ColdFusion Security Hotfix Released

I just installed security update APSB10-11 my local machine and now whenever I try to access any of my datasources I get this error: "Datasource ExceptionLog could not be found." where ExceptionLog is the datasource name. I am running Windows 7 64 bit with Coldfusion 8.0.1 64bit Developer Edition with Cumulative Hotfix 4, all hot fixes not in CHF4, and all security patches. Removing security update APSB10-11 fixed the problem

I just installed security update APSB10-11 my local machine and now whenever I try to access any of my datasources I get this error: "Datasource ExceptionLog could not be found." where ExceptionLog is the datasource name. I am running Windows 7 64 bit with Coldfusion 8.0.1 64 bit Developer Edition with Cumulative Hotfix 4, all hot fixes not in CHF4, and all security patches. Removing security update APSB10-11 fixed the problem

Looks like there is an issue with CF8.0.1 64-bit with Hotfix 4 applied, where it doesn't like the filename convention of the security update. Only CF8.0.1 64-bit with Hotfix 4 is impacted, so if you're using that version don't apply the update yet. --- Ben

Looks like the engineering team has figure out the issue. Details on their way ... --- Ben

I have received the same issue, after removing the hotfix the issue was resolved, I re-applied the hotfix and received the same error. On with Adobe now to create a support incident.

Thanks, Alison ... having the same trouble here. Luckily installed it first on my dev machine and not one of the servers. 8.0.1 on Windows XP, 32-bit, but same issue on every datasource. The DSNs validate fine in CF Admin, but apps can't find them.

Someone at Adobe is looking into this now. Will keep you all posted on the results.

We just tried applying the 8.01 HF on 2 different dev machines and after restarting CF could no longer connect to any datasources using <cfquery>. MySQL connections gave the error message "Datasource X could not be found", for SQL Server it was "coldfusion.sql.Executive.getDatasource1(Ljava/lang/String;)Ljavax/sql/DataSource;" Verifying the datasources in the CF Administrator worked ok, though.

Same issue on 64 bit Linux. Rolled back and all good. Will stay tuned for an update.

Yes, and I can confirm the same on my development box, still running XP, 32-bit.

When I applied the hotfix, it didn't break anything, but in the system information, the update level is still showing the previous one that was installed.

I'll pass that long, stay tuned ... --- Ben

Ben, our 2 dev machines are 32-bit Windows 7. Definitely not 64 bit only.

Can somone confirm if this security patch applies to 7.0.2? I contacted adobe phone support and they forward me to forums.adobe.com and stated there is no phone support for server products.

@Jason, I had already tried that option and I get the same error.

@Becky, you don't have to reinstall CF8! Just go into C:ColdFusion8libupdates and remove the file 'shf8010001.jar'. Then stop / start the CF Application Service and you should be back to your previous update.

I have tried the latest hotfix update and I still get the following error. unexpected constant #353 96 I can't even get the Administrator login page. I have tried to roll back and then I get this error unexpected constant #55 0 Anyone have any ideas about what may be going on here? I would really hate to have to re-install CF 8, to bad we don't have CF9 bought yet I would just install it!

Chris, I agree completely! This was a screw-up, and the team is going to have to figure out how the heck it happened, and how to ensure that it does not happen again. --- Ben

Ahem, rather disappointing Adobe released a security hotfix without having tested it on their own most recent cumulative hotfix. I expect more rigorous QA.

Given the problems with the fix, I want to wait a bit. The second and third vulnerability do not seem that critical, at least for my installations, how serious is the first one? Realistically.

Issue resolved - it was isolated to CF8.0.1 with hotfix 4 (32 and 64 bit). Please review the updated technote http://kb2.adobe.com/cps/841/cpsid_84102.html

Issue resolved - it was isolated to CF8.0.1 with hotfix 4 (32 and 64 bit). Please review the updated technote http://kb2.adobe.com/cps/841/cpsid_84102.html

The reported update level never changing is a known issue, check the update file is listed in the set of jar's as the only real way to know.

Just wanted to chime in that our Win2003 Server which is 32-bit is also experiencing this epic failure as well... CFMX 8.0.1 Rollup-4 running on 32bit windows and Java 1.6.0_20.

@Carlton, Unfortunately the patch only applies to CF 8.0, 8.0.1 and 9. ColdFusion 7 has now reached end of core support: http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#63 Also, Tom is correct, there is Bronze (Single Incide

I too had to roll back this morning. Most things worked, but I discovered today that our install of the CommonSpot demo site (version 6.0) was broken. Line 51 of database.cfm was failing: dsn = dsservice.getDataSource(arguments.dsname);

Even the updated patch is still causing issues for me: CF9 Enterprise on Windows Server 2008 64-bit. Most things work, but the transfer framework will not initiate. It bombs when coldspring tries to create the transferFactory: Bean creation exception during init() of transfer.TransferFactory : <br>The error occurred on line 817. Aargh! Had to remove the jar file to have my site running smoothly again.

"no phone support for server products" is a lie, I've had several myself with Adobe support over ColdFusion. Try again, it's 'well known' to be hard to explain you are not calling about a desktop system :-)

This technote and the attachments have been updated on 05/21/2010 "Vulnerability CVE-2010-1294, included in this security fix, now prevents unauthorized access to datasources via the Service Factory. This may have caused issues with certain frameworks/applications that were accessing datasources without proper authentication. The fix has been updated to correct these issues by allowing unauthenticated access to only the datasource connection. Details of the datasource are only allowed with authenticated access."

@Ben, any follow up to this patch? Sounds like a good one to implement, but not with the datasource issues that many of us hit. I know the tech team was working on it, but wondering if you've got a progress report.