ColdFusion Security Hotfix Posted

The ColdFusion team has just posted a security hotfix to address a potential cross-site scripting vulnerability in ColdFusion 8.x and 9.x (Windows, Macintosh and Unix).

7 responses to “ColdFusion Security Hotfix Posted”

  1. Julian Halliwell Avatar
    Julian Halliwell

    There seems to be a mistake in the instructions at
    Under Section 1 > CF9.0.1 > Step 5 it tells you to go to your CF installation and "If hf901-00001.jar, hf901-00002.jar or hf901-00003.jar exist, delete them".
    However hf901-00003.jar is the new HotFix file that you will have just added. Presumably only 00001 and 00002 should be deleted?

  2. David L. Avatar
    David L.

    @Julian: No, the latest hotfix jar file is "hfxxx-00004.jar".
    I followed the instructions and deleted "hfxxx-00003.jar" and it seems to work correctly.
    (In my case it was CF 8.0.1, though.)

  3. Julian Halliwell Avatar
    Julian Halliwell

    @David L: the file names are different for different versions of CF. For 9.0.1 the file is hf901-00003.jar.
    The instructions have now been corrected anyway.

  4. Peter Tilbrook Avatar
    Peter Tilbrook

    Destroyed our "server_settings.cfm" page in administrator essentially farking crucial settings. Forced to uninstall it. Not impressed.

  5. Mark Budai Avatar
    Mark Budai

    I just recently applied hotfix 2 and have a file named chf9010002.jar. The instructions say I should delete a file named hf901-00002.jar — should I delete the file I have? I’m guessing so, but want to be sure before applying this hotfix on my client’s production server.

  6. Daniel Elmore Avatar
    Daniel Elmore

    One thing that has never been clear:
    Are all hotfixes cumulative? It seems that security "patches" are much different from "hotfixes". Should security patches only be applied on a case by case basis depending upon your server configuration? Should everyone always install any available security patches?

    Daniel Elmore

  7. Shilpi Khariwal Avatar
    Shilpi Khariwal

    Hi Daniel,
    It is "recommended" that a server is always updated with Security patches as and when there is one available. As once the vulnerability is public the server is vulnerable and can be a victim.
    No not all hot-fixes are cumulative. Security patches are different from "hotfixes".
    Security patches are conditional cumulative of previous security patches for the ColdFusion version. Having said that, "Conditional Cumulative" here means that, it might not contain some of previous security patches like "Blaze DS patch". Another example would be, like the December Security patch, is cumulative Security patch, but it "Does not" contain files from "CFIDE/" or "WEB-INF/" as those files were not affected in this patch. (This is done generally to minimize the number of steps required to install a security patch.)
    Hence some one who has already installed previous Security patches, can only take update from December patch. If not one can take the complete Security hot-fix bundle. But the complete bundle will also not have fixes like "Blaze DS" patches etc.
    Hope this helps.
    Security Czar, ColdFusion Server Team

Leave a Reply