Thoughts, ideas, tips, musings, and pontifications (not necessarily in that order) by Ben Forta ...
NOTE: This is my personal blog, and the opinions and statements voiced here are my own.
Posted At : 10:52 AM
Related Categories:
ColdFusion :
The ColdFusion team has just posted a security hotfix to address a potential cross-site scripting vulnerability in ColdFusion 8.x and 9.x (Windows, Macintosh and Unix).
Under Section 1 > CF9.0.1 > Step 5 it tells you to go to your CF installation and "If hf901-00001.jar, hf901-00002.jar or hf901-00003.jar exist, delete them".
However hf901-00003.jar is the new HotFix file that you will have just added. Presumably only 00001 and 00002 should be deleted?
I just recently applied hotfix 2 and have a file named chf9010002.jar. The instructions say I should delete a file named hf901-00002.jar -- should I delete the file I have? I'm guessing so, but want to be sure before applying this hotfix on my client's production server.
One thing that has never been clear: Are all hotfixes cumulative? It seems that security "patches" are much different from "hotfixes". Should security patches only be applied on a case by case basis depending upon your server configuration? Should everyone always install any available security patches?
It is "recommended" that a server is always updated with Security patches as and when there is one available. As once the vulnerability is public the server is vulnerable and can be a victim.
No not all hot-fixes are cumulative. Security patches are different from "hotfixes".
Security patches are conditional cumulative of previous security patches for the ColdFusion version. Having said that, "Conditional Cumulative" here means that, it might not contain some of previous security patches like "Blaze DS patch". Another example would be, like the December Security patch, is cumulative Security patch, but it "Does not" contain files from "CFIDE/" or "WEB-INF/" as those files were not affected in this patch. (This is done generally to minimize the number of steps required to install a security patch.)
Hence some one who has already installed previous Security patches, can only take update from December patch. If not one can take the complete Security hot-fix bundle. But the complete bundle will also not have fixes like "Blaze DS" patches etc.
Under Section 1 > CF9.0.1 > Step 5 it tells you to go to your CF installation and "If hf901-00001.jar, hf901-00002.jar or hf901-00003.jar exist, delete them".
However hf901-00003.jar is the new HotFix file that you will have just added. Presumably only 00001 and 00002 should be deleted?
I followed the instructions and deleted "hfxxx-00003.jar" and it seems to work correctly.
(In my case it was CF 8.0.1, though.)
The instructions have now been corrected anyway.
One thing that has never been clear:
Are all hotfixes cumulative? It seems that security "patches" are much different from "hotfixes". Should security patches only be applied on a case by case basis depending upon your server configuration? Should everyone always install any available security patches?
--
Thanks,
Daniel Elmore
http://www.danielelmore.com
It is "recommended" that a server is always updated with Security patches as and when there is one available. As once the vulnerability is public the server is vulnerable and can be a victim.
No not all hot-fixes are cumulative. Security patches are different from "hotfixes".
Security patches are conditional cumulative of previous security patches for the ColdFusion version. Having said that, "Conditional Cumulative" here means that, it might not contain some of previous security patches like "Blaze DS patch". Another example would be, like the December Security patch, is cumulative Security patch, but it "Does not" contain files from "CFIDE/" or "WEB-INF/" as those files were not affected in this patch. (This is done generally to minimize the number of steps required to install a security patch.)
Hence some one who has already installed previous Security patches, can only take update from December patch. If not one can take the complete Security hot-fix bundle. But the complete bundle will also not have fixes like "Blaze DS" patches etc.
Hope this helps.
Shilpi
Security Czar, ColdFusion Server Team