ColdFusion Security Hotfix Released

12 responses to “ColdFusion Security Hotfix Released”

  1. Hedge

    Anybody else getting this error on the cfwindow tag and some cf admin operations after applying this hotfix?
    Could not initialize class coldfusion.security.ESAPIUtils

  2. Nigauw

    Warning! As discussed on Ray’s blog, there is a serious problem with this hotfix: You cannot have more than one cfapplication per domain anymore! http://www.coldfusionjedi.com/index.cfm/2011/2/8/Security-Bulletin-for-ColdFusion#comments

  3. Julian Halliwell

    We’ve reluctantly had to roll back this hotfix as it’s caused too many problems. Details on Shilpi’s blog: http://shilpikm.blogspot.com/2011/02/security-hot-fix-update-for-coldfusion.html#c4538633275255885015

  4. Dan

    It’s a little scary. We tried to upgrade to the first CF9 patch when it rolled out and it didn’t play nicely with SeeFusion and killed all of our datasources. There doesn’t seem to be much testing of the hotfixes or patches. I am afraid to do anything to our CF9 boxes now.

  5. Aaron Neff

    Hi Ben,
    Just FYI: I just realized this Hotfix isn’t mentioned on CF’s home page. (www.coldfusion.com)
    The previous one (August 10, 2010) is, but the "News" section hasn’t been updated to list the current one (February 8, 2011).
    Thanks,
    -Aaron Neff

  6. Aaron Neff

    Hi Ben,
    Sorry, not sure who best to contact, but here’s another one:
    The Cumulative Hotfix 1 (CHF1) for ColdFusion 9.0.1 page (at bottom) says: Products affected ColdFusion 9.0
    URL: http://kb2.adobe.com/cps/862/cpsid_86263.html
    It should probably say 9.0.1
    Thanks,
    -Aaron

  7. Mark Pekel

    I am receiving the "Class not found: coldfusion.security.ESAPIUtils" error as well

  8. Hedge

    Yeah we had to roll it back. So now everybody knows about the exploit but we have no way of patching it without breaking something else 🙁

  9. Julian Halliwell

    Happy to report we’ve identified the problem and the Hotfix is now working for us. In a nutshell: CF will no longer use existing CFID/CFTOKEN cookies when creating new sessions.
    I’ve written up the problem and solution at http://cfsimplicity.com/4/coldfusion-security-hotfix-changes-session-behaviour
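
    The behaviour Julian describes (CF issuing a fresh CFID/CFTOKEN pair instead of adopting the pair already in the client's cookies) is the standard defence against session fixation, and it also explains the "one application per domain" breakage reported earlier in the thread, if two applications on the same host share one cookie jar. The following Python model is an added illustration, not ColdFusion's code and not from any of the commenters; the session store, cookie handling and the two policies are simplified assumptions, and the session-fixation reading of the hotfix is an interpretation rather than something the page states.

```python
"""
Model of CFID/CFTOKEN session creation under two policies:
  reuse_client_ids=True  -> adopt identifiers the client presents (assumed pre-hotfix behaviour)
  reuse_client_ids=False -> always mint new identifiers (behaviour Julian reports after the hotfix)

Added example; not ColdFusion's own implementation. Cookie names are the real
CF ones, everything else is a deliberately simplified assumption.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    app: str
    cfid: str
    cftoken: str
    user: Optional[str] = None  # set once the client "logs in"


class Server:
    """One server hosting several applications, keyed by (app, CFID, CFTOKEN)."""

    def __init__(self, reuse_client_ids: bool) -> None:
        self.reuse_client_ids = reuse_client_ids
        self.sessions: Dict[Tuple[str, str, str], Session] = {}

    @staticmethod
    def _fresh_ids() -> Tuple[str, str]:
        # CF uses a numeric CFID and a token; the exact format is irrelevant here.
        return str(secrets.randbelow(10**7)), secrets.token_hex(8)

    def request(self, app: str, cookies: Dict[str, str]) -> Tuple[Session, Dict[str, str]]:
        """Serve one request for `app`; return the session and any Set-Cookie values."""
        cfid, cftoken = cookies.get("CFID"), cookies.get("CFTOKEN")
        existing = self.sessions.get((app, cfid, cftoken))
        if existing is not None:
            return existing, {}
        if not (self.reuse_client_ids and cfid and cftoken):
            # Hardened policy: never bind a new session to client-chosen identifiers.
            cfid, cftoken = self._fresh_ids()
        sess = Session(app, cfid, cftoken)
        self.sessions[(app, cfid, cftoken)] = sess
        return sess, {"CFID": cfid, "CFTOKEN": cftoken}


class Browser:
    """A single cookie jar shared by every application on the same domain."""

    def __init__(self, cookies: Optional[Dict[str, str]] = None) -> None:
        self.cookies = dict(cookies or {})

    def visit(self, server: Server, app: str) -> Session:
        sess, set_cookie = server.request(app, self.cookies)
        self.cookies.update(set_cookie)
        return sess


def session_fixation_succeeds(reuse_client_ids: bool) -> bool:
    """Attacker plants CFID/CFTOKEN in the victim's browser, victim logs in,
    attacker replays the same pair. True means the attacker got the login."""
    server = Server(reuse_client_ids)
    planted = {"CFID": "1234", "CFTOKEN": "deadbeef"}  # constructed attacker-chosen values
    victim = Browser(planted)
    victim.visit(server, "shop").user = "alice"         # victim authenticates
    attacker = Browser(planted)
    return attacker.visit(server, "shop").user == "alice"


def two_apps_share_login(reuse_client_ids: bool) -> bool:
    """Two applications on one domain, one cookie jar. True means a login in
    appA survives a visit to appB; False reproduces the reported breakage."""
    server = Server(reuse_client_ids)
    browser = Browser()
    browser.visit(server, "appA").user = "alice"
    browser.visit(server, "appB")                       # appB creates its own session
    return browser.visit(server, "appA").user == "alice"


if __name__ == "__main__":
    for reuse in (True, False):
        label = "reuse client ids" if reuse else "mint new ids"
        print(f"{label:16s} fixation works: {session_fixation_succeeds(reuse)}; "
              f"two apps share login: {two_apps_share_login(reuse)}")
```

    Running it shows the trade-off the thread is arguing about: with the old policy the planted identifiers become the victim's authenticated session, and with the new policy they do not, but the second application's fresh Set-Cookie overwrites the shared jar and logs the first application out. Keeping each application's cookies distinct (separate cookie names, paths or hosts) is how the model, and Julian's write-up, avoid the clash while keeping the fixation defence.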

  10. Shannon Hicks

    If you’re getting the "ClassNotFoundException: coldfusion.security.ESAPIUtils" error, it’s because you pulled the same boneheaded move that I did, and tried to apply the CHF to 9.0, when you first need to update to 9.0.1

  11. Andrew Bauer

    @Shannon: I am getting that error, but don’t think it is because we are boneheads. The hotfix does say cumulative… obviously not.
    Thanks for the post, I would have banged my head against that wall for more than necessary 😉

  12. Nolan Dubeau

    I’m getting this same error, and this is the stacktrace:
    Object Instantiation Exception.
    Class not found: coldfusion.security.ESAPIUtils
    The error occurred in C:\work\ColdFusion\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\Application.cfm: line 69
    Called from C:\work\ColdFusion\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\Application.cfm: line 4
    Called from C:\work\ColdFusion\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\Application.cfm: line 1
    Called from C:\work\ColdFusion\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\Application.cfm: line 69
    Called from C:\work\ColdFusion\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\Application.cfm: line 4
    Called from C:\work\ColdFusion\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\Application.cfm: line 1
    -1 : Unable to display error’s location in a CFML template.
    Note, I’m on a Mac and (obviously) I don’t have a C: drive. Does this patch have hard coded values in it for the dev who authored it? WTF?