You May Need to Reapply CF Security Hotfix CVE-2009-1877
Back in August Adobe released a series of ColdFusion security Hotfixes in security bulletin APSB09-12. One of the vulnerabilities that was supposed to be fixed was a Cross Site Scripting vulnerability that I found and reported to Adobe, known as CVE-2009-1877.
When the hotfix was released I tested it, and found that they didn't fully fix the issue. I reported this back to Adobe, they confirmed that the hotfix was not complete, and came back with another hotfix for me to test within a few days. I confirmed that it was fixed, and waited for Adobe to issue another security bulletin.
Two months go by, and still no bulletin, so I emailed the Adobe security team last week to get a status update. They told me that they updated the hotfix on August 20th. The APSB09-12 page made no mention of this update in the Revisions section. They quickly updated that to show that hotfix was updated, I suggested that they release another security bulletin for the folks that installed the update right away, but they let me know they have no intention of doing that.
To make a long story short, if you installed the security hotfixes when they first were released you need to reapply Hotfix CVE-2009-1877.
If you aren't sure when you installed it you can use my free Hack My CF service to test your server. It will let you know you need to apply Hotfix CVE-2009-1877 again.
Links for hotfix CVE-2009-1877 can be found here:
- HackMyCF Updated for APSB11-29 Security Hotfix - December 15, 2011
- Adobe eSeminar on FuseGuard - October 26, 2011
- Determining Which Cumulative Hotfixes are Installed on ColdFusion - September 20, 2011
- Recent ColdFusion Security Hotfix Updated Today - March 7, 2011
- Path Traversal Vulnerability Security Hotfix for ColdFusion Released - August 12, 2010
- Updating Java on ColdFusion or Lucee
- ColdFusion returning empty response with server-error: true
- Careful applying CF11u16, CF2016u8, CF2018u2
- Sessions don't work in Chrome but do in IE
- csrfVerifyToken does not invalidate the token
- The cf_sql_ is optional in cfqueryparam
- Cookie Expires / Max-Age 1969-12-31T23:59:59.000Z
- Burst Throttling on AWS API Gateway Explained