ColdFusion wsconfig Hotfix CVE-2009-1876 is for Apache Only

August 20, 2009

There has been some confusion over the ColdFusion web server connector (wsconfig.jar) hotfix CVE-2009-1876, which is part of Adobe Security Bulletin APSB09-12.

Many people have asked whether this hotfix is required on IIS. This was finally clarified in a comment on Ben Forta's blog, where Adobe engineer Asha states:

Hotfix CVE-2009-1876 is only if you are using Apache as webserver; it is not required if you are using IIS.

Granted, it would be nice to have a statement that clear in the Adobe Security Bulletin. Regardless, I would hold off on trying to install this hotfix if you are running IIS. I've heard reports of IIS getting screwed up.

I've also heard various reports about this hotfix not working properly on 64-bit Mac OS X (it tries to install the 32-bit connector, which won't work if you have 64-bit Apache).

The workaround, instead of using the wsconfig command, is to unzip the wsconfig.jar file, then look in connectors/apache/{your.os}/prebuilt/ (where {your.os} could be a folder named intel-macosx64, for example) and copy the proper .so file into your {cf.root}/lib/wsconfig/1 directory (make a backup of the existing files first), then restart Apache. Credit for that goes to Andy Allen on Twitter.
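
The manual steps above as a shell sketch; this is an added example, not code from Adobe or from the original post. The function names, argument order, backup directory naming and the `CF_ROOT` variable are assumptions, and the script copies every .so in the chosen prebuilt folder rather than naming a specific file.

```shell
#!/bin/sh
# Added example: manual connector swap for the Apache wsconfig hotfix.
# Function names, argument order and backup naming are assumptions.

# extract_jar JAR DEST: a .jar is a zip archive, so unzip can unpack it.
extract_jar() {
    mkdir -p "$2" && unzip -q -o "$1" -d "$2"
}

# install_connector EXTRACTED_DIR OS_FOLDER TARGET_DIR
#   EXTRACTED_DIR  directory where wsconfig.jar was unzipped
#   OS_FOLDER      folder under connectors/apache/, e.g. intel-macosx64
#   TARGET_DIR     {cf.root}/lib/wsconfig/1
# Prints the backup directory on success, returns non-zero on any failure.
install_connector() {
    src="$1/connectors/apache/$2/prebuilt"
    target="$3"
    [ -d "$src" ] || { echo "no prebuilt folder: $src" >&2; return 1; }
    [ -d "$target" ] || { echo "no connector directory: $target" >&2; return 1; }

    # Stop if the chosen OS folder holds no .so files at all.
    set -- "$src"/*.so
    [ -e "$1" ] || { echo "no .so files in $src" >&2; return 1; }

    # Back up the whole connector directory before overwriting anything.
    backup="$target.bak.$(date +%Y%m%d%H%M%S)"
    [ ! -e "$backup" ] || { echo "backup exists: $backup" >&2; return 1; }
    cp -Rp "$target" "$backup" || return 1

    for so in "$@"; do
        cp -p "$so" "$target/" || return 1
        # Confirm the installed file matches the one from the jar.
        cmp -s "$so" "$target/$(basename "$so")" || return 1
    done
    echo "$backup"
}

# Usage (restart Apache afterwards):
#   extract_jar wsconfig.jar /tmp/wsconfig
#   install_connector /tmp/wsconfig intel-macosx64 "$CF_ROOT/lib/wsconfig/1"
```

If Apache fails to load the module after the restart, copy the files from the printed backup directory back into place.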



Pete, thanks for posting this and referencing it on Ben's blog.
I ran that hotfix on our dev server (anyone running them on prd without testing elsewhere first is crazy!). Surprisingly, it worked even though I was totally stumped by the readme file referencing only Apache. Thankfully I took the decision not to apply 1876 to the prd servers. While it's good to get security hotfixes, I'm not impressed by Adobe's documentation or the duplicate .jar files. Just 10 minutes more effort on their part would have made all 7 hotfixes less confusing. I hope it hasn't deterred people from applying them.

I know this is an old post but I thought it was worth noting that the mod_jrun compiled from wsconfig.jar is a pretty broken implementation. Apache will not support mod_gzip compression out of the box. You can correct it using my notes here:
