Pete Freitag Pete Freitag

ColdFusion wsconfig Hotfix CVE-2009-1876 is for Apache Only

Published on August 20, 2009
By Pete Freitag

There has been some confusion over the ColdFusion web server connector (wsconfig.jar) hotfix CVE-2009-1876 which is part of Adobe Security Bulletin APSB09-12.

Whether or not this hotfix is required on IIS has been a question posed by many. This was finally clarified in comment on Ben Forta's Blog, Adobe Engineer Asha states:

Hotfix CVE-2009-1876 is only if you are using Apache as webserver it is not required if you are using IIS.

Granted it would be nice to have a statement that clear in the Adobe Security Bulletin, regardless I would hold off on trying to install this hotfix if you are running IIS. I've heard reports of IIS getting screwed up.

I've heard other various reports about this hotfix not working properly on Mac OSX 64 bit (it tries to install the 32 bit connector, which won't work if you have 64 bit Apache).

The workaround to using the wsconfig command is to unzip the wsconfig.jar file, then look in connectors/apache/{your.os}/prebuilt/ (where {your.os} could be a folder named intel-macosx64 for example) and copy the proper .so file into your {cf.root}/lib/wsconfig/1 directory (make a backup of existing files first), then restart Apache. Credit for that via Andy Allen on Twitter.

coldfusion hotfix security apache iis

ColdFusion wsconfig Hotfix CVE-2009-1876 is for Apache Only was first published on August 20, 2009.

If you like reading about coldfusion, hotfix, security, apache, or iis then you might also like:

FuseGuard Web App Firewall for ColdFusion

The FuseGuard Web Application Firewall for ColdFusion & CFML is a high performance, customizable engine that blocks various attacks against your ColdFusion applications.

The weekly newsletter for the CFML Community


Pete, thanks for posting this and referencing it on Ben's blog.
by Phil Duba on 08/21/2009 at 12:14:15 PM UTC
I ran that hotfix on our dev server (anyone running them on prd without testing elsewhere first is crazy!)

Surprisingly it worked even though I was totally stumped by the readme file referencing only Apache. Thankfully I took the decision not to apply 1876 to the prd servers. While it's good to get security hotfixes I'm not impressed by Adobe's documentation or the duplicate .jar files. Just 10 minutes more effort on their part would have made all 7 hotfixes less confusing. I hope it hasn't deterred people from applying them.
by Gary F on 08/21/2009 at 4:50:50 PM UTC
I know this is an old post but I thought it was worth noting that the mod_jrun compiled from wsconfig.jar is a prett broken implementation. Apache will not support mod_gzip compression out of the box. You can correct it using my notes here:
by Brian G on 04/17/2012 at 2:11:03 AM UTC