A security hotfix has just been released for ColdFusion 8 and 9. This hotfix addresses a potential cross site scripting vulnerability.
ColdFusion Security Hotfix Released
30 responses to “ColdFusion Security Hotfix Released”
-
I just installed security update APSB10-11 my local machine and now whenever I try to access any of my datasources I get this error:
"Datasource ExceptionLog could not be found."
where ExceptionLog is the datasource name.
I am running Windows 7 64 bit with Coldfusion 8.0.1 64 bit Developer Edition with Cumulative Hotfix 4, all hot fixes not in CHF4, and all security patches.
Removing security update APSB10-11 fixed the problem -
I just installed security update APSB10-11 my local machine and now whenever I try to access any of my datasources I get this error:
"Datasource ExceptionLog could not be found."
where ExceptionLog is the datasource name.
I am running Windows 7 64 bit with Coldfusion 8.0.1 64bit Developer Edition with Cumulative Hotfix 4, all hot fixes not in CHF4, and all security patches.
Removing security update APSB10-11 fixed the problem -
Ben, our 2 dev machines are 32-bit Windows 7. Definitely not 64 bit only.
-
I’ll pass that long, stay tuned …
— Ben -
When I applied the hotfix, it didn’t break anything, but in the system information, the update level is still showing the previous one that was installed.
-
Yes, and I can confirm the same on my development box, still running XP, 32-bit.
-
Same issue on 64 bit Linux. Rolled back and all good. Will stay tuned for an update.
-
We just tried applying the 8.01 HF on 2 different dev machines and after restarting CF could no longer connect to any datasources using <cfquery>. MySQL connections gave the error message "Datasource X could not be found", for SQL Server it was "coldfusion.sql.Executive.getDatasource1(Ljava/lang/String;)Ljavax/sql/DataSource;"
Verifying the datasources in the CF Administrator worked ok, though. -
Someone at Adobe is looking into this now. Will keep you all posted on the results.
-
Thanks, Alison … having the same trouble here. Luckily installed it first on my dev machine and not one of the servers. 8.0.1 on Windows XP, 32-bit, but same issue on every datasource. The DSNs validate fine in CF Admin, but apps can’t find them.
-
I have received the same issue, after removing the hotfix the issue was resolved, I re-applied the hotfix and received the same error.
On with Adobe now to create a support incident. -
Looks like the engineering team has figure out the issue. Details on their way …
— Ben -
Looks like there is an issue with CF8.0.1 64-bit with Hotfix 4 applied, where it doesn’t like the filename convention of the security update. Only CF8.0.1 64-bit with Hotfix 4 is impacted, so if you’re using that version don’t apply the update yet.
— Ben -
Just wanted to chime in that our Win2003 Server which is 32-bit is also experiencing this epic failure as well…
CFMX 8.0.1 Rollup-4 running on 32bit windows and Java 1.6.0_20. -
The reported update level never changing is a known issue, check the update file is listed in the set of jar’s as the only real way to know.
-
Issue resolved – it was isolated to CF8.0.1 with hotfix 4 (32 and 64 bit). Please review the updated technote
http://kb2.adobe.com/cps/841/cpsid_84102.html -
Issue resolved – it was isolated to CF8.0.1 with hotfix 4 (32 and 64 bit). Please review the updated technote
http://kb2.adobe.com/cps/841/cpsid_84102.html -
Given the problems with the fix, I want to wait a bit. The second and third vulnerability do not seem that critical, at least for my installations, how serious is the first one? Realistically.
-
Ahem, rather disappointing Adobe released a security hotfix without having tested it on their own most recent cumulative hotfix. I expect more rigorous QA.
-
Chris, I agree completely! This was a screw-up, and the team is going to have to figure out how the heck it happened, and how to ensure that it does not happen again.
— Ben -
I have tried the latest hotfix update and I still get the following error. unexpected constant #353 96
I can’t even get the Administrator login page. I have tried to roll back and then I get this error unexpected constant #55 0
Anyone have any ideas about what may be going on here? I would really hate to have to re-install CF 8, to bad we don’t have CF9 bought yet I would just install it! -
@Becky, you don’t have to reinstall CF8! Just go into C:ColdFusion8libupdates and remove the file ‘shf8010001.jar’. Then stop / start the CF Application Service and you should be back to your previous update.
-
@Jason, I had already tried that option and I get the same error.
-
Can somone confirm if this security patch applies to 7.0.2? I contacted adobe phone support and they forward me to forums.adobe.com and stated there is no phone support for server products.
-
"no phone support for server products" is a lie, I’ve had several myself with Adobe support over ColdFusion.
Try again, it’s ‘well known’ to be hard to explain you are not calling about a desktop system 🙂 -
Even the updated patch is still causing issues for me: CF9 Enterprise on Windows Server 2008 64-bit. Most things work, but the transfer framework will not initiate. It bombs when coldspring tries to create the transferFactory:
Bean creation exception during init() of transfer.TransferFactory : <br>The error occurred on line 817.
Aargh! Had to remove the jar file to have my site running smoothly again. -
I too had to roll back this morning. Most things worked, but I discovered today that our install of the CommonSpot demo site (version 6.0) was broken. Line 51 of database.cfm was failing:
dsn = dsservice.getDataSource(arguments.dsname); -
@Carlton, Unfortunately the patch only applies to CF 8.0, 8.0.1 and 9. ColdFusion 7 has now reached end of core support:
http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#63
Also, Tom is correct, there is Bronze (Single Incide -
This technote and the attachments have been updated on 05/21/2010
"Vulnerability CVE-2010-1294, included in this security fix, now prevents unauthorized access to datasources via the Service Factory. This may have caused issues with certain frameworks/applications that were accessing datasources without proper authentication. The fix has been updated to correct these issues by allowing unauthenticated access to only the datasource connection. Details of the datasource are only allowed with authenticated access." -
@Ben, any follow up to this patch? Sounds like a good one to implement, but not with the datasource issues that many of us hit. I know the tech team was working on it, but wondering if you’ve got a progress report.
Leave a Reply