A priority 2 update addressing an important vulnerability in ColdFusion 9 and above has been released today. Adobe recommends updating ColdFusion servers. Here is the link to the security bulletin.
This hotfix resolves a vulnerability that could result in a sandbox permissions violation in a shared hosting environment (CVE-2012-5676). As a result of this fix, the named application scope will no longer be available in the servlet context. This might affect applications that use JSP interoperability.
If you want to revert to the old behavior, you can add the JVM flag -Dcoldfusion.allowappdatainservletcontext=true
For ColdFusion 10, use the updater to get this update. This is update 6, and it contains the previous updates for ColdFusion 10.
The details can be found in the tech note here.
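An added example (not Adobe's code and not part of the original post): a Python check an administrator could run to see whether the JVM arguments re-enable the old behavior through the flag above, and whether an older hotfix jar still sits beside a newer one, the situation reported in the comments below. The sample jvm.config text and file listing are constructed; the java.args line layout, the # comment handling, the case-insensitive comparison of the value, and the hfVVV-NNNNN.jar naming pattern (generalized from the file names on this page) are assumptions.

```python
import re

# Property name exactly as written in the post (Java property names are case-sensitive).
REVERT_PROP = "coldfusion.allowappdatainservletcontext"
_PROP_RE = re.compile(r"-D" + re.escape(REVERT_PROP) + r"(?:=(\S*))?(?=\s|$)")
# Assumed naming pattern, generalized from hf901-00006.jar / hf901-00007.jar.
_HF_RE = re.compile(r"^hf(\d+)-(\d+)\.jar$", re.IGNORECASE)


def revert_flag_enabled(jvm_config_text):
    """Return True if the JVM arguments re-enable the pre-fix behavior.

    Lines starting with '#' are treated as comments and skipped (assumption).
    If the property appears more than once, the last occurrence wins, as it
    does on a JVM command line. The value is compared to "true"
    case-insensitively (assumption).
    """
    value = None
    for line in jvm_config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for m in _PROP_RE.finditer(line):
            value = (m.group(1) or "").strip("\"'")
    return value is not None and value.lower() == "true"


def stale_hotfix_jars(filenames):
    """Return older hotfix jars that sit beside a newer one for the same version."""
    by_version = {}
    for name in filenames:
        m = _HF_RE.match(name)
        if m:
            by_version.setdefault(m.group(1), []).append((int(m.group(2)), name))
    stale = []
    for jars in by_version.values():
        stale.extend(name for _, name in sorted(jars)[:-1])
    return sorted(stale)


# Constructed sample input, not taken from a real server.
SAMPLE_JVM_CONFIG = (
    "# java.args=-server -Dcoldfusion.allowappdatainservletcontext=false\n"
    "java.args=-server -Xmx512m -Dcoldfusion.allowappdatainservletcontext=true\n"
)
SAMPLE_JARS = ["hf901-00006.jar", "hf901-00007.jar", "readme.txt"]

if __name__ == "__main__":
    print("fix reverted by JVM flag:", revert_flag_enabled(SAMPLE_JVM_CONFIG))
    print("stale hotfix jars:", stale_hotfix_jars(SAMPLE_JARS))
```

Feed the functions the text of the instance's JVM configuration file and a listing of the directory that holds the hotfix jars; repeat per instance.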
Hello Shilpi
I've just tried to apply this hotfix to my CF9.0.1 installation on Windows 7/Java6U37 with the previous APSB12-21 HF already applied and when I restarted CF and tried to run an application I get the following error:
"Could not access a java object field called allowAppDataInServContext."
Is this expected?
Thanks.
Hi Julian,
Can you please confirm if old hf jars are deleted?
Regards,
Shilpi
Hi Shilpi
I followed these instructions on the Technote page:
"1) Download CF901.zip and extract hf901-00007.jar file.
2) In ColdFusion administrator, select System Information page by clicking the icon "i" in the upper-right corner.
3) In the update file text box, browse and select hf901-00007.jar and click Submit Changes.
4) Restart the ColdFusion instance.
5) If there are multiple instances, repeat steps 2 through 4 for each instance."
It doesn't say anything about deleting old HF files so yes the previous hf901-00006.jar was still there.
I've deleted it now and everything works fine.
Could you include that step in the instructions?
Many thanks for your help.
Julian
Hi Julian,
Sure, I will get it checked and updated.
Regards,
Shilpi
After applying CF hot fix 4 for CF9.0.1 we are not able to open CF admin site or any CF sites.
Hi,
Are you still getting this error?
Shilpi