ColdFusion Security Hotfix Posted

10 responses to “ColdFusion Security Hotfix Posted”

  1. Josh Avatar

    I really hope that the update process is simplified in CF10. All these security updates are really cumbersome…

  2. Bjorn Avatar

    The joy of installing Coldfusion updates…
    1. Download and Extract All the files are extracted to cf901 directory.
    2. In the ColdFusion Administrator, select System Information page by clicking the "i" icon in the upper-right corner.
    3. In the Update File textbox, browse and select hf901-00002.jar located under CF901/lib/updates directory.
    4. Click Submit Changes.
    5. Stop ColdFusion instance.
    6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory and if hf901-00001.jar exists, delete it. Else, ignore this step.
    7. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
    8. Extract all files in to the web root directory that has {CFIDE-HOME} folder.
    9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
    10. Go to cf901 directory and extract all the files in to {ColdFusion-Home}/wwwroot (for Server installation) or {ColdFusion-Home} (for Multiserver and J2EE installations) directory.
    11. Go to your {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory and make a backup of these files if present commons-fileupload-1.2.jar,, esapi-2.0_rc10.jar,,, flex-messaging-common.jar and flex-messaging-core.jar files.
    12. Go to cf901/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib for Multiserver and J2EE installations) directory.
    13. Start ColdFusion instance.
    14. If there are multiple instances, repeat steps 2 through13 for each of the instances.

  3. Misty Avatar

    Hi, How can I get the details what things and vunrelabilities have been identified and fixed!

  4. Jura Khrapunov Avatar
    Jura Khrapunov

    After applying hotfix according to instructions server started crashing with different Java errors from "java.lang.IllegalStateException" to "java.lang.NoSuchMethodError: coldfusion.runtime.Cast._double(J)D" on dateDiff() function in some scripts… Weird

  5. Marco Avatar

    crashing on my server too.
    at jrun.servlet.JRunRequestDispatcher.invoke(
    at jrun.servlet.ServletEngineService.dispatch(
    at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(
    at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(
    at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(
    at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(

  6. Jorge Asch Avatar
    Jorge Asch

    It’s too bad they don’t test these before getting them out. The server keeps restarting, since Database exceptions crash.. (they are not shown).
    They return error "Could not find the included template udf.cfm" on WEB-INFexceptiondetails.cfm
    Of course, there’s no UDF.CFM on the directory. (UDF.CFM is on CFIDE directory)

  7. Dan Avatar

    I gave up updating CF after the first update killed all the datasources because evidently it didn’t play well with SeeFusion. I never even heard if they fixed that. I was just glad I tried it on a DEV box first.

  8. John Piotrowski Avatar
    John Piotrowski

    I submitted a bug at with the Id of 86949. Vote for it if you are also having a problem.

  9. Joe Clarck Avatar
    Joe Clarck

    After installing the hotfix, I could not get in to the CF Admin. It’s really bad and wasted my time. It says, "Server Error. The server encountered an internal error and was unable to complete your request. Application server is busy. Either there are too many concurrent requests or the server still is starting up.

  10. John Piotrowski Avatar
    John Piotrowski

    So i found my mistake. When applying the hotfix the directions say to remove hf901-00001.jar from the updates folder. I was deleting chf9010001.jar (the cumulative hotfix) by mistake. I restored this file and things seem to running much better now.

Leave a Reply