Pete Freitag

Setup ColdFusion 9.0.1 Fully Patched

coldfusion

Adobe this week released a security hotfix for the HashDos vulnerability for ColdFusion versions 8.0 through 9.0.1. Today I was setting up a new secure ColdFusion instance for a client, and I thought I'd document the steps needed to go from ColdFusion 9.0 to ColdFusion 9.0.1 fully patched. This doesn't include other lockdown steps I may take; it is focused only on which patches to install.

  1. Install ColdFusion 9.0 - If you are running on IIS7, you may want to skip the Web Server Connector, and do it manually after the next step (so you can skip installing IIS6 compatibility mode).
  2. Install ColdFusion 9.0.1
  3. Configure IIS7 using wsconfig - If you are running IIS7 you can now use the native IIS7 connector provided in the ColdFusion 9.0.1 update, run {cf-root}/runtime/bin/wsconfig.exe
  4. Install ColdFusion 9.0.1 Cumulative Hotfix 2 - This includes all security hotfixes prior to and including APSB11-14.
  5. Install APSB12-21 September 2012 Using Section 1 - This hotfix includes prior security hotfixes such as APSB11-29, APSB12-06, and APSB12-15. We know this because the instructions tell you to delete the prior hotfix jars hf901-00001.jar, hf901-00002.jar, hf901-00003.jar, hf901-00004.jar and hf901-00005.jar if they exist.
  6. Check with Adobe Security to make sure no hotfixes were posted prior to September 11, 2012 (when this page was last updated)
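As an added check that is not part of the original post, the Python script below audits a ColdFusion hotfix directory for the superseded 9.0.1 hotfix jars (hf901-00001.jar through hf901-00005.jar) that the APSB12-21 instructions quoted above say to delete. It assumes the hotfix jars live in {cf-root}/lib/updates (the post does not state the path), and the directory listing it scans in `demo()` is constructed, including the non-hotfix `custom-lib.jar` and an 8.0.1-style `hf801-00001.jar` name used only to show that other versions are parsed but not flagged.

```python
import os
import re
import tempfile

# Naming pattern of ColdFusion 9.0.1 hotfix jars, e.g. hf901-00003.jar
HOTFIX_RE = re.compile(r"^hf(?P<version>\d{3})-(?P<number>\d{5})\.jar$", re.IGNORECASE)

# Jars the APSB12-21 instructions (quoted in the post) say to delete before installing it.
SUPERSEDED_BY_APSB12_21 = {f"hf901-{n:05d}.jar" for n in range(1, 6)}


def parse_hotfix_jar(name):
    """Return (version, number) for a hotfix jar name, or None if it is not one."""
    m = HOTFIX_RE.match(name)
    if not m:
        return None
    return m.group("version"), int(m.group("number"))


def find_superseded(jar_names):
    """Return the sorted superseded 9.0.1 hotfix jars present in a listing (case-insensitive)."""
    present = {n.lower() for n in jar_names}
    return sorted(present & SUPERSEDED_BY_APSB12_21)


def audit_updates_dir(updates_dir):
    """Scan a hotfix directory (assumed {cf-root}/lib/updates) and classify the jars found."""
    names = [f for f in os.listdir(updates_dir) if f.lower().endswith(".jar")]
    parsed = {n: parse_hotfix_jar(n) for n in names}
    return {
        "hotfix_jars": sorted(n for n, p in parsed.items() if p),
        "superseded": find_superseded(names),
        "unrecognised_jars": sorted(n for n, p in parsed.items() if p is None),
    }


def demo():
    """Constructed example: an updates dir with two superseded jars still in place."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("hf901-00002.jar", "hf901-00005.jar", "hf801-00001.jar",
                     "custom-lib.jar", "README.txt"):
            open(os.path.join(d, name), "w").close()
        return audit_updates_dir(d)


if __name__ == "__main__":
    report = demo()
    for key, value in report.items():
        print(f"{key}: {value}")
```

Point `audit_updates_dir()` at a real server's updates directory to see which superseded jars are still present; a non-empty `superseded` list after applying APSB12-21 means the Section 1 cleanup step was missed.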

I have updated this page several times as new hotfixes are released for CF 9.0.1, so you may consider bookmarking this page.

If you are not sure what hotfixes you have installed our HackMyCF paid service can let you know which hotfixes are installed and which are not on CF 9.0.1 - here's a screenshot showing an out of date server:

HackMyCF Screenshot

What about ColdFusion 9.0.2?

As you may know ColdFusion 9.0.2 is the latest version of ColdFusion that you can download - it includes all security patches (up to and including APSB12-15) out of the box. Once 9.0.2 is installed you will also need to install security hotfix APSB12-21.

Setup ColdFusion 9.0.1 Fully Patched was first published on March 16, 2012.

Comments

An easier way to patch ColdFusion 9.0.1 (and 8.0.1 for that matter) is to use Unofficial Updater 2.

https://github.com/dcepler/unofficial-updater2#readme
by David Epler on 03/18/2012 at 8:55:44 PM UTC

Which way should one go from release 9.0.1 hotfix 2:

APSB1215 for 9.0.1
http://www.adobe.com/support/security/bulletins/apsb12-15.html

OR

ColdFusion 9.0.2
http://helpx.adobe.com/coldfusion/release-note/coldfusion-9-0-update-2.html

They both seem to be released about the same time, but it appears as though 9.0.2 is the new fully patched install, true???
by markiejee on 07/16/2012 at 7:53:19 PM UTC

@markiejee if you do not need verity support I'd go with the 9.0.2 install, the 9.0.2 version also includes the June 2012 security hotfix so there are no patches to install currently (that could change in the future of course): http://blogs.coldfusion.com/post.cfm/security-hot-fix-for-coldfusion-june-2012
by Pete Freitag on 08/28/2012 at 1:52:42 PM UTC