Sunday, March 21, 2010    
Home My Books Blog ColdFusion About Me Back    

Calendar
<< Aug 2009 >>
S M T W T F S
            1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30 31          

Search

Categories
 • Acrobat (3) [RSS]
 • Adobe (90) [RSS]
 • AdobeMAX06 (45) [RSS]
 • AdobeMAX07 (59) [RSS]
 • AdobeMAX08 (66) [RSS]
 • AdobeMAX09 (39) [RSS]
 • AdobeMAX10 (1) [RSS]
 • AIR (219) [RSS]
 • Appearances (191) [RSS]
 • Books (72) [RSS]
 • CFEclipse (15) [RSS]
 • ColdFusion (1381) [RSS]
 • Data Services (34) [RSS]
 • Fish Tank (5) [RSS]
 • Flash (197) [RSS]
 • Flex (498) [RSS]
 • Home Automation (5) [RSS]
 • Jobs (116) [RSS]
 • JRun (14) [RSS]
 • Labs (43) [RSS]
 • LiveCycle (34) [RSS]
 • MAX (232) [RSS]
 • Mobile (120) [RSS]
 • Regular Expressions (17) [RSS]
 • RIA (21) [RSS]
 • SQL (40) [RSS]
 • Stuff (536) [RSS]
 • Tips (CF Studio) (80) [RSS]
 • Tips (CF) (795) [RSS]
 • Tips (Dreamweaver) (91) [RSS]
 • Tips (Flex Builder) (2) [RSS]
 • Using CF (162) [RSS]

Other BLOGs
 • Charlie Arehart
 • Lee Brimelow
 • Ray Camden
 • Christophe Coenraets
 • Sean Corfield
 • Mihai Corlan
 • Cornel Creanga
 • Mark Doherty
 • John Dowdell
 • Danny Dura
 • Enrique Duvos
 • Steven Erat
 • Kevin Hoyt
 • Serge Jespers
 • Adam Lehman
 • Duane Nickull
 • Miti Pricope
 • Andrew Shorten
 • Ryan Stewart
 • James Ward
 • Greg Wilson
 • Full As A Goog

RSS Feeds
 • Feed
 • Subscribe

Join my mailing list and find out about new books and other topics of interest.
Thoughts, ideas, tips, musings, and pontifications (not necessarily in that order) by Ben Forta ...
NOTE: This is my personal blog, and the opinions and statements voiced here are my own.

Viewing By Entry / Main
August 17, 2009

ColdFusion And JRun Security Hotfixes Posted

Posted At : 2:04 PM
Related Categories: JRun : ColdFusion :

Security hotfixes have been posted for ColdFusion and JRun.

Comments (39) | Trackbacks (0) | Print | Send | del.icio.us | Linking Blogs
TrackBacks
There are no trackbacks for this entry.

No trackback URL. Trackbacks are only allowed via interactive form.

[Add Trackback]
Comments
[Add Comment] [Subscribe to Comments]
1. The zip file for CVE-2009-1873 and CVE-2009-1874 hotfixes contains the file jmc-app.war, not jmc-app.ear. Is this an error or is there something else we need to do? (We are using CF 8.0.1, and not JRun directly. I'm assuming we still need to apply the hotfix?)

2. CVE-2009-1876 instructions only mention Apache. Should this hotfix be applied if we are running IIS (specifically IIS7)?

Thanks. Can't find any information about the hotfixes other than the link you posted.
# Posted By Jason | 8/18/09 10:35 AM
I can't run this update command on Windows. Am I missing something?

Includes fix for CVE-2009-1876.

Steps to deploy this hotfix :

1) Backup the existing {cf_root}runtime\lib\wsconfig.jar to wsconfig.jar.bu.
2) Download the hot fix (wsconfig.jar - 2.9 MB).
3) Stop all ColdFusion servers and Apache webserver.
4) Copy the downloaded wsconfig.jar to {cf_root}runtime\lib .
5) Navigate to the {cf_root}\runtime\lib directory and run the connector upgrade:
cd {cf_root}\runtime\lib
java -Dtrace.ci=1 -jar wsconfig.jar -upgrade -v
6) Make sure the upgrade completed successfully.
7)Inspect {cf_root}\runtime\lib\wsconfig\wsconfig.log for errors
8) java -jar wsconfig.jar -info
The command should return, "Macromedia JRun 4.0 (Build 108785)".
9)Start the ColdFusion servers and apache webserver.
# Posted By Steve | 8/18/09 12:03 PM
hf801-1875.jar for CVE-2009-1875 and hf801-1878.jar for CVE-2009-1878 are the same byte for byte. I assume if you deploy CVE-2009-1875 you don't need to deploy CVE-2009-1878
# Posted By Marc | 8/18/09 1:35 PM
I wish Adobe can notify us by email.
Not everyone follow blogs for hotfixes like these...
# Posted By Henry Ho | 8/18/09 6:32 PM
I did a byte-for-byte file comparison between 1875 and 1878 jar files too - yes they are identical! Seems pointless in deploying them both, especially since they were released at the same time.

