Tuesday, December 11, 2012

Security HotFix for ColdFusion 9 and above - December 2012

A priority 2 update addressing an important vulnerability in ColdFusion 9 and above was released today. Adobe recommends updating your ColdFusion servers. Here is the link to the security bulletin.

This hotfix resolves a vulnerability that could result in a sandbox permissions violation in a shared hosting environment (CVE-2012-5676). As a result of this fix, the named application scope will no longer be available in the servlet context. This might affect applications that use JSP interoperability.

In case you want to revert to the old behavior, you can add the JVM flag -Dcoldfusion.allowappdatainservletcontext=true
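To check which instances on a shared host have the flag above set, here is an added example (not from the original post or from Adobe) that scans jvm.config text for it. It assumes JVM arguments sit on a single java.args= line, that a later -D definition overrides an earlier one, and that only the value "true" (any case) re-enables the old behavior; the instance labels and file contents are constructed samples.

```python
FLAG = "coldfusion.allowappdatainservletcontext"  # property name from the post


def legacy_scope_enabled(jvm_config_text):
    """Return True if java.args re-enables the pre-hotfix behavior,
    False if the flag is present with another value, None if absent."""
    state = None
    for raw in jvm_config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out copies of java.args do not count
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "java.args":
            continue
        for token in value.split():
            if not token.startswith("-D"):
                continue
            name, _, val = token[2:].partition("=")
            if name == FLAG:
                # Assumption: the last definition on the line wins.
                state = val.strip('"').lower() == "true"
    return state


def audit(configs):
    """configs maps an instance label to its jvm.config text.
    Returns the sorted labels where the old behavior is switched back on."""
    return sorted(k for k, text in configs.items() if legacy_scope_enabled(text))


# Constructed sample input (hypothetical instance names and settings).
SAMPLE = {
    "shared-01": "java.home=/opt/jre\n"
                 "java.args=-server -Xmx512m -D" + FLAG + "=true\n",
    "shared-02": "# java.args=-server -D" + FLAG + "=true\n"
                 "java.args=-server -Xmx512m\n",
    "shared-03": "java.args=-server -D" + FLAG + "=true -D" + FLAG + "=false\n",
}

if __name__ == "__main__":
    for label in audit(SAMPLE):
        print(label + ": named application scope is exposed in the servlet context")
```

In practice, read each instance's jvm.config from disk and pass the text in place of SAMPLE.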

For ColdFusion 10, use the updater to get this update. This is Update 6, and it contains the previous updates for ColdFusion 10.
The details can be found in the tech note here.