ColdFusion Security Hotfixes Released
Adobe posted several critical hotfixes for ColdFusion and JRun yesterday in Security Bulletin APSB09-12.
I discovered one of the XSS vulnerabilities, and I will post details about it soon. In the meantime, please patch your servers.
Thanks for the heads up. Ouch, so many fixes in one go makes it a bit of a nightmare (testing then applying to all servers). Hotfix 1873 is supposed to stop the viewing of any file on the server. e.g. http://[server]/server/[profile]/logging/logviewer.jsp?logfile=../../../../../../../boot.ini But a regular CF install doesn't include a file called logviewer.jsp. It also refers to a "runtime" directory but CF doesn't have one. Surely then this hotfix isn't necessary for CF installs, perhaps only users of a standalone JRun install? Hotfix 1876 does scary stuff in a cmd prompt with the Connector Upgrade. The readme only mentions the Apache web server so does that mean IIS users don't need to run it? I tried it on a test box with IIS and it ran okay. I'd love to know if this has been tested on a clustered IIS environment as it can take ages to get a cluster running smoothly. (Pete, I know you probably don't have the answers, just saying though.) Any idea which of the 7 hotfixes are the most relevant and critical to CF please? Adobe don't give any details away.
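An added example, not code from the post or from Adobe: a small Python check that scans common-log-format access logs (constructed sample lines below, with a hypothetical profile name `cfusion`) for requests to the logviewer.jsp path quoted in the comment above, flagging any `logfile` value that carries a directory-traversal sequence, including percent-encoded and double-encoded variants. It lets an administrator tell whether that endpoint was probed before the hotfix went on.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Aug/2009:10:01:02 -0400] "GET /index.cfm HTTP/1.1" 200 512
10.0.0.9 - - [20/Aug/2009:10:01:07 -0400] "GET /server/cfusion/logging/logviewer.jsp?logfile=../../../../../../../boot.ini HTTP/1.1" 200 2048
10.0.0.9 - - [20/Aug/2009:10:01:09 -0400] "GET /server/cfusion/logging/logviewer.jsp?logfile=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1024
10.0.0.7 - - [20/Aug/2009:10:02:00 -0400] "GET /server/cfusion/logging/logviewer.jsp?logfile=server.log HTTP/1.1" 200 4096
"""

# Pulls client IP, request target and status out of one common-log-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_logviewer_traversal(target: str) -> bool:
    """True if the request hits logviewer.jsp with '..' anywhere in the logfile path."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/logging/logviewer.jsp"):
        return False
    # parse_qs already decodes one layer; decode twice more so that
    # %2e%2e%2f and double-encoded %252e%252e%252f are both caught.
    for value in parse_qs(parts.query).get("logfile", []):
        decoded = unquote(unquote(value)).replace("\\", "/")
        if ".." in decoded.split("/"):
            return True
    return False


def find_traversal_attempts(log_text: str) -> list[dict]:
    """Return one record per log line that looks like a logviewer.jsp traversal probe."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_logviewer_traversal(m.group("target")):
            hits.append({"ip": m.group("ip"), "target": m.group("target"),
                         "status": m.group("status")})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} status={hit['status']} {hit['target']}")
```

A 200 status on a flagged line is the case worth investigating, since it suggests the file was actually served rather than rejected.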
Hi Gary, Those are all excellent questions, I will interject what I can but hopefully we can get some more info from Adobe. The hotfixes: CVE-2009-1872, CVE-2009-1877, CVE-2009-1875, and CVE-2009-1878 should apply to all ColdFusion customers. The hotfix CVE-2009-1876 may only apply to Apache, but that should be clarified by Adobe. The hotfix for CVE-2009-1873 and CVE-2009-1874 should apply to ColdFusion customers that have installed ColdFusion in multiserver mode (aka J2EE install) with JRun. So if you are using Standard edition you shouldn't have to worry about that one. I hope that helps clarify things a bit.
Thanks Pete. I'm running multi-instance mode. Still not certain about doing 1876. If there was more tech info about the security issue I would test to see if my installs are vulnerable and if there's another way to fix, e.g. at the firewall level.
CF8 on Windows XP with IIS 5.0: CVE-2009-1872 and CVE-2009-1877 worked fine. CVE-2009-1875 worked fine. CVE-2009-1876 broke CF twice - must only apply to Apache or later versions of IIS. CVE-2009-1878 installs, but the CF Admin does not register it. This seems to back up other reports that the guts of 1878 is actually 1875. Can anyone confirm the issues with CVE-2009-1878 as well as the wsconfig.jar upgrade for IIS please?
"CVE-2009-1878 installs, but the CF Admin does not register it. This seems to back up other reports that the guts of 1878 is actually 1875. Can anyone confirm the issues with CVE-2009-1878 as well as the wsconfig.jar upgrade for IIS please?" I have the same problem.
Guys, According to an Adobe Engineer the 1876 hotfix is for Apache Only, it is not required for IIS. I've posted some additional comments about that hotfix here: http://www.petefreitag.com/item/712.cfm
@Andrew if you are running standalone then you should not have to install 1873 or 1874, they are both for the JRun management console web application which typically runs on port 8000. You would not have that installed if you are running standard.