1876 is an odd one. It only refers to Apache web server (not IIS) so does that mean it doesn't need to be installed if you run IIS? (I ran it on a test server with IIS and it seemed to patch okay) and also refers to a "runtime" directory which doesn't contain a "lib" directory. Very odd. Running the connector update from a cmd prompt is scary, we don't know if this could risk upsetting a CF/IIS cluster.

Thank heavens for blogs otherwise CF devs & admins wouldn't have known about the security issues or where to get the fixes from. What have Adobe got against an update and security mailing list? Maybe in CF10 the CF Administrator can check for updates once a day and notify the administrator? Quite a few server apps are doing that these days.
# Posted By Gary Fenton | 8/18/09 8:10 PM
@Henry You can sign up to receive Adobe Security Alerts here: http://www.adobe.com/cfusion/entitlement/index.cfm...

@Steve - It is probably saying that the java command was not found, you can typically find java.exe in /runtime/jre/bin/ under your ColdFusion root directory.
# Posted By Pete Freitag | 8/18/09 8:25 PM
Adobe couldn't have produced a proper installer?
# Posted By theo den brinker | 8/19/09 12:46 AM
The wsconfig update broke my install. Only totally blank pages return now, including in the CFAdmin. Can I roll this back and start again?
# Posted By Dave Hannum | 8/19/09 9:15 AM
The wsconfig patch flat out does not work on my Dev box. XP Prof / IIS 5.1 / CF 8.0.1.
I backed it off and things were back to normal.
Ran the upgrade again and it's broke again.
Suggestions?
# Posted By Dave Hannum | 8/19/09 9:37 AM
I've run the hf801-1878.jar hot fix twice now, and after restarting CF, it is not reflected in the CF Administrator.
It still shows: Update Level /C:/ColdFusion8/lib/updates/hf801-1875.jar
This seems to uphold the earlier post by Gary Fenton that the two hot fixes are the same one. Looks as if hf801-1878.jar has the contents of hf801-1875.jar ??????
# Posted By Dave Hannum | 8/19/09 10:01 AM
@Pete Freitag - that did the trick, thanks!

@theo den brinker - I'm with you. This is a harsh way to apply these patches.

@Dave Hannum - the possibility that one of these patches could kill a production server is my worst nightmare!
# Posted By Steve | 8/19/09 10:28 AM
Thanks for the comments guys. Most users are not reporting issues with the hot fixes, but the fact that some are is very worrying. I have asked the engineering lead to take a look at this. Stay tuned.

--- Ben
# Posted By Ben Forta | 8/19/09 10:39 AM
The hotfix CVE-2009-1876 is only for apache and not for IIS.
# Posted By Asha | 8/19/09 11:15 AM
Yes the hotfix jar provided for 1875 and 1878 are the same , applying one jar should serve the purpose for both.
# Posted By Asha | 8/19/09 12:10 PM
@Asha:

The zip file for CVE-2009-1873 and CVE-2009-1874 hotfixes contains the file jmc-app.war, not jmc-app.ear. Is this an error or is there something else we need to do?

We are using CF 8.0.1 and not JRun directly. Do we still need to apply the hotfix?
# Posted By Jason | 8/19/09 12:50 PM
I had the same issue as Dave Hannum. After I installed wsconfig (CVE-2009-1876) on my dev machine (XP Pro SP2 / IIS 5.1 / CF 8.0.1) CF only returned blank pages but the CF pages still ran in the background (ex a page that required you to be logged in redirected to our login page although that was blank too).
Everything seems fine after I installed wsconfig (CVE-2009-1876) on Windows Server 2003 SP2, do I need to roll back to the old version of wsconfig because the update is only intended for Apache?

