Tuesday, December 11, 2012

Security HotFix for ColdFusion 9 and above - December 2012

A priority 2 update addressing an important vulnerability in ColdFusion 9 and above is released today. Adobe recommends updating affected ColdFusion servers. Here is the link to the security bulletin.

This hot fix resolves a vulnerability which could result in a sandbox permissions violation in a shared hosting environment (CVE-2012-5676). As a result of this fix, the named application scope will no longer be available in the servlet context. This might affect applications that rely on JSP interoperability.

In case you want to revert to the old behavior, you can add the JVM flag -Dcoldfusion.allowappdatainservletcontext=true

For ColdFusion 10, use the updater to get this update. It is Update 6 and contains all previous updates for ColdFusion 10.
The details can be found in the tech note here.

6 comments:

  1. Hello Shilpi

    I've just tried to apply this hotfix to my CF9.0.1 installation on Windows 7/Java6U37 with the previous APSB12-21 HF already applied and when I restarted CF and tried to run an application I get the following error:

    "Could not access a java object field called allowAppDataInServContext."

    Is this expected?

    Thanks.

  2. Hi Julian,

    Can you please confirm if old hf jars are deleted?

    Regards,
    Shilpi

  3. Hi Shilpi

    I followed these instructions on the Technote page:

    "1) Download CF901.zip and extract hf901-00007.jar file.
    2) In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper-right corner.
    3) In the update file text box, browse and select hf901-00007.jar and click Submit Changes.
    4) Restart the ColdFusion instance.
    5) If there are multiple instances, repeat steps 2 through 4 for each instance."

    It doesn't say anything about deleting old HF files so yes the previous hf901-00006.jar was still there.

    I've deleted it now and everything works fine.

    Could you include that step in the instructions?

    Many thanks for your help.

    Julian

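Two practical checks follow from the post and from the comment thread above: whether the CVE-2012-5676 fix has been switched off again with the documented JVM flag, and whether an older hf901 hotfix jar was left alongside the new one (the situation Julian describes, which produced the "Could not access a java object field called allowAppDataInServContext" error). The script below is an added example, not code from Adobe or from this blog; it assumes the flag would appear on the java.args line of ColdFusion's jvm.config, and the jvm.config text and jar listing it runs on are constructed samples, not taken from a real server.

```python
"""Hygiene checks for the December 2012 ColdFusion 9 hotfix (CVE-2012-5676).

Added example, not code from Adobe or the blog post. It checks:
  1. whether the fix has been reverted with the documented JVM flag
     -Dcoldfusion.allowappdatainservletcontext=true, and
  2. whether more than one hf901-*.jar hotfix jar is present, which the
     comment thread reports as the cause of the
     "Could not access a java object field called allowAppDataInServContext"
     error after applying the update.
The jvm.config content and jar listing below are constructed samples.
"""
import re
from typing import Iterable, List

REVERT_FLAG = "-Dcoldfusion.allowappdatainservletcontext"
HOTFIX_JAR = re.compile(r"^hf901-(\d+)\.jar$", re.IGNORECASE)


def parse_jvm_args(jvm_config_text: str) -> List[str]:
    """Return the tokens of the java.args= line of a jvm.config file.

    Assumption: jvm.config is a properties-style file whose java.args line
    holds the JVM flags ColdFusion is started with; '#' lines are comments.
    """
    for line in jvm_config_text.splitlines():
        line = line.strip()
        if line.startswith("#") or not line.startswith("java.args="):
            continue
        return line[len("java.args="):].split()
    return []


def fix_reverted(jvm_args: Iterable[str]) -> bool:
    """True if the sandbox fix is disabled via the revert flag.

    Only an explicit 'true' value reverts the fix; the flag being absent,
    or set to anything else, keeps the fixed behaviour.
    """
    for arg in jvm_args:
        name, _, value = arg.partition("=")
        if name.lower() == REVERT_FLAG.lower() and value.strip().lower() == "true":
            return True
    return False


def stale_hotfix_jars(jar_names: Iterable[str]) -> List[str]:
    """Return every hf901 hotfix jar except the highest-numbered one.

    A leftover older jar alongside the new cumulative jar is what the
    comment thread identifies as breaking the server after the update.
    """
    found = []
    for name in jar_names:
        m = HOTFIX_JAR.match(name)
        if m:
            found.append((int(m.group(1)), name))
    if len(found) < 2:
        return []
    found.sort()
    return [name for _, name in found[:-1]]


# Constructed sample inputs (not taken from a real server).
SAMPLE_JVM_CONFIG = """\
# constructed jvm.config sample
java.home=C:/ColdFusion9/runtime/jre
java.args=-server -Xmx512m -Dcoldfusion.allowappdatainservletcontext=true -Dcoldfusion.rootDir={application.home}/
"""
SAMPLE_HOTFIX_DIR = ["hf901-00006.jar", "hf901-00007.jar", "readme.txt"]


def report(jvm_config_text: str = SAMPLE_JVM_CONFIG,
           jar_names: Iterable[str] = SAMPLE_HOTFIX_DIR) -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if fix_reverted(parse_jvm_args(jvm_config_text)):
        findings.append("CVE-2012-5676 fix reverted: remove "
                        f"{REVERT_FLAG}=true from java.args unless JSP "
                        "interoperability genuinely requires it")
    for jar in stale_hotfix_jars(jar_names):
        findings.append(f"stale hotfix jar present: delete {jar}")
    return findings


if __name__ == "__main__":
    for finding in report():
        print("FINDING:", finding)
```

Run against the constructed sample it reports both findings; point report() at the real jvm.config text and the listing of the directory the hotfix jar was uploaded to for an actual server. The revert flag is only matched when its value is literally "true", so merely mentioning the property with another value is not flagged.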
  4. Hi Julian,

    Sure, I will get it checked and updated.

    Regards,
    Shilpi

  5. After applying CF hot fix 4 for CF9.0.1 we are not able to open the CF admin site or any CF sites.

  6. Hi,

    Are you still getting this error?

    Shilpi
