ColdFusion Security Hotfix Released

A security hotfix has just been released for ColdFusion 8 and 9. This hotfix addresses a potential cross site scripting vulnerability.

30 responses to “ColdFusion Security Hotfix Released”

  1. Marc Avatar
    Marc

    I just installed security update APSB10-11 on my local machine and now whenever I try to access any of my datasources I get this error:
    "Datasource ExceptionLog could not be found."
    where ExceptionLog is the datasource name.
    I am running Windows 7 64 bit with Coldfusion 8.0.1 64 bit Developer Edition with Cumulative Hotfix 4, all hot fixes not in CHF4, and all security patches.
    Removing security update APSB10-11 fixed the problem

  3. Julian Halliwell Avatar
    Julian Halliwell

    Ben, our 2 dev machines are 32-bit Windows 7. Definitely not 64 bit only.

  4. Ben Forta Avatar
    Ben Forta

    I’ll pass that along, stay tuned …
    — Ben

  5. tim Avatar
    tim

    When I applied the hotfix, it didn’t break anything, but in the system information, the update level is still showing the previous one that was installed.

  6. Jason Fisher Avatar
    Jason Fisher

    Yes, and I can confirm the same on my development box, still running XP, 32-bit.

  7. Anthony Avatar
    Anthony

    Same issue on 64 bit Linux. Rolled back and all good. Will stay tuned for an update.

  8. Julian Halliwell Avatar
    Julian Halliwell

    We just tried applying the 8.01 HF on 2 different dev machines and after restarting CF could no longer connect to any datasources using <cfquery>. MySQL connections gave the error message "Datasource X could not be found", for SQL Server it was "coldfusion.sql.Executive.getDatasource1(Ljava/lang/String;)Ljavax/sql/DataSource;"
    Verifying the datasources in the CF Administrator worked ok, though.

  9. Alison H Avatar
    Alison H

    Someone at Adobe is looking into this now. Will keep you all posted on the results.

  10. Jason Fisher Avatar
    Jason Fisher

    Thanks, Alison … having the same trouble here. Luckily installed it first on my dev machine and not one of the servers. 8.0.1 on Windows XP, 32-bit, but same issue on every datasource. The DSNs validate fine in CF Admin, but apps can’t find them.

  11. William Attwood Avatar
    William Attwood

    I have received the same issue, after removing the hotfix the issue was resolved, I re-applied the hotfix and received the same error.
    On with Adobe now to create a support incident.

  12. Ben Forta Avatar
    Ben Forta

    Looks like the engineering team has figured out the issue. Details on their way …
    — Ben

  13. Ben Forta Avatar
    Ben Forta

    Looks like there is an issue with CF8.0.1 64-bit with Hotfix 4 applied, where it doesn’t like the filename convention of the security update. Only CF8.0.1 64-bit with Hotfix 4 is impacted, so if you’re using that version don’t apply the update yet.
    — Ben

  14. brentil Avatar
    brentil

    Just wanted to chime in that our Win2003 Server which is 32-bit is also experiencing this epic failure as well…
    CFMX 8.0.1 Rollup-4 running on 32bit windows and Java 1.6.0_20.

  15. Tom Chiverton Avatar
    Tom Chiverton

    The reported update level never changing is a known issue; check that the update file is listed in the set of jars, as that’s the only real way to know.

  16. Alison H Avatar
    Alison H

    Issue resolved – it was isolated to CF8.0.1 with hotfix 4 (32 and 64 bit). Please review the updated technote
    http://kb2.adobe.com/cps/841/cpsid_84102.html

  18. Michael Kane Avatar
    Michael Kane

    Given the problems with the fix, I want to wait a bit. The second and third vulnerability do not seem that critical, at least for my installations, how serious is the first one? Realistically.

  19. Chris Avatar
    Chris

    Ahem, rather disappointing Adobe released a security hotfix without having tested it on their own most recent cumulative hotfix. I expect more rigorous QA.

  20. Ben Forta Avatar
    Ben Forta

    Chris, I agree completely! This was a screw-up, and the team is going to have to figure out how the heck it happened, and how to ensure that it does not happen again.
    — Ben

  21. Becky Avatar
    Becky

    I have tried the latest hotfix update and I still get the following error. unexpected constant #353 96
    I can’t even get the Administrator login page. I have tried to roll back and then I get this error unexpected constant #55 0
    Anyone have any ideas about what may be going on here? I would really hate to have to re-install CF 8; too bad we don’t have CF9 bought yet, I would just install it!

  22. Jason Fisher Avatar
    Jason Fisher

    @Becky, you don’t have to reinstall CF8! Just go into C:\ColdFusion8\lib\updates and remove the file ‘shf8010001.jar’. Then stop / start the CF Application Service and you should be back to your previous update.
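
    Two of the comments above describe something an operator actually has to do: Tom Chiverton points out that the update level shown in the Administrator can be stale, so the jars in lib/updates are the only reliable record of what is loaded, and Jason Fisher describes the rollback (remove shf8010001.jar, restart the service). The script below is an added example that puts both into a form you can run against a copy of the directory; it is not code from the post, the commenters, or Adobe. It assumes the updates directory is passed in as an argument, that hotfix jars follow the chf*.jar (cumulative) and shf*.jar (security) naming seen in the thread, and it leaves the service restart to the operator because the command differs between the Windows service and the Linux init script.

    ```shell
    #!/bin/sh
    # Added example, not from the original post, the commenters, or Adobe.
    # Assumptions: updates dir is passed in; cumulative hotfixes are chf*.jar
    # and security hotfixes are shf*.jar (matching chf8010004 / shf8010001 in
    # the thread); restarting the CF service is left to the caller.

    # installed_hotfixes DIR
    #   Print the hotfix jars present in DIR, one per line, sorted by name.
    #   This is the check that tells you what is really loaded, regardless
    #   of what the Administrator's "update level" reports.
    installed_hotfixes() {
        dir=$1
        # An unmatched glob expands to itself; the -f test drops those.
        for f in "$dir"/chf*.jar "$dir"/shf*.jar; do
            [ -f "$f" ] && basename "$f"
        done | sort
    }

    # security_hotfix_present DIR JAR
    #   Exit 0 if the named security hotfix jar is in DIR, 1 otherwise.
    security_hotfix_present() {
        [ -f "$1/$2" ]
    }

    # rollback_hotfix DIR JAR BACKUPDIR
    #   Move JAR out of DIR into BACKUPDIR so the server stops loading it
    #   on the next restart. Returns 1 if there is nothing to roll back.
    #   Moving rather than deleting keeps the jar for re-applying later.
    rollback_hotfix() {
        dir=$1; jar=$2; backup=$3
        [ -f "$dir/$jar" ] || return 1
        mkdir -p "$backup"
        mv "$dir/$jar" "$backup/$jar"
    }

    # make_sample_updates_dir
    #   Constructed sample standing in for a real <cf_root>/lib/updates:
    #   an 8.0.1 install with Cumulative Hotfix 4 and the APSB10-11 security
    #   hotfix applied, plus an unrelated file that must be ignored.
    make_sample_updates_dir() {
        d=$(mktemp -d)
        : > "$d/chf8010004.jar"
        : > "$d/shf8010001.jar"
        : > "$d/unrelated.txt"
        echo "$d"
    }

    main() {
        updates=${1:-$(make_sample_updates_dir)}
        echo "Hotfix jars loaded from $updates:"
        installed_hotfixes "$updates"
        if security_hotfix_present "$updates" shf8010001.jar; then
            echo "APSB10-11 security hotfix is installed; backing it out"
            rollback_hotfix "$updates" shf8010001.jar "$updates.bak"
            echo "Restart the ColdFusion application server service now so"
            echo "the jar is dropped from the classpath."
        fi
        echo "Remaining hotfix jars:"
        installed_hotfixes "$updates"
    }

    main "$@"
    ```

    Run it with no argument to see it work on the constructed sample, or pass the real lib/updates path (for example the C:\ColdFusion8\lib\updates Jason names, or the equivalent under the Linux install root) after stopping the service. The backup directory sits next to the updates directory, so re-applying the hotfix later is a single move back.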

  23. Becky Avatar
    Becky

    @Jason, I had already tried that option and I get the same error.

  24. Carlton B Ramsey Avatar
    Carlton B Ramsey

    Can someone confirm if this security patch applies to 7.0.2? I contacted Adobe phone support and they forwarded me to forums.adobe.com and stated there is no phone support for server products.

  25. Tom Chiverton Avatar
    Tom Chiverton

    "no phone support for server products" is a lie, I’ve had several myself with Adobe support over ColdFusion.
    Try again, it’s ‘well known’ to be hard to explain you are not calling about a desktop system 🙂

  26. Mark Mazelin Avatar
    Mark Mazelin

    Even the updated patch is still causing issues for me: CF9 Enterprise on Windows Server 2008 64-bit. Most things work, but the transfer framework will not initiate. It bombs when coldspring tries to create the transferFactory:
    Bean creation exception during init() of transfer.TransferFactory : The error occurred on line 817.
    Aargh! Had to remove the jar file to have my site running smoothly again.

  27. Chris Avatar
    Chris

    I too had to roll back this morning. Most things worked, but I discovered today that our install of the CommonSpot demo site (version 6.0) was broken. Line 51 of database.cfm was failing:
    dsn = dsservice.getDataSource(arguments.dsname);

  28. DC Avatar
    DC

    @Carlton, Unfortunately the patch only applies to CF 8.0, 8.0.1 and 9. ColdFusion 7 has now reached end of core support:
    http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#63
    Also, Tom is correct, there is Bronze (Single Incide

  29. Marc Avatar
    Marc

    This technote and the attachments have been updated on 05/21/2010
    "Vulnerability CVE-2010-1294, included in this security fix, now prevents unauthorized access to datasources via the Service Factory. This may have caused issues with certain frameworks/applications that were accessing datasources without proper authentication. The fix has been updated to correct these issues by allowing unauthenticated access to only the datasource connection. Details of the datasource are only allowed with authenticated access."

  30. Jason Fisher Avatar
    Jason Fisher

    @Ben, any follow up to this patch? Sounds like a good one to implement, but not with the datasource issues that many of us hit. I know the tech team was working on it, but wondering if you’ve got a progress report.