It would be very helpful if Adobe would update the security bulletin and readme files with the OS and software configurations that CVE-2009-1873, CVE-2009-1874, and CVE-2009-1876 apply to.
# Posted By Marc | 8/19/09 2:11 PM
I had the exact same issue as Dave, completely blank pages after the wsconfig update on my test server. Luckily backing it out brought CF back. Definitely test that one on an exact duplicate of your production box before deploying it.
# Posted By Kevin Knoepp | 8/19/09 2:12 PM
@Jason Yeah i checked that link and we will be correcting it but for now you can just rename the downloaded jmc-app.zip to jmc-app.ear.You will require this if you have a multiserver installation
i.e you have jmc-app.ear deployed in JRun4\servers\admin.
# Posted By Asha | 8/20/09 12:17 AM
hotfix CVE-2009-1876 is only if you are using Apache as webserver it is not required if you are using IIS.
# Posted By Asha | 8/20/09 12:19 AM
@Marc you dont need that hotfix since you are IIS.
@Kevin Can you please reconfigure apache after replacing the wsconfig.jar and try again and let me know.While reconfiguring apache can you please enable verbose logging also.
Steps to follow -
1)Stop Apache
2)Replace wsconfig.jar
3)Start Apache
4)Reconfigure Apache as webserver with verbose logging enabled.

Please let me know if you are still facing an issue.If yes please send me an email directly with the verbose logs and your configuration details - my email id asha@adobe.com.
# Posted By Asha | 8/20/09 12:26 AM
Ben and Asha why can't Adobe provide a more coherent update bulletin? 5 updates with instructions spread across mulitple text files and hotfixes that may or may not be applicable to your plus some hotfixes that are the same but renamed does not make a CF server administrator life very easy ;).

I found this great blog post which had compiled all the instructions and download links and made it easier to print out and follow:
http://www.coldfusionsecurity.org/post.cfm/help-ap...

Why couldn't Adobe have done something like this themselves? Next time can I suggest:
- you package all updates for the bulletin into zip files applicable to each version.
- if a hotfix is only applicable to a certain web server clearly note this on the bulletin.
- for a big update like this please compile all instructions into a file for each CF version (if they are different) check the cf security site above for an example.
- package update installers? I know this may be a pipe dream but if you make it hard for people to patch they won't and this could lead to CF getting a bad name as being insecure as more and more critical updates are ignored.

Please take this as a little constructive critisism from a CF server admin.
Cheers, Steve.
# Posted By Steve | 8/20/09 3:55 AM
@Asha This was on an instance of CF running with IIS.

Rather than saying "it is not required if you are using IIS." you should say "Apache only, It will break your server if you are running IIS"

Reading the instructions I saw the references to Apache but it was not clear the patch was Apache only.
# Posted By Kevin K | 8/20/09 9:51 AM
After installing all hotfixes yesterday (exept CVE-2009-1873 and CVE-2009-1874) we have a lot of "null null <br>The error occurred on line -1. " errors in our log ("StackTrace: java.lang.NullPointerException", "Type: Coldfusion.runtime.CfErrorWrapper"). Anyone else getting those errors? How can I get more information about whats going wrong?
OS: Win2003; CF 7; IIS
I'll uninstall CVE-2009-1876 tonight (we are running iis).
Thanks for any help!
# Posted By Andreas | 8/20/09 10:37 AM
For 1876, if I have VirtualHosts on Apache each using it's own wsconfig connection to their CF instance, do I need to run the wsconfig.jar file once and copy the updated mod_jrun22.so to each of the remaining folders under <cf_root>/lib/wsconfig? Also, I've read on other blogs that folks with 64-bit installations are having some difficulty. Is the wsconfig.jar file to be downloaded for 32 or 64 bit?
# Posted By Phil Duba | 8/20/09 11:01 AM
@Phil - From what I've heard the wsconfig tool will attempt to install the 32 bit apache module on a Mac OSX 64 bit Apache, I don't know if that is the case for other OS's as well. The wsconfig.jar does indeed contain the apache module .so files for 64 bit Apache versions on various OS's, I've posted some additional details about this hotfix on my blog here: http://www.petefreitag.com/item/712.cfm
# Posted By Pete Freitag | 8/20/09 11:17 AM
I note Ben's comment below. Some people will figure out solutions to these issues and not report a problem, others will not bother to apply the fix
if it looks risky because of poor instructions. I also found the reference to apache in 1876 confusing. While it looks like someone's not generalised
the instructions from the system they tested on, that may not be the case. Does the fix only apply to those using apache? It's just not clear.
Most of us developers have done this sort of thing with documentation and I appreciate the fixes being provided, but I think we need the extra 5%
effort to tidy up the instructions.

I can't find jmc-app.ear or .war for that matter on my system. While I suspect that instructions assume an install requiring a separate Jrun server
and so a Jrun management console, it's just not made clear.

I echo the comment already posted that no one wants to break their production system with a security patch.

Thanks for the comments guys. Most users are not reporting issues with the hot fixes, but the fact that some are is very worrying. I have asked the engineering lead to take a look at this. Stay tuned.

