Title says it all, see the security bulletin.
ColdFusion Security Hotfix Released
12 responses to “ColdFusion Security Hotfix Released”
-
Anybody else getting this error on the cfwindow tag and some cf admin operations after applying this hotfix?
Could not initialize class coldfusion.security.ESAPIUtils -
Warning! As discussed on Ray’s blog, there is a serious problem with this hotfix: You cannot have more than one cfapplication per domain anymore! http://www.coldfusionjedi.com/index.cfm/2011/2/8/Security-Bulletin-for-ColdFusion#comments
-
We’ve reluctantly had to roll back this hotfix as it’s caused too many problems. Details on Shilpi’s blog: http://shilpikm.blogspot.com/2011/02/security-hot-fix-update-for-coldfusion.html#c4538633275255885015
-
It’s a little scary. We tried to upgrade to the first CF9 patch when it rolled out and it didn’t play nicely with SeeFusion and killed all of our datasources. There doesn’t seem to be much testing of the hotfixes or patches. I am afraid to do anything to our CF9 boxes now.
-
Hi Ben,
Just fyi.. I just realized this Hotfix isn’t mentioned on CF’s home page. (www.coldfusion.com)
The previous one (August 10, 2010) is, but the "News" section hasn’t been updated to list the current one (February 8, 2011).
Thanks,
-Aaron Neff -
Hi Ben,
Sry, not sure who best to contact, but here’s another one:
The Cumulative Hotfix 1 (CHF1) for ColdFusion 9.0.1 page (at bottom) says: Products affected ColdFusion 9.0
URL: http://kb2.adobe.com/cps/862/cpsid_86263.html
It should probably say 9.0.1
Thanks,
-Aaron -
I am recieving the "Class not found: coldfusion.security.ESAPIUtils" error as well
-
Yeah we had to roll it back. So now everybody knows about the exploit but we have no way of patching it without breaking something else 🙁
-
Happy to report we’ve identified the problem and the Hotfix is now working for us. In a nutshell: CF will no longer use existing CFID/CFTOKEN cookies when creating new sessions.
I’ve written up the problem and solution at http://cfsimplicity.com/4/coldfusion-security-hotfix-changes-session-behaviour -
If you ‘re getting the "ClassNotFoundException: coldfusion.security.ESAPIUtils" error, it’s because you pulled the same boneheaded move that I did, and tried to apply the CHF to 9.0, when you first need to update to 9.0.1
-
@Shannon: I am getting that error, but don’t think it is because we are boneheads. The hotfix does say cumulative… obviously not.
Thanks for the post, I would have banged my head against that wall for more than necessary 😉 -
I’m getting this same error, and this is the stacktrace:
Object Instantiation Exception.
Class not found: coldfusion.security.ESAPIUtils
The error occurred in C:workColdFusioncf9_u1_final_hotfixcfusionwwwrootCFIDEadministratorApplication.cfm: line 69
Called from C:workColdFusioncf9_u1_final_hotfixcfusionwwwrootCFIDEadministratorApplication.cfm: line 4
Called from C:workColdFusioncf9_u1_final_hotfixcfusionwwwrootCFIDEadministratorApplication.cfm: line 1
Called from C:workColdFusioncf9_u1_final_hotfixcfusionwwwrootCFIDEadministratorApplication.cfm: line 69
Called from C:workColdFusioncf9_u1_final_hotfixcfusionwwwrootCFIDEadministratorApplication.cfm: line 4
Called from C:workColdFusioncf9_u1_final_hotfixcfusionwwwrootCFIDEadministratorApplication.cfm: line 1
-1 : Unable to display error’s location in a CFML template.
Note, I’m on a Mac and (obviously) I don’t have a C: drive. Does this patch have hard coded values in it for the dev who authored it? WTF?
Leave a Reply