41 thoughts

  1. 1) The zip file for CVE-2009-1873 and CVE-2009-1874 hotfixes contains the file jmc-app.war, not jmc-app.ear. Is this an error or is there something else we need to do? (We are using CF 8.0.1, and not JRun directly. I’m assuming we still need to apply the hotfix?)
    2) CVE-2009-1876 instructions only mention Apache. Should this hotfix be applied if we are running IIS (specifically IIS7)?
    Thanks. Can’t find any information about the hotfixes other than the link you posted.

  2. I can’t run this update command on Windows. Am I missing something?
    Includes fix for CVE-2009-1876.
    Steps to deploy this hotfix:
    1) Back up the existing {cf_root}\runtime\lib\wsconfig.jar to wsconfig.jar.bu.
    2) Download the hot fix (wsconfig.jar – 2.9 MB).
    3) Stop all ColdFusion servers and the Apache web server.
    4) Copy the downloaded wsconfig.jar to {cf_root}\runtime\lib.
    5) Navigate to the {cf_root}\runtime\lib directory and run the connector upgrade:
    cd {cf_root}\runtime\lib
    java -Dtrace.ci=1 -jar wsconfig.jar -upgrade -v
    6) Make sure the upgrade completed successfully.
    7) Inspect {cf_root}\runtime\lib\wsconfig\wsconfig.log for errors.
    8) java -jar wsconfig.jar -info
    The command should return "Macromedia JRun 4.0 (Build 108785)".
    9) Start the ColdFusion servers and the Apache web server.
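The nine steps quoted above, plus the "back it off" rollback that later commenters describe (restore the saved wsconfig.jar and re-run the connector upgrade), as an added example script. This is not Adobe's code and not from the hotfix readme; it assumes a Unix-style shell with the JRE reachable as `java` (or via the `JAVA` variable), a server install with the connector jar under `$CF_ROOT/runtime/lib` (the Windows equivalent is `{cf_root}\runtime\lib`), that the caller has already stopped ColdFusion and the web server as step 3 says, and that the connector log reports problems with the word "error". The build string it checks is the one step 8 quotes.

```shell
# Hypothetical wrapper around the wsconfig.jar hotfix steps quoted above.
# Assumptions (not from the readme): Unix paths, $JAVA points at a JRE,
# ColdFusion and the web server are already stopped by the caller.

JAVA="${JAVA:-java}"
EXPECTED_BUILD="Macromedia JRun 4.0 (Build 108785)"   # step 8 above

# Return 0 when "wsconfig.jar -info" reports the hotfixed build.
info_ok() {
    lib=$1
    out=$(cd "$lib" && "$JAVA" -jar wsconfig.jar -info 2>&1)
    case "$out" in
        *"$EXPECTED_BUILD"*) return 0 ;;
        *) echo "unexpected -info output: $out" >&2; return 1 ;;
    esac
}

# Return 0 when the connector log exists and no line mentions an error.
# (Assumption: the upgrade log flags problems with the word "error".)
log_clean() {
    log=$1
    [ -f "$log" ] || { echo "missing $log" >&2; return 1; }
    ! grep -qi 'error' "$log"
}

# Put the backed-up jar back and re-run the connector upgrade with it,
# which is how commenters in this thread report having backed the fix off.
rollback() {
    lib=$1
    cp "$lib/wsconfig.jar.bu" "$lib/wsconfig.jar" || return 1
    (cd "$lib" && "$JAVA" -Dtrace.ci=1 -jar wsconfig.jar -upgrade -v) >/dev/null 2>&1
}

# apply_wsconfig_hotfix CF_ROOT NEW_JAR
# Returns 0 only if the upgrade ran, the log is clean and -info shows
# the new build; on any failure the old jar is restored first.
apply_wsconfig_hotfix() {
    cf_root=$1; new_jar=$2
    lib="$cf_root/runtime/lib"
    log="$lib/wsconfig/wsconfig.log"

    [ -f "$lib/wsconfig.jar" ] || { echo "no wsconfig.jar in $lib" >&2; return 1; }
    cp "$lib/wsconfig.jar" "$lib/wsconfig.jar.bu" || return 1      # step 1
    cp "$new_jar" "$lib/wsconfig.jar" || return 1                   # step 4

    # step 5: the upgrade must be run from inside runtime/lib
    if ! (cd "$lib" && "$JAVA" -Dtrace.ci=1 -jar wsconfig.jar -upgrade -v); then
        echo "upgrade command failed, rolling back" >&2
        rollback "$lib"; return 1
    fi

    # steps 7 and 8: verify before anything is started back up
    if ! log_clean "$log" || ! info_ok "$lib"; then
        echo "verification failed, rolling back" >&2
        rollback "$lib"; return 1
    fi
    echo "hotfix applied; backup kept at $lib/wsconfig.jar.bu"
}
```

Run it as `JAVA=/path/to/java apply_wsconfig_hotfix /opt/coldfusion8 ./wsconfig.jar` after stopping the services, and start them again only when it reports success; the backup is left in place so a later manual rollback is still possible.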

  3. hf801-1875.jar for CVE-2009-1875 and hf801-1878.jar for CVE-2009-1878 are the same byte for byte. I assume if you deploy CVE-2009-1875 you don’t need to deploy CVE-2009-1878.

  4. I did a byte-for-byte file comparison between 1875 and 1878 jar files too – yes they are identical! Seems pointless in deploying them both, especially since they were released at the same time.
    1876 is an odd one. It only refers to Apache web server (not IIS) so does that mean it doesn’t need to be installed if you run IIS? (I ran it on a test server with IIS and it seemed to patch okay) and also refers to a "runtime" directory which doesn’t contain a "lib" directory. Very odd. Running the connector update from a cmd prompt is scary, we don’t know if this could risk upsetting a CF/IIS cluster.
    Thank heavens for blogs otherwise CF devs & admins wouldn’t have known about the security issues or where to get the fixes from. What have Adobe got against an update and security mailing list? Maybe in CF10 the CF Administrator can check for updates once a day and notify the administrator? Quite a few server apps are doing that these days.

  5. The wsconfig patch flat out does not work on my Dev box. XP Prof / IIS 5.1 / CF 8.0.1.
    I backed it off and things were back to normal.
    Ran the upgrade again and it’s broke again.
    Suggestions?

  6. I’ve run the hf801-1878.jar hot fix twice now, and after restarting CF, it is not reflected in the CF Administrator.
    It still shows: Update Level /C:/ColdFusion8/lib/updates/hf801-1875.jar
    This seems to uphold the earlier post by Gary Fenton that the two hot fixes are the same one. Looks as if hf801-1878.jar has the contents of hf801-1875.jar ??????

  7. @Pete Freitag – that did the trick, thanks!
    @theo den brinker – I’m with you. This is a harsh way to apply these patches.
    @Dave Hannum – the possibility that one of these patches could kill a production server is my worst nightmare!

  8. Thanks for the comments guys. Most users are not reporting issues with the hot fixes, but the fact that some are is very worrying. I have asked the engineering lead to take a look at this. Stay tuned.
    — Ben

  9. Yes, the hotfix jar provided for 1875 and 1878 are the same; applying one jar should serve the purpose for both.

  10. @Asha:
    The zip file for CVE-2009-1873 and CVE-2009-1874 hotfixes contains the file jmc-app.war, not jmc-app.ear. Is this an error or is there something else we need to do?
    We are using CF 8.0.1 and not JRun directly. Do we still need to appl

  11. I had the same issue as Dave Hannum. After I installed wsconfig (CVE-2009-1876) on my dev machine (XP Pro SP2 / IIS 5.1 / CF 8.0.1) CF only returned blank pages but the CF pages still ran in the background (ex a page that required you to be logged in redirected to our login page although that was blank too).
    Everything seems fine after I installed wsconfig (CVE-2009-1876) on Windows Server 2003 SP2, do I need to roll back to the old version of wsconfig because the update is only intended for Apache?
    It would be very helpful if Adobe would update the security bulletin and readme files with the OS and software configurations that CVE-2009-1873, CVE-2009-1874, and CVE-2009-1876 apply to.

  12. I had the exact same issue as Dave, completely blank pages after the wsconfig update on my test server. Luckily backing it out brought CF back. Definitely test that one on an exact duplicate of your production box before deploying it.

  13. @Jason Yeah, I checked that link and we will be correcting it, but for now you can just rename the downloaded jmc-app.zip to jmc-app.ear. You will require this if you have a multiserver installation,
    i.e. you have jmc-app.ear deployed in JRun4\servers\admi

  14. @Marc you don’t need that hotfix since you are on IIS.
    @Kevin Can you please reconfigure Apache after replacing the wsconfig.jar and try again and let me know. While reconfiguring Apache can you please enable verbose logging also.
    Steps to follow –
    1

  15. Ben and Asha, why can’t Adobe provide a more coherent update bulletin? 5 updates with instructions spread across multiple text files and hotfixes that may or may not be applicable to you, plus some hotfixes that are the same but renamed, does not make a CF server administrator’s life very easy ;).
    I found this great blog post which had compiled all the instructions and download links and made it easier to print out and follow:
    http://www.coldfusionsecurity.org/post.cfm/help-applying-coldfusion-hotfixes-for-vulnerability-apsb09-12
    Why couldn’t Adobe have done something like this themselves? Next time can I suggest:
    – you package all updates for the bulletin into zip files applicable to each version.
    – if a hotfix is only applicable to a certain web server clearly note this on the bulletin.
    – for a big update like this please compile all instructions into a file for each CF version (if they are different) check the cf security site above for an example.
    – package update installers? I know this may be a pipe dream but if you make it hard for people to patch they won’t and this could lead to CF getting a bad name as being insecure as more and more critical updates are ignored.
    Please take this as a little constructive criticism from a CF server admin.
    Cheers, Steve.

  16. @Asha This was on an instance of CF running with IIS.
    Rather than saying "it is not required if you are using IIS." you should say "Apache only. It will break your server if you are running IIS."
    Reading the instructions I

  17. After installing all hotfixes yesterday (except CVE-2009-1873 and CVE-2009-1874) we have a lot of "null null <br>The error occurred on line -1. " errors in our log ("StackTrace: java.lang.NullPointerException", "Type: Coldfusion.runtime.CfErrorWrapper"). Anyone else getting those errors? How can I get more information about what’s going wrong?
    OS: Win2003; CF 7; IIS
    I’ll uninstall CVE-2009-1876 tonight (we are running IIS).
    Thanks for any help!

  18. For 1876, if I have VirtualHosts on Apache each using its own wsconfig connection to their CF instance, do I need to run the wsconfig.jar file once and copy the updated mod_jrun22.so to each of the remaining folders under <cf_root>/lib/wsconfig? Also, I’ve read on other blogs that folks with 64-bit installations are having some difficulty. Is the wsconfig.jar file to be downloaded for 32 or 64 bit?

  19. @Phil – From what I’ve heard the wsconfig tool will attempt to install the 32 bit apache module on a Mac OSX 64 bit Apache, I don’t know if that is the case for other OS’s as well. The wsconfig.jar does indeed contain the apache module .so files for 64 bi

  20. I second Gadi’s suggestion of having these put into an 8.0.2 rollup (along with the other previous patches/fixes released after 8.0.1). This is downright nerve-wracking, to not know what might be breaking on critical production servers.

  21. I note Ben’s comment below. Some people will figure out solutions to these issues and not report a problem, others will not bother to apply the fix if it looks risky because of poor instructions. I also found the reference to Apache in 1876 confusing. While it looks like someone’s not generalised the instructions from the system they tested on, that may not be the case. Does the fix only apply to those using Apache? It’s just not clear.
    Most of us developers have done this sort of thing with documentation and I appreciate the fixes being provided, but I think we need the extra 5% effort to tidy up the instructions.
    I can’t find jmc-app.ear or .war for that matter on my system. While I suspect that the instructions assume an install requiring a separate JRun server and so a JRun management console, it’s just not made clear.
    I echo the comment already posted that no one wants to break their production system with a security patch.

  22. I uninstalled CVE-2009-1876 tonight and the "null null"-errors are gone… how did this hotfix (esp. the howto) pass any quality check? 😉
    Is it correct to copy back the wsconfig.jar and re-run ‘java -Dtrace.ci=1 -jar wsconfig.jar -upgrade -v’ to uninstall the hotfix? Will this affect any other hotfixes? (Do I need to reinstall any other hotfix again?)
    System: Win2003; IIS; CF7 (Update Level: "/C:/CFusionMX7/lib/updates/hf702-1875.jar")
    Any help would be appreciated!

  23. I agree with the comments above regarding packing them into one installer, or making the page easier to navigate the multiple updates.
    There seem to be several security patches recently released. Could we get a rollup for an 8.0.2 release?

  24. I’m still very unclear about how critical this patch is if the entire /cfide/ folder is locked down/restricted to a local IP in a server configuration – how can anyone access the vulnerable scripts if the web server won’t allow access to it?

  25. Please verify that _logintowizard.cfm is in the cfide8.0.1.zip. When I download the zip file the _logintowizard.cfm file is missing. I need to make sure that it is not being stripped out when I download the zip.

  26. For 8.0.1 updates. Tim – Not seeing the missing _logintowizard.cfm in the cfide8.0.1.zip from the Adobe site as well. The zip file link is
    http://download.macromedia.com/pub/coldfusion/updates/801/CFIDE8.0.1.zip
    other sites show
    http://download.macromedia.com/pub/coldfusion/updates/8/CFIDE-8.zip as the correct zip which is larger and contains the _logintowizard.cfm
    Can someone from Adobe please check and verify which is the correct download. Thank You
    It wouldn’t be a bad idea to show the updated files and dates/versions as well.

  27. I’d like to see this fixed as well. I got the notice from Adobe that there is this security risk and followed the instructions for the patch, but the patch file simply doesn’t have all the files. I’ve posted in the adobe discussion area as well and so far no official answer. Also, I’m after the 7.x patch file rather than the 8.x file. The 7.x patch was missing the _logintowizard.cfm file as well.

  28. Adobe has silently fixed the CVE-2009-1872 and CVE-2009-1877 hotfix, which the previous one was missing "_logintowizard.cfm."
    CVE-2009-1872 and CVE-2009-1877 Hotfix for ColdFusion 7.0.2
    http://download.macromedia.com/pub/coldfusion/updates/702/7_0_2.zip
    CVE-2009-1872 and CVE-2009-1877 Hotfix for ColdFusion 8
    http://download.macromedia.com/pub/coldfusion/updates/8/8.zip
    CVE-2009-1872 and CVE-2009-1877 Hotfix for ColdFusion 8.0.1
    http://download.macromedia.com/pub/coldfusion/updates/801/8_0_1.zip

  29. I’m trying to install 1878. I had to install a JRE first, so I installed the latest available version. I was able to run the install easily on my dev server, but the "Select File on the Server – Retrieving initial directories …" message in the download window never makes it to showing any directories. I had IE 6 on the dev server but it’s IE 8 on the prod; IE 8, IE 8 compatibility, and Firefox 3017 all display the same behavior.

  30. @Forrest
    If you disabled flex remoting that also disables the “browse server” functionality. You have to paste the full path in the “Update File” text box and click “submit changes” to upload a .jar file on the Syst

  31. d’oh … you can lead a sysadmin to a gui but you can’t make him think. I knew there had to be a way to do that, but it was too easy. Thanks.

  32. I sure don’t understand how CF works. I’m trying to install the patch for CVE-2009-1876 but this command won’t work
    java -Dtrace.ci=1 -jar wsconfig.jar -upgrade -v
    Because there is no java file on my system. Can I just install the latest java? I have no idea how this has been running for a year without it.

  33. I am running ColdFusion version 7 and planning to upgrade to 8, which requires hotfixes to ColdFusion and JRun. If I upgrade to 9 do I still need to apply the fixes to 7?
    Thank you for your advice.

  34. We have a remote CF deployment, separate boxes for Web and App servers.
    We’ve applied the patches and get the expected "Macromedia JRun 4.0 (Build 108785)" response after running the info command.
    However, we checked our logs and cfserver.log after every restart still says "Starting Macromedia JRun 4.0 (Build 108673), coldfusion server"
    Is this as expected? Are there any other ways to test that the deployment has been done properly?
    Thanks in advance!
