
17 Aug 2009
ColdFusion And JRun Security Hotfixes Posted

Security hotfixes have been posted for ColdFusion and JRun.

Comments (41)



  • Jason

    1. The zip file for CVE-2009-1873 and CVE-2009-1874 hotfixes contains the file jmc-app.war, not jmc-app.ear. Is this an error or is there something else we need to do? (We are using CF 8.0.1, and not JRun directly. I'm assuming we still need to apply the hotfix?)

    2. CVE-2009-1876 instructions only mention Apache. Should this hotfix be applied if we are running IIS (specifically IIS7)?

    Thanks. Can't find any information about the hotfixes other than the link you posted.

    #1 Posted by Jason | Aug 18, 2009, 10:35 AM
  • Steve

    I can't run this update command on Windows. Am I missing something?

    Includes fix for CVE-2009-1876.

    Steps to deploy this hotfix :

    1) Backup the existing {cf_root}runtime\lib\wsconfig.jar to wsconfig.jar.bu.
    2) Download the hot fix (wsconfig.jar - 2.9 MB).
    3) Stop all ColdFusion servers and Apache webserver.
    4) Copy the downloaded wsconfig.jar to {cf_root}runtime\lib .
    5) Navigate to the {cf_root}\runtime\lib directory and run the connector upgrade:
    cd {cf_root}\runtime\lib
    java -Dtrace.ci=1 -jar wsconfig.jar -upgrade -v
    6) Make sure the upgrade completed successfully.
    7) Inspect {cf_root}\runtime\lib\wsconfig\wsconfig.log for errors
    8) java -jar wsconfig.jar -info
    The command should return, "Macromedia JRun 4.0 (Build 108785)".
    9) Start the ColdFusion servers and Apache webserver.

    #2 Posted by Steve | Aug 18, 2009, 12:03 PM
  • Marc

    hf801-1875.jar for CVE-2009-1875 and hf801-1878.jar for CVE-2009-1878 are the same byte for byte. I assume if you deploy CVE-2009-1875 you don't need to deploy CVE-2009-1878.

    #3 Posted by Marc | Aug 18, 2009, 01:35 PM
  • Henry Ho

    I wish Adobe would notify us by email.
    Not everyone follows blogs for hotfixes like these...

    #4 Posted by Henry Ho | Aug 18, 2009, 06:32 PM
  • Gary Fenton

    I did a byte-for-byte file comparison between the 1875 and 1878 jar files too - yes, they are identical! Seems pointless to deploy them both, especially since they were released at the same time.

    1876 is an odd one. It only refers to Apache web server (not IIS) so does that mean it doesn't need to be installed if you run IIS? (I ran it on a test server with IIS and it seemed to patch okay) and also refers to a "runtime" directory which doesn't contain a "lib" directory. Very odd. Running the connector update from a cmd prompt is scary, we don't know if this could risk upsetting a CF/IIS cluster.

    Thank heavens for blogs otherwise CF devs & admins wouldn't have known about the security issues or where to get the fixes from. What have Adobe got against an update and security mailing list? Maybe in CF10 the CF Administrator can check for updates once a day and notify the administrator? Quite a few server apps are doing that these days.

    #5 Posted by Gary Fenton | Aug 18, 2009, 08:10 PM
  • Pete Freitag

    @Henry You can sign up to receive Adobe Security Alerts here: http://www.adobe.com/cfusion/entitlement/index.cfm...

    @Steve - It is probably saying that the java command was not found, you can typically find java.exe in /runtime/jre/bin/ under your ColdFusion root directory.

  • theo den brinker

    Adobe couldn't have produced a proper installer?

    #7 Posted by theo den brinker | Aug 19, 2009, 12:46 AM
  • Dave Hannum

    The wsconfig update broke my install. Only totally blank pages return now, including in the CFAdmin. Can I roll this back and start again?

  • Dave Hannum

    The wsconfig patch flat out does not work on my Dev box. XP Prof / IIS 5.1 / CF 8.0.1.
    I backed it off and things were back to normal.
    Ran the upgrade again and it's broke again.
    Suggestions?

  • Dave Hannum

    I've run the hf801-1878.jar hot fix twice now, and after restarting CF, it is not reflected in the CF Administrator.
    It still shows: Update Level /C:/ColdFusion8/lib/updates/hf801-1875.jar
    This seems to uphold the earlier post by Gary Fenton that the two hot fixes are the same one. Looks as if hf801-1878.jar has the contents of hf801-1875.jar ??????

  • Steve

    @Pete Freitag - that did the trick, thanks!

    @theo den brinker - I'm with you. This is a harsh way to apply these patches.

    @Dave Hannum - the possibility that one of these patches could kill a production server is my worst nightmare!

    #11 Posted by Steve | Aug 19, 2009, 10:28 AM
  • Ben Forta

    Thanks for the comments guys. Most users are not reporting issues with the hot fixes, but the fact that some are is very worrying. I have asked the engineering lead to take a look at this. Stay tuned.

    --- Ben

    #12 Posted by Ben Forta | Aug 19, 2009, 10:39 AM
  • Asha

    The hotfix CVE-2009-1876 is only for Apache and not for IIS.

    #13 Posted by Asha | Aug 19, 2009, 11:15 AM
  • Asha

    Yes, the hotfix jars provided for 1875 and 1878 are the same; applying one jar should serve the purpose for both.

    #14 Posted by Asha | Aug 19, 2009, 12:10 PM
  • Jason

    @Asha:

    The zip file for CVE-2009-1873 and CVE-2009-1874 hotfixes contains the file jmc-app.war, not jmc-app.ear. Is this an error or is there something else we need to do?

    We are using CF 8.0.1 and not JRun directly. Do we still need to apply the hotfix?

    #15 Posted by Jason | Aug 19, 2009, 12:50 PM
  • Marc

    I had the same issue as Dave Hannum. After I installed wsconfig (CVE-2009-1876) on my dev machine (XP Pro SP2 / IIS 5.1 / CF 8.0.1) CF only returned blank pages, but the CF pages still ran in the background (e.g. a page that required you to be logged in redirected to our login page, although that was blank too).
    Everything seems fine after I installed wsconfig (CVE-2009-1876) on Windows Server 2003 SP2, do I need to roll back to the old version of wsconfig because the update is only intended for Apache?

    It would be very helpful if Adobe would update the security bulletin and readme files with the OS and software configurations that CVE-2009-1873, CVE-2009-1874, and CVE-2009-1876 apply to.

    #16 Posted by Marc | Aug 19, 2009, 02:11 PM
  • Kevin Knoepp

    I had the exact same issue as Dave, completely blank pages after the wsconfig update on my test server. Luckily backing it out brought CF back. Definitely test that one on an exact duplicate of your production box before deploying it.

    #17 Posted by Kevin Knoepp | Aug 19, 2009, 02:12 PM
  • Asha

    @Jason Yeah, I checked that link and we will be correcting it, but for now you can just rename the downloaded jmc-app.zip to jmc-app.ear. You will require this if you have a multiserver installation,
    i.e. you have jmc-app.ear deployed in JRun4\servers\admin.

    #18 Posted by Asha | Aug 20, 2009, 12:17 AM
  • Asha

    Hotfix CVE-2009-1876 is only if you are using Apache as webserver; it is not required if you are using IIS.

    #19 Posted by Asha | Aug 20, 2009, 12:19 AM
  • Asha

    @Marc you don't need that hotfix since you are on IIS.
    @Kevin Can you please reconfigure Apache after replacing the wsconfig.jar and try again and let me know. While reconfiguring Apache, can you please enable verbose logging also.
    Steps to follow -
    1) Stop Apache
    2) Replace wsconfig.jar
    3) Start Apache
    4) Reconfigure Apache as webserver with verbose logging enabled.

    Please let me know if you are still facing an issue. If yes, please send me an email directly with the verbose logs and your configuration details - my email id is asha@adobe.com.

    #20 Posted by Asha | Aug 20, 2009, 12:26 AM
  • Steve

    Ben and Asha, why can't Adobe provide a more coherent update bulletin? 5 updates with instructions spread across multiple text files, hotfixes that may or may not be applicable to your plus some hotfixes that are the same but renamed, does not make a CF server administrator's life very easy ;).

    I found this great blog post which had compiled all the instructions and download links and made it easier to print out and follow:
    http://www.coldfusionsecurity.org/post.cfm/help-ap...

    Why couldn't Adobe have done something like this themselves? Next time can I suggest:
    - you package all updates for the bulletin into zip files applicable to each version.
    - if a hotfix is only applicable to a certain web server clearly note this on the bulletin.
    - for a big update like this please compile all instructions into a file for each CF version (if they are different) check the cf security site above for an example.
    - package update installers? I know this may be a pipe dream but if you make it hard for people to patch they won't and this could lead to CF getting a bad name as being insecure as more and more critical updates are ignored.

    Please take this as a little constructive criticism from a CF server admin.
    Cheers, Steve.

    #21 Posted by Steve | Aug 20, 2009, 03:55 AM
  • Kevin K

    @Asha This was on an instance of CF running with IIS.

    Rather than saying "it is not required if you are using IIS." you should say "Apache only. It will break your server if you are running IIS."

    Reading the instructions I saw the references to Apache but it was not clear the patch was Apache only.

    #22 Posted by Kevin K | Aug 20, 2009, 09:51 AM
  • Andreas

    After installing all hotfixes yesterday (except CVE-2009-1873 and CVE-2009-1874) we have a lot of "null null <br>The error occurred on line -1. " errors in our log ("StackTrace: java.lang.NullPointerException", "Type: Coldfusion.runtime.CfErrorWrapper"). Anyone else getting those errors? How can I get more information about what's going wrong?
    OS: Win2003; CF 7; IIS
    I'll uninstall CVE-2009-1876 tonight (we are running iis).
    Thanks for any help!

    #23 Posted by Andreas | Aug 20, 2009, 10:37 AM
  • Phil Duba

    For 1876, if I have VirtualHosts on Apache each using its own wsconfig connection to their CF instance, do I need to run the wsconfig.jar file once and copy the updated mod_jrun22.so to each of the remaining folders under <cf_root>/lib/wsconfig? Also, I've read on other blogs that folks with 64-bit installations are having some difficulty. Is the wsconfig.jar file to be downloaded for 32 or 64 bit?

    #24 Posted by Phil Duba | Aug 20, 2009, 11:01 AM
  • Pete Freitag

    @Phil - From what I've heard the wsconfig tool will attempt to install the 32 bit apache module on a Mac OSX 64 bit Apache, I don't know if that is the case for other OS's as well. The wsconfig.jar does indeed contain the apache module .so files for 64 bit Apache versions on various OS's, I've posted some additional details about this hotfix on my blog here: http://www.petefreitag.com/item/712.cfm

  • Tony Gallacher

    I note Ben's comment below. Some people will figure out solutions to these issues and not report a problem, others will not bother to apply the fix if it looks risky because of poor instructions. I also found the reference to Apache in 1876 confusing. While it looks like someone's not generalised the instructions from the system they tested on, that may not be the case. Does the fix only apply to those using Apache? It's just not clear. Most of us developers have done this sort of thing with documentation and I appreciate the fixes being provided, but I think we need the extra 5% effort to tidy up the instructions.

    I can't find jmc-app.ear or .war for that matter on my system. While I suspect that the instructions assume an install requiring a separate JRun server and so a JRun management console, it's just not made clear.

    I echo the comment already posted that no one wants to break their production system with a security patch.

    Thanks for the comments guys. Most users are not reporting issues with the hot fixes, but the fact that some are is very worrying. I have asked the engineering lead to take a look at this. Stay tuned.

    --- Ben

    #26 Posted by Tony Gallacher | Aug 21, 2009, 05:07 AM
  • Andreas

    I uninstalled CVE-2009-1876 tonight and the "null null"-errors are gone... how did this hotfix (esp. the howto) pass any quality check? ;)
    Is it correct to copy back the wsconfig.jar and re-run 'java -Dtrace.ci=1 -jar wsconfig.jar -upgrade -v' to uninstall the hotfix? Will this affect any other hotfixes? (Do I need to reinstall any other hotfix again?)
    System: Win2003; IIS; CF7 (Update Level: "/C:/CFusionMX7/lib/updates/hf702-1875.jar")
    Any help would be appreciated!

    #27 Posted by Andreas | Aug 21, 2009, 08:33 AM
  • Gadi

    I agree with the comments above regarding packing them into one installer, or making the page easier to navigate the multiple updates.

    There seem to be several security patches recently released. Could we get a rollup for an 8.0.2 release?

    #28 Posted by Gadi | Aug 21, 2009, 10:43 AM
  • Matt F.

    I second Gadi's suggestion of having these put into an 8.0.2 rollup (along with the other previous patches/fixes released after 8.0.1). This is downright nerve-wracking, not knowing what might be breaking on critical production servers.

    #29 Posted by Matt F. | Aug 21, 2009, 12:22 PM
  • Jon Briccetti

    I'm still very unclear about how critical this patch is if the entire /cfide/ folder is locked down/restricted to a local IP in a server configuration - how can anyone access the vulnerable scripts if the webserver won't allow access to it?

    #30 Posted by Jon Briccetti | Aug 21, 2009, 03:15 PM
  • Tim

    Please verify that _logintowizard.cfm is in the cfide8.0.1.zip. When I download the zip file the _logintowizard.cfm file is missing. I need to make sure that it is not being stripped out when I download the zip.

    #31 Posted by Tim | Aug 24, 2009, 01:37 PM
  • Tim

    Never mind. I found an uncorrupted zip file with the _logintowizard.cfm in the cfide8.0.1.zip here: http://secunia.com/advisories/36329/

    #32 Posted by Tim | Aug 24, 2009, 02:39 PM
  • Adam

    For 8.0.1 updates. Tim - not seeing the missing _logintowizard.cfm in the cfide8.0.1.zip from the Adobe site as well. The zip file link is

    http://download.macromedia.com/pub/coldfusion/upda...

    other sites show

    http://download.macromedia.com/pub/coldfusion/upda... as the correct zip which is larger and contains the _logintowizard.cfm

    Can someone from Adobe please check and verify which is the correct download. Thank You

    It wouldn't be a bad idea to show the updated files and dates/versions as well.

    #33 Posted by Adam | Aug 24, 2009, 03:08 PM
  • Brad

    I'd like to see this fixed as well. I got the notice from Adobe that there is this security risk and followed the instructions for the patch, but the patch file simply doesn't have all the files. I've posted in the adobe discussion area as well and so far no official answer. Also, I'm after the 7.x patch file rather than the 8.x file. The 7.x patch was missing the _logintowizard.cfm file as well.

    #34 Posted by Brad | Aug 25, 2009, 12:20 PM
  • AXL

    Adobe has silently fixed the CVE-2009-1872 and CVE-2009-1877 hotfix; the previous one was missing "_logintowizard.cfm."

    CVE-2009-1872 and CVE-2009-1877 Hotfix for ColdFusion 7.0.2
    http://download.macromedia.com/pub/coldfusion/upda...

    CVE-2009-1872 and CVE-2009-1877 Hotfix for ColdFusion 8
    http://download.macromedia.com/pub/coldfusion/upda...

    CVE-2009-1872 and CVE-2009-1877 Hotfix for ColdFusion 8.0.1
    http://download.macromedia.com/pub/coldfusion/upda...

    #35 Posted by AXL | Aug 27, 2009, 09:01 AM
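Two of the problems this thread turned up (hf801-1875.jar and hf801-1878.jar being byte-for-byte identical, and a cfide8.0.1.zip that shipped without _logintowizard.cfm) can both be caught before anything is copied onto a server. The script below is an added example written for this page; it is not Adobe's tooling and not code from the original post. It assumes the hotfix zip keeps its files under a CFIDE/administrator/ prefix (an assumption, so matching is done on the file name alone), and the sample archives and jar contents it checks are constructed in memory rather than downloaded.

```python
"""Pre-deployment checks for ColdFusion hotfix downloads (added example).

Two checks a CF admin would want before a change window:
  1. Does the hotfix zip actually contain every file the readme lists?
  2. Which of the downloaded hotfix jars are identical, so each unique
     jar is applied once instead of re-uploading the same bytes?
"""
from __future__ import annotations

import hashlib
import io
import zipfile

# Files the readme says the CFIDE hotfix delivers. Only _logintowizard.cfm
# is named in the thread; extend this list from the real readme.
EXPECTED_CFIDE_FILES = ["_logintowizard.cfm"]

# Constructed jar contents standing in for the real downloads: the first
# two share bytes (as reported for 1875/1878), the third differs.
SAMPLE_JARS = {
    "hf801-1875.jar": b"constructed-jar-bytes-A",
    "hf801-1878.jar": b"constructed-jar-bytes-A",
    "other-hotfix.jar": b"constructed-jar-bytes-B",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used to compare jars regardless of their file names."""
    return hashlib.sha256(data).hexdigest()


def build_sample_archive(include_login_wizard: bool) -> bytes:
    """Construct an in-memory zip shaped like the CFIDE hotfix (assumed
    CFIDE/administrator/ layout), optionally omitting _logintowizard.cfm
    to reproduce the broken download described in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("CFIDE/administrator/index.cfm", "<!--- constructed placeholder --->")
        if include_login_wizard:
            zf.writestr("CFIDE/administrator/_logintowizard.cfm",
                        "<!--- constructed placeholder --->")
    return buf.getvalue()


def missing_members(archive_bytes: bytes, expected: list[str]) -> list[str]:
    """Return the expected file names that are absent from the zip.

    Matching is on the base name because the directory prefix inside the
    archive is not something the readme guarantees.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        present = {
            name.rsplit("/", 1)[-1]
            for name in zf.namelist()
            if not name.endswith("/")
        }
    return [f for f in expected if f not in present]


def duplicate_groups(jars: dict[str, bytes]) -> list[list[str]]:
    """Group jar names whose contents hash identically; every group with
    more than one member needs to be uploaded only once."""
    by_hash: dict[str, list[str]] = {}
    for name, data in jars.items():
        by_hash.setdefault(sha256_hex(data), []).append(name)
    return sorted(sorted(names) for names in by_hash.values() if len(names) > 1)


if __name__ == "__main__":
    good = build_sample_archive(include_login_wizard=True)
    broken = build_sample_archive(include_login_wizard=False)
    print("complete zip missing:", missing_members(good, EXPECTED_CFIDE_FILES))
    print("broken zip missing:  ", missing_members(broken, EXPECTED_CFIDE_FILES))
    for group in duplicate_groups(SAMPLE_JARS):
        print("identical jars, apply once:", ", ".join(group))
```

Run it against real downloads by replacing the constructed bytes with the file contents (`Path(...).read_bytes()`); a non-empty result from `missing_members` means the archive should not be deployed until a complete copy is obtained, and a group from `duplicate_groups` means one upload through the Administrator covers every CVE in that group.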
  • Forrest

    I'm trying to install 1878. I had to install jre first, so I installed the latest available version. I was able to run the install easily on my dev server, but the "Select File on the Server - Retrieving initial directories ..." message in the download window never makes it to showing any directories. I had IE 6 on the dev server but it's IE 8 on the prod; IE 8, IE 8 compatibility, and Firefox 3017 all display the same behavior.

    #36 Posted by Forrest | Sep 4, 2009, 10:49 AM
  • Marc

    @Forrest
    If you disabled flex remoting that also disables the “browse server” functionality. You have to paste the full path in the “Update File” text box and click “submit changes” to upload a .jar file on the System Information page.

    #37 Posted by Marc | Sep 4, 2009, 12:47 PM
  • Forrest

    d'oh ... you can lead a sysadmin to a gui but you can't make him think. I knew there had to be a way to do that, but it was too easy. Thanks.

    #38 Posted by Forrest | Sep 4, 2009, 01:59 PM
  • Chris Griffin

    I sure don't understand how CF works. I'm trying to install the patch for CVE-2009-1876 but this command won't work:

    java -Dtrace.ci=1 -jar wsconfig.jar -upgrade -v

    Because there is no java file on my system. Can I just install the latest java? I have no idea how this has been running for a year without it.

  • JM

    I am running ColdFusion version 7 and planning to upgrade to 8, which requires hotfixes to ColdFusion and JRun. If I upgrade to 9 do I still need to apply the fixes to 7??
    Thank you for your advice

    #40 Posted by JM | Apr 8, 2010, 04:07 PM
  • Rowann Suayan

    We have a remote CF deployment, separate boxes for Web and App servers.
    We've applied the patches and get the expected "Macromedia JRun 4.0 (Build 108785)" response after running the info command.
    However, we checked our logs and cfserver.log after every restart still says "Starting Macromedia JRun 4.0 (Build 108673), coldfusion server"
    Is this as expected? Are there any other ways to test that the deployment has been done properly?
    Thanks in advance!