ColdFusion Security hot fix APSB13-13

Issue

ColdFusion 10, ColdFusion 9.0.2, ColdFusion 9.0.1, and ColdFusion 9.0 are affected by the vulnerabilities described in security bulletin APSB13-13. This article provides fixes for the security issues mentioned in the bulletin, along with installation instructions.

Solution

Notes

  1. Adobe strongly recommends blocking external access to the ColdFusion Administrator (/CFIDE/administrator) and Admin API (/CFIDE/adminapi). See the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide for more details.
  2. See the important hot fix-related notes published with previous security hot fixes here.

ColdFusion 10

In ColdFusion 10, use the hot fix installer to apply this update (ColdFusion 10 Update 10). ColdFusion 10 Update 10 is a cumulative update; that is, it includes all the bug fixes from the previous ColdFusion 10 updates.

Important note:

If you have not applied the ColdFusion 10 Mandatory Update, apply it before applying this update. This step is not required if the ColdFusion 10 build number is greater than 282462.

ColdFusion 9

If you have applied the previous security hot fix APSB13-10, see Section 1. If you have not applied the previous security hot fix APSB13-10, see Section 2.

Follow the instructions that apply to your version of ColdFusion. Do not apply these fixes to any beta or prerelease version of ColdFusion.

Definition for ColdFusion-Home:

For each deployment option, {ColdFusion-Home} refers to the following location:

  • For Server installation: {ColdFusion-Home}
  • For Multiserver installation: {JRun-Home}/servers/{YourServer}/cfusion-ear/cfusion-war/
  • For J2EE installation: {cfusion-ear-Home}/cfusion-war/

Note

  1. Hot fix files contain some of the previous security hot fixes.
  2. In ColdFusion 9.0.x, do not remove any jar files that begin with chf from {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory.
  3. CFIDE-902.zip, CFIDE-901.zip, CFIDE-9.zip, and WEB-INF.zip included in the hot fixes contain only part of the CFIDE and WEB-INF files. Do not rename the existing CFIDE and WEB-INF directories.
  4. Bugs 3544895 and 3540876 reported in the previous security hot fix (APSB13-10) for ColdFusion 9.0.1 have been fixed in this hot fix.

Section 1

Use the following instructions if you have previously applied security hot fix APSB13-10.

ColdFusion 9.0.2

  1. Download CF902.zip and CFIDE-902.zip. Extract both zip files.
  2. In ColdFusion Administrator, select System Information page by clicking the icon "i" in the upper-right corner.
  3. In the "Update File" text box, browse and select hf902-00005.jar located under CF902/lib/updates.
  4. Click Submit Changes.
  5. Stop the ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf902-00001.jar, hf902-00002.jar, hf902-00003.jar, or hf902-00004.jar exist, move them to a backup location. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and take a backup of CFIDE folder.
  8. Extract all the files in CFIDE-902.zip to merge in the web root directory that has {CFIDE-HOME} folder.
  9. Start the ColdFusion Instance.
  10. If there are multiple instances, repeat steps 2 through 9 for each instance.

ColdFusion 9.0.1

  1. Download CF901.zip and CFIDE-901.zip. Extract both zip files.
  2. In ColdFusion Administrator, select System Information page by clicking the icon "i" in the upper-right corner.
  3. In the "Update File" text box, browse and select hf901-00010.jar located under CF901/lib/updates.
  4. Click Submit Changes.
  5. Stop the ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf901-00001.jar, hf901-00002.jar, hf901-00003.jar, hf901-00004.jar, hf901-00005.jar, hf901-00006.jar, hf901-00007.jar, hf901-00008.jar, hf901-00009.jar exist, move them to a backup location. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and take a backup of CFIDE folder.
  8. Extract all the files in CFIDE-901.zip to merge in the web root directory that has {CFIDE-HOME} folder.
  9. Start the ColdFusion Instance.
  10. If there are multiple instances, repeat steps 2 through 9 for each instance.

ColdFusion 9.0

  1. Download CF9.zip and CFIDE-9.zip. Extract both zip files.
  2. In ColdFusion Administrator, select System Information page by clicking the icon "i" in the upper-right corner.
  3. In the "Update File" text box, browse and select hf900-00011.jar located under CF9/lib/updates.
  4. Click Submit Changes.
  5. Stop the ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf900-00001.jar, hf900-00002.jar, hf900-00003.jar, hf900-00004.jar, hf900-00005.jar, hf900-00006.jar, hf900-00007.jar, hf900-00008.jar, hf900-00009.jar, or hf900-00010.jar exist, move them to a backup location. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and take a backup of CFIDE folder.
  8. Extract all the files in CFIDE-9.zip to merge in the web root directory that has {CFIDE-HOME} folder.
  9. Start the ColdFusion Instance.
  10. If there are multiple instances, repeat steps 2 through 9 for each instance.

Section 2

Use these instructions if you have not applied security hot fix APSB13-10.

ColdFusion 9.0.2

  1. Download CF902.zip and CFIDE-902.zip. Extract both zip files.
  2. In ColdFusion Administrator, select System Information page by clicking the icon "i" in the upper-right corner.
  3. In the "Update File" text box, browse and select hf902-00005.jar located under CF902/lib/updates.
  4. Click Submit Changes.
  5. Stop the ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf902-00001.jar, hf902-00002.jar, hf902-00003.jar, or hf902-00004.jar exist, move them to a backup location. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and take a backup of CFIDE directory.
  8. Extract all the files in CFIDE-902.zip to merge in the web root directory that has {CFIDE-HOME} directory.
  9. Start the ColdFusion Instance.
  10. If there are multiple instances, repeat steps 2 through 9 for each instance.

ColdFusion 9.0.1

  1. Download CF901.zip and CFIDE-901.zip. Extract both zip files.
  2. In ColdFusion Administrator, select System Information page by clicking the icon "i" in the upper-right corner.
  3. In the "Update File" text box, browse and select hf901-00010.jar located under CF901/lib/updates.
  4. Click Submit Changes.
  5. Stop the ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf901-00001.jar, hf901-00002.jar, hf901-00003.jar, hf901-00004.jar, hf901-00005.jar, hf901-00006.jar, hf901-00007.jar, hf901-00008.jar, or hf901-00009.jar exist, move them to a backup location. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and take a backup of CFIDE directory.
  8. Extract all the files in CFIDE-901.zip to merge in the web root directory that has {CFIDE-HOME} directory.
  9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and take a backup of WEB-INF directory.
  10. Go to CF901 directory. Extract all the files in WEB-INF.zip to merge in {ColdFusion-Home}/wwwroot (for Server installation) and {ColdFusion-Home} (for MultiServer and J2EE installations) directory.
  11. Go to {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE installations). Back up the following files, if they exist: log4j.properties, validation.properties, ESAPI.properties, flex-messaging-common.jar, flex-messaging-core.jar, commons-fileupload-1.2.jar, esapi-2.0_rc10.jar.
  12. Go to CF901/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server installation) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE installations).
  13. Start the ColdFusion Instance.
  14. If there are multiple instances, repeat steps 2 through 13 for each instance.

ColdFusion 9.0

  1. Download CF9.zip and CFIDE-9.zip. Extract both zip files.
  2. In ColdFusion Administrator, select System Information page by clicking the icon "i" in the upper-right corner.
  3. In the "Update File" text box, browse and select hf900-00011.jar located under CF9/lib/updates.
  4. Click Submit Changes.
  5. Stop the ColdFusion instance.
  6. Go to {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf900-00001.jar, hf900-00002.jar, hf900-00003.jar, hf900-00004.jar, hf900-00005.jar, hf900-00006.jar, hf900-00007.jar, hf900-00008.jar, hf900-00009.jar, hf900-00010.jar exist, move them to a backup location. Otherwise, ignore this step.
  7. Go to {CFIDE-HOME} and take a backup of CFIDE directory.
  8. Extract all the files in CFIDE-9.zip to merge in the web root directory that has {CFIDE-HOME} directory.
  9. Go to {ColdFusion-Home}/wwwroot/WEB-INF directory and take a backup of WEB-INF directory.
  10. Go to CF9 directory. Extract all the files in WEB-INF.zip to merge in {ColdFusion-Home}/wwwroot (for Server installation) and {ColdFusion-Home} (for MultiServer and J2EE installations) directory.
  11. Go to {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE installations). Back up the following files, if they exist: log4j.properties, validation.properties, ESAPI.properties, flex-messaging-common.jar, flex-messaging-core.jar, commons-fileupload-1.2.jar, esapi-2.0_rc10.jar.
  12. Go to CF9/lib directory and copy all the files to {ColdFusion-Home}/lib (for Server installation) and {ColdFusion-Home}/WEB-INF/cfusion/lib (for MultiServer and J2EE installations).
  13. Start the ColdFusion Instance.
  14. If there are multiple instances, repeat steps 2 through 13 for each instance.
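
To check an instance's lib/updates directory after step 6 of either section, here is an added POSIX shell script (not part of Adobe's instructions) that reports whether the hot fix jar named above for each ColdFusion 9 version is present and which older hf jars still need to be moved to a backup location. The version-to-jar mapping and the rule to leave chf jars untouched come from this page; the sample directory the script builds at the end is constructed for demonstration.

```shell
#!/bin/sh
# Audit a ColdFusion 9.0.x lib/updates directory after the APSB13-13 hot fix:
# confirm the hot fix jar named on this page is present and list older
# hfNNN-NNNNN.jar files to move to a backup location (step 6). Jars whose
# names begin with "chf" are never reported (Note 2: do not remove them).
# Hot fix jar this page names for each ColdFusion 9 version.
expected_hotfix_jar() {
  case "$1" in
    9.0.2) echo hf902-00005.jar ;;
    9.0.1) echo hf901-00010.jar ;;
    9.0)   echo hf900-00011.jar ;;
    *)     echo "unknown ColdFusion version: $1" >&2; return 1 ;;
  esac
}
# Serial of an hfNNN-NNNNN.jar name with zero padding stripped, so "00008"
# compares as decimal 8 rather than being parsed as octal.
serial_of() {
  s=${1#*-}; s=${s%.jar}
  s=$(printf '%s' "$s" | sed 's/^0*//')
  echo "${s:-0}"
}

# Succeeds if the expected hot fix jar for version $1 exists in directory $2.
hotfix_applied() {
  jar=$(expected_hotfix_jar "$1") || return 1
  [ -f "$2/$jar" ]
}

# Prints, one per line, the hf jars in directory $2 with a lower serial than
# the expected jar for version $1: the files to move out of lib/updates.
superseded_jars() {
  expected=$(expected_hotfix_jar "$1") || return 1
  prefix=${expected%%-*}                 # e.g. hf902
  want=$(serial_of "$expected")          # e.g. 5
  for f in "$2/$prefix"-*.jar; do        # chf*.jar never matches this glob
    [ -f "$f" ] || continue              # glob matched nothing
    name=$(basename "$f")
    [ "$(serial_of "$name")" -lt "$want" ] && echo "$name"
  done
  return 0
}

# Constructed sample: a 9.0.2 updates directory with two stale hot fix jars
# and a chf jar (constructed name) that must stay in place.
SAMPLE=$(mktemp -d)
for j in hf902-00001.jar hf902-00003.jar hf902-00005.jar chf9020001.jar; do
  : > "$SAMPLE/$j"; done
hotfix_applied 9.0.2 "$SAMPLE" && echo "hf902-00005.jar present"
echo "move to backup:"; superseded_jars 9.0.2 "$SAMPLE"; rm -rf "$SAMPLE"
```

Run it against the real directory by calling `superseded_jars 9.0.1 /path/to/lib/updates` (or the version you run) after sourcing the functions; it only lists files and moves nothing.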

ColdFusion integrated or installed with LCDS

Follow the instructions in security bulletin APSB11-15 to apply the fix.

Upgrading after installing the hot fix

If you installed the hot fix for ColdFusion 9 and then upgraded to ColdFusion 9.0.1, apply the security hot fix for the upgraded version as well.

Note:

For previous ColdFusion security hot fixes, see the Security bulletins and advisories page.

Revision:

May 15, 2013: Added note #4 to the ColdFusion 9 section.

July 25, 2013: Bug #3574419, reported against this security hot fix, has been addressed. The issue affects only the Enterprise Manager functionality in the ColdFusion Administrator, and only ColdFusion 9 and ColdFusion 9.0.1 are affected by it. For more details, refer to bug 3574419.

To apply the fix for this issue, download the zip file that matches your version of ColdFusion.

  1. Download CFIDE-9.zip (for ColdFusion 9.0) or CFIDE-901.zip (for ColdFusion 9.0.1).
  2. Go to {CFIDE-HOME} and take a backup of the CFIDE directory.
  3. Extract all the files in the zip to merge into the web root directory that contains the {CFIDE-HOME} directory.
  4. If there are multiple instances, repeat steps 2 and 3 for each instance.
