on 08/20/2009 at 9:11:12 AM UTC
@Andrew if you are running standalone then you should not have to install 1873 or 1874, they are both for the JRun management console web application which typically runs on port 8000. You would not have that installed if you are running standard.
by Pete Freitag on 10/21/2009 at 6:50:30 AM UTC