--- Ben
# Posted By Tony Gallacher | 8/21/09 5:07 AM
I uninstalled CVE-2009-1876 tonight and the "null null"-errors are gone... how did this hotfix (esp. the howto) pass any quality check? ;)
Is it correct to copy back the wsconfig.jar an re-run 'java -Dtrace.ci=1 -jar wsconfig.jar -upgrade -v' to uninstall the hotfix? Will this affect any other hotfixes? (do I need to reinstall any other hotfix again?)
System: Win2003; IIS; CF7 (Update Level: "/C:/CFusionMX7/lib/updates/hf702-1875.jar")
Any help would be appreciated!
# Posted By Andreas | 8/21/09 8:33 AM
I agree with the comments above regarding packing them into one installer, or making the page easier to navigate the multiple updates.

There seem to be several security patches recently released. Could we get a rollup for an 8.0.2 release?
# Posted By Gadi | 8/21/09 10:43 AM
I second Gadi's suggestion of having these put into an 8.0.2 rollup (along with the other previous patches/fixes released after 8.0.1). This is downwright nervewracking to not know what might be breaking on critical production servers.
# Posted By Matt F. | 8/21/09 12:22 PM
I'm still very unclear about how critical this patch is if the entire /cfide/ folder is locked down/restricted to a local IP in a server configuration - how can anyone access the vulnerable scripts if the webserver wont allow access to it?
# Posted By Jon Briccetti | 8/21/09 3:15 PM
Please verify that _logintowizard.cfm is in the cfide8.0.1.zip. When I download the zip file the _logintowizard.cfmf file is missing. I need to make sure that it is not being stripped out when I download the zip.
# Posted By Tim | 8/24/09 1:37 PM
Never mind. I found an uncorrupted zip file with the _logintowizard.cfm in the cfide8.0.1.zip here: http://secunia.com/advisories/36329/
# Posted By Tim | 8/24/09 2:39 PM
for 8.01. Updates. Tim - Not seeing the missing _logintowizard.cfm on the cfide8.0.1.zip from the adobe site as well. The zip file link is

http://download.macromedia.com/pub/coldfusion/upda...

other sites show

http://download.macromedia.com/pub/coldfusion/upda... as the correct zip which is larger and contains the _logintowizard.cfm

Can someone from Adobe please check and verify which is the correct download. Thank You

It wouldn't be a bad idea to show the updated files and dates/versions as well.
# Posted By Adam | 8/24/09 3:08 PM
I'd like to see this fixed as well. I got the notice from Adobe that there is this security risk and followed the instructions for the patch, but the patch file simply doesn't have all the files. I've posted in the adobe discussion area as well and so far no official answer. Also, I'm after the 7.x patch file rather than the 8.x file. The 7.x patch was missing the _logintowizard.cfm file as well.
# Posted By Brad | 8/25/09 12:20 PM
Adobe has silently fixed the CVE-2009-1872 and CVE-2009-1877 hotfix, which the previous one was missing "_logintowizard.cfm."

CVE-2009-1872 and CVE-2009-1877 Hotfix for ColdFusion 7.0.2
http://download.macromedia.com/pub/coldfusion/upda...

CVE-2009-1872 and CVE-2009-1877 Hotfix for ColdFusion 8
http://download.macromedia.com/pub/coldfusion/upda...

CVE-2009-1872 and CVE-2009-1877 Hotfix for ColdFusion 8.0.1
http://download.macromedia.com/pub/coldfusion/upda...
# Posted By AXL | 8/27/09 9:01 AM
I'm trying to install 1878. I had to install jre first, so I installed the lates available version. I was able to run the install easilly on my dev server, but the "Select File on the Server - Retrieving initial directories ..." message in the download window never maeks it to showing any directories. I had IE 6 on the dev server but it's IE 8 on the prod; IE 8, IE 8 compatibility, and Firefox 3017 all display the same behavior.
# Posted By Forrest | 9/4/09 10:49 AM
@Forrest
If you disabled flex remoting that also disables the “browse server” functionality. You have to paste the full path in the “Update File” text box and click “submit changes” to upload a .jar file on the System Information page.
# Posted By Marc | 9/4/09 12:47 PM
d'oh ... you can lead a sysadmin to a gui but you can't make him think. I knew there had to be a way to do that, but it was too easy. Thanks.
# Posted By Forrest | 9/4/09 1:59 PM
I sure don't understand how CF works. I'm trying to install the patch for CVE-2009-1876 but this command won't work

java -Dtrace.ci=1 -jar wsconfig.jar -upgrade -v

Because there is no java file on my system. Can I just install the latest java? I have no idea how this has been running for a year without it.
# Posted By Chris Griffin | 11/20/09 10:14 AM
[Add Comment]

  © Copyright 1997-2009 Ben Forta, All Rights Reserved