We’ve just posted a security hotfix for ColdFusion 8.x and 9.x (for Windows, Macintosh and UNIX).
ColdFusion Security Hotfix Posted
10 responses to “ColdFusion Security Hotfix Posted”
-
I really hope that the update process is simplified in CF10. All these security updates are really cumbersome…
-
The joy of installing Coldfusion updates…
1. Download CF901.zip and CFIDE-901.zip. Extract CF901.zip. All the files are extracted to cf901 directory.
2. In the ColdFusion Administrator, select System Information page by clicking the "i" icon in the upper-right corner.
3. In the Update File textbox, browse and select hf901-00002.jar located under CF901/lib/updates directory.
4. Click Submit Changes.
5. Stop ColdFusion instance.
6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory and if hf901-00001.jar exists, delete it. Else, ignore this step.
7. Go to {CFIDE-HOME} and make a backup of CFIDE folder.
8. Extract all files in CFIDE-901.zip to the web root directory that has {CFIDE-HOME} folder.
9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of WEB-INF folder.
10. Go to cf901 directory and extract all the files in WEB-INF.zip to {ColdFusion-Home}/wwwroot (for Server installation) or {ColdFusion-Home} (for Multiserver and J2EE installations) directory.
11. Go to your {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory and make a backup of these files if present commons-fileupload-1.2.jar, ESAPI.properties, esapi-2.0_rc10.jar, log4j.properties, validation.properties, flex-messaging-common.jar and flex-messaging-core.jar files.
12. Go to cf901/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib for Multiserver and J2EE installations) directory.
13. Start ColdFusion instance.
14. If there are multiple instances, repeat steps 2 through13 for each of the instances. -
Hi, How can I get the details what things and vunrelabilities have been identified and fixed!
-
After applying hotfix according to instructions server started crashing with different Java errors from "java.lang.IllegalStateException" to "java.lang.NoSuchMethodError: coldfusion.runtime.Cast._double(J)D" on dateDiff() function in some scripts… Weird
-
crashing on my server too.
java.lang.NullPointerException
at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:285)
at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)
at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)
at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66) -
It’s too bad they don’t test these before getting them out. The server keeps restarting, since Database exceptions crash.. (they are not shown).
They return error "Could not find the included template udf.cfm" on WEB-INFexceptiondetails.cfm
Of course, there’s no UDF.CFM on the directory. (UDF.CFM is on CFIDE directory) -
I gave up updating CF after the first update killed all the datasources because evidently it didn’t play well with SeeFusion. I never even heard if they fixed that. I was just glad I tried it on a DEV box first.
-
I submitted a bug at http://cfbugs.adobe.com with the Id of 86949. Vote for it if you are also having a problem.
-
After installing the hotfix, I could not get in to the CF Admin. It’s really bad and wasted my time. It says, "Server Error. The server encountered an internal error and was unable to complete your request. Application server is busy. Either there are too many concurrent requests or the server still is starting up.
-
So i found my mistake. When applying the hotfix the directions say to remove hf901-00001.jar from the updates folder. I was deleting chf9010001.jar (the cumulative hotfix) by mistake. I restored this file and things seem to running much better now.
Leave a Reply