Guide to applying ColdFusion hotfixes for vulnerability APSB09-12

This guide is made public to help ColdFusion administrators apply the ColdFusion and JRun hotfixes released by Adobe in the security update for vulnerability APSB09-12. Its purpose is to reduce the time required to update a ColdFusion server and to provide a checklist that can be referred to during the updating process. All information compiled for this guide has been sourced from Adobe security bulletins. We provide it in the hope that it will be a useful resource, but provide no warranty and accept no liability for its use.

Details on the vulnerabilities fixed by these updates and direct links to the Adobe ColdFusion hotfixes and updates for these vulnerabilities are available here.

Download update files from Adobe for your ColdFusion version to your server:

ColdFusion 7.0.2:
CFIDE7.0.2.zip
CF7.0.2.zip
hf702-1875.jar
hf702-1878.jar
wsconfig.jar
ColdFusion 8:
CFIDE8.zip
CF8.zip
hf800-1875.jar
hf800-1878.jar
wsconfig.jar
ColdFusion 8.0.1:
CFIDE8.0.1.zip
CF8.0.1.zip
hf801-1875.jar
hf801-1878.jar
wsconfig.jar

JRun 4.0:
jmc-app.ear

Adobe installation instruction text files (compiled below into 5 steps):

  1. CVE-2009-1872 and CVE-2009-1877
  2. CVE-2009-1873 and CVE-2009-1874
  3. CVE-2009-1875
  4. CVE-2009-1876
  5. CVE-2009-1878

Apply ColdFusion and JRun updates (using Adobe instruction files):

1. ColdFusion updates (CVE-2009-1872 and CVE-2009-1877): this update for ColdFusion resolves a cross-site scripting vulnerability that could potentially lead to code execution. Steps to deploy this hotfix:

  1. Download the CFIDE-<cfversion>.zip.
  2. Stop the ColdFusion server.
  3. Take a backup of cf_debugFr.cfm in <cfwebroot>\CFIDE\debug\ and _logintowizard.cfm in <cfwebroot>\CFIDE\wizards\common.
  4. From the downloaded CFIDE copy cf_debugFr.cfm to <cfwebroot>\CFIDE\debug\ and _logintowizard.cfm to <cfwebroot>\CFIDE\wizards\common.
  5. Start the ColdFusion server.

2. JRun update (CVE-2009-1873 and CVE-2009-1874): this update for JRun resolves a management console directory traversal vulnerability that could potentially lead to information disclosure, and multiple management console cross-site scripting vulnerabilities that could potentially lead to code execution. Steps to deploy this hotfix:

Note: Applicable only for ColdFusion multiserver installations.
  1. Stop the JRun admin server.
  2. Take a back up of the jmc-app.ear in JRun4\servers\admin.
  3. Copy the jmc-app.ear in to JRun4\servers\admin.
  4. Start the admin server.

3. ColdFusion (CVE-2009-1875) includes an update that resolves multiple cross-site scripting vulnerabilities that could potentially lead to code execution. Steps to apply this hotfix:

  1. Download the hot fix CF<cfversion>.zip and unzip it.
  2. Open the ColdFusion Administrator and apply the provided hf<cfversion>-1875.jar hot fix using the System Information page.
  3. Take a backup of Application.cfm and index.cfm in <cfwebroot>\CFIDE\administrator.
  4. Copy the Application.cfm and index.cfm to <cfwebroot>\CFIDE\administrator from CF<cfversion>\CFIDE\administrator.
  5. Restart ColdFusion.

4. ColdFusion (CVE-2009-1876) includes an update for ColdFusion that resolves a double-encoded null character vulnerability that could potentially lead to information disclosure. Steps to apply this hotfix (Apache only):

Note: Required only for servers running the Apache web server. Several users are reporting issues deploying this update, so if you are deploying it, make sure you keep a backup of your existing "wsconfig.jar" file that you can restore if needed.
  1. Back up the existing {cf_root}\runtime\lib\wsconfig.jar to wsconfig.jar.bu.
  2. Download the hot fix (wsconfig.jar - 2.9 MB).
  3. Stop all ColdFusion servers and the Apache web server.
  4. Copy the downloaded wsconfig.jar to {cf_root}\runtime\lib.
  5. Navigate to the {cf_root}\runtime\lib directory and run the connector upgrade:
     cd {cf_root}\runtime\lib
     java -Dtrace.ci=1 -jar wsconfig.jar -upgrade -v
  6. Make sure the upgrade completed successfully.
  7. Inspect {cf_root}\runtime\lib\wsconfig\wsconfig.log for errors.
  8. Run java -jar wsconfig.jar -info. The command should return "Macromedia JRun 4.0 (Build 108785)".
  9. Start the ColdFusion servers and the Apache web server.

5. ColdFusion (CVE-2009-1878) includes an update for ColdFusion that resolves a session fixation vulnerability that could potentially lead to privilege escalation. Steps to apply this hotfix:

Note: Not required if you have already deployed 1875. The hf<cfversion>-1878.jar is the same as the one provided in hotfix 1875, so if you apply this after update 1875 the update level will remain at <cfroot>lib/updates/hf<cfversion>-1875.jar. Confirmed by Asha from Adobe in the comments here.
  1. Download the hot fix hf<cfversion>-1878.jar.
  2. Open the ColdFusion Administrator and apply the provided hot fix using the System Information page.
  3. Restart ColdFusion.
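Step 4 is the one the note above warns about, so here is an added example (not part of the original guide or of Adobe's instructions) that wraps the wsconfig.jar connector upgrade in a backup, a check of the -info build string and the log, and an automatic rollback to wsconfig.jar.bu if either check fails. It assumes a POSIX shell, that CF_ROOT, JAVA and NEW_JAR are set for your install (the defaults are placeholders), and that wsconfig.log reports failures as lines beginning with "Error", as in the console output quoted in the comments below.

```shell
#!/bin/sh
# Added example: guarded version of step 4 (CVE-2009-1876 connector upgrade).
# Not Adobe's code. Paths below are placeholders; override via the environment.
set -u

CF_ROOT="${CF_ROOT:-/opt/coldfusion}"          # assumed ColdFusion root
JAVA="${JAVA:-java}"                           # assumed java binary
NEW_JAR="${NEW_JAR:-/tmp/wsconfig.jar}"        # downloaded hotfix wsconfig.jar
LIB="$CF_ROOT/runtime/lib"
EXPECTED_BUILD="Macromedia JRun 4.0 (Build 108785)"   # from step 4.8 of the guide

# info_ok <output of "java -jar wsconfig.jar -info">: succeeds only when the
# output carries the build string the guide says a successful upgrade reports.
info_ok() {
    printf '%s\n' "$1" | grep -Fq "$EXPECTED_BUILD"
}

# log_clean <wsconfig.log>: succeeds when the log exists and contains no line
# starting with "Error" (assumed error format, as in the quoted console output).
log_clean() {
    [ -f "$1" ] || return 1
    ! grep -iq '^Error' "$1"
}

backup_jar()  { cp -p "$LIB/wsconfig.jar" "$LIB/wsconfig.jar.bu"; }   # step 4.1
restore_jar() { cp -p "$LIB/wsconfig.jar.bu" "$LIB/wsconfig.jar"; }   # rollback

# upgrade_connector: steps 4.1, 4.4 to 4.8 with rollback on any failure.
# Stop ColdFusion and Apache (step 4.3) before calling it.
upgrade_connector() {
    backup_jar || return 1
    cp "$NEW_JAR" "$LIB/wsconfig.jar" || { restore_jar; return 1; }
    ( cd "$LIB" && "$JAVA" -Dtrace.ci=1 -jar wsconfig.jar -upgrade -v ) \
        || { echo "upgrade failed, restoring wsconfig.jar.bu" >&2; restore_jar; return 1; }
    info=$( cd "$LIB" && "$JAVA" -jar wsconfig.jar -info )
    if info_ok "$info" && log_clean "$LIB/wsconfig/wsconfig.log"; then
        echo "connector upgrade verified: $EXPECTED_BUILD"
    else
        echo "verification failed, restoring wsconfig.jar.bu" >&2
        restore_jar
        return 1
    fi
}

# Only perform the upgrade when explicitly requested, so sourcing is harmless.
if [ "${RUN_UPGRADE:-0}" = 1 ]; then
    upgrade_connector
fi
```

Run with RUN_UPGRADE=1 after stopping the servers; a non-zero exit means the original wsconfig.jar has been put back and you still need to restart the web server by hand.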

Comments

Steggles

Steggles wrote on 08/20/09 12:05 AM

Thanks guys, I just saw this page on a tweet and had the updates on my to do list so this should make them a little easier to swallow.

Open question to Adobe, could you make a security update any more time consuming to deploy? There's like 5 separate text files and 6 files to go through. How about 1 zip file and 1 instruction file..... okay, rant over, time to update a server.
Justin H

Justin H wrote on 08/20/09 12:33 AM

Thanks for sharing your checklist.

@steggles hey don't forget that these manual server updates are what keep us server administrators in a job ;).
Calvin Hobbs

Calvin Hobbs wrote on 08/20/09 1:19 AM

Part 4: ColdFusion (CVE-2009-1876) I'm having issues with on 64 bit Windows - after going the upgrade to wsconfig and restarting Apache - I get this message:
Syntax error on line 485 of c:/program files..../httpd.cinf - Cannot load c:/jrun4/lib/wsconfig/1/mod_jrun22.so into server: %1 is not a valid Win32 application.

64 Bit Windows running 32 bit apache.
Calvin Hobbs

Calvin Hobbs wrote on 08/20/09 1:21 AM

After overwriting the mod_jrun22.so from another server - apache started up OK after that update.

FYI
Phil Duba

Phil Duba wrote on 08/20/09 3:08 AM

I'll ask this in regards to CVE-2009-1876: what if I have multiple virtual hosts connecting to their own instances/cluster? Do I need to treat it as an installation and copy the mod_jrun22.so file to each of my corresponding folders under <cf_root>/lib/wsconfig (i.e. /1/, /2/, etc.) after executing the upgrade command?
Calvin Hobbs

Calvin Hobbs wrote on 08/20/09 4:13 AM

I guess I'd say if your web server doesn't start up - you may have to replace it with a backup - if the file has been changed with the update.
Wolsopx

Wolsopx wrote on 08/20/09 4:28 PM

Hi! Thanks for the info. I installed the hotfixes on several win2003 machines without any problems. Then after applying CVE-2009-1876 (wsconfig.jar) on a win2k server, calling cfm files only returns blank pages (no errors in browser, logs, wsconfig.log etc.) - everything seems to be running fine except for the blank pages :/ even cf admin returns a blank page. Any ideas?
Win2k, CF7 (7,0,2,142559), IIS 5.0; System restarted after hotfix updates
Admin

Admin wrote on 08/20/09 5:42 PM

@Wolsopx Adobe engineers have now confirmed that CVE-2009-1876 is only applicable to CF with Apache web server. I suggest you try restoring your previous wsconfig.jar.
Wolsopx

Wolsopx wrote on 08/20/09 5:45 PM

@admin Thanks! After restoring, everything is back up normal...
Ciaran A

Ciaran A wrote on 08/20/09 6:42 PM

It's been mentioned here (http://forta.com/blog/index.cfm/2009/8/17/ColdFusion-And-JRun-Security-Hotfixes-Posted) that CVE-2009-1875 and CVE-2009-1878 are the same. Installing both on my machine results in the update level remaining at hf801-1875.jar, i.e. the second update has no effect.

Also I presume that stand-alone CF users (i.e. no JRun) do NOT have to apply the JRun update (CVE-2009-1873 and CVE-2009-1874)?
Admin

Admin wrote on 08/20/09 8:17 PM

Thanks Ciaran, the guide has now been updated to include notes for anyone not sure about these issues.
SteveC

SteveC wrote on 08/21/09 12:47 AM

Clearly the steps for CVE-2009-1876 are 32 bit solaris only.

I am getting this output when I run the command in step 5:

# java -Dtrace.ci=1 -jar wsconfig.jar -upgrade -v
Macromedia JRun 4.0 (Build 108673)
os.name: SunOS
os.version: 5.10
os.arch: sparc
platform: sparc-solaris
web server: Apache
web server directory: /usr/local/apache2/conf
Using Apache binary /usr/local/apache2/bin/httpd
LD_LIBRARY_PATH=/usr/local/apache2/lib:/usr/jdk/instances/jdk1.5.0/jre/lib/sparc/server:/usr/jdk/instances/jdk1.5.0/jre/lib/sparc:/usr/jdk/instances/jdk1.5.0/jre/../lib/sparc
version 2.2.10 (min 43)
Server version: Apache/2.2.10 (Unix)
Extracting resource connectors/apache/sparc-solaris/prebuilt/mod_jrun22.so
file defaulted
last modification date: Thu Mar 13 19:54:02 EDT 2008
size/compressed size: 82216/33777
to /opt/jrun4/lib/wsconfig/1/mod_jrun22.so
Exec'ing chmod +x /opt/jrun4/lib/wsconfig/1/mod_jrun22.so
Set permission to execute on /opt/jrun4/lib/wsconfig/1/mod_jrun22.so
Created file /opt/jrun4/lib/wsconfig/1/mod_jrun22.so
Wrote file /usr/local/apache2/conf/httpd.conf
Using Apache control script /usr/local/apache2/bin/apachectl
Exec'ing /usr/local/apache2/bin/apachectl restart
httpd: Syntax error on line 420 of /usr/local/apache2/conf/httpd.conf: Cannot load /opt/jrun4/lib/wsconfig/1/mod_jrun22.so into server: ld.so.1: httpd: fatal: /opt/jrun4/lib/wsconfig/1/mod_jrun22.so: wrong ELF class: ELFCLASS32
Error running "/usr/local/apache2/bin/apachectl restart": exit code was 1
Error restarting Apache server. The web server must be restarted to complete this operation.
The Apache connector was upgraded in /usr/local/apache2/conf

Is there a switch that I can add to the java command to specify 64 bit? Any help would be appreciated thanks!
Wolsopx

Wolsopx wrote on 08/21/09 2:25 PM

To uninstall 'CVE-2009-1876' I just copied back the wsconfig.jar I backed up before applying 'CVE-2009-1876' and ran the command 'java -Dtrace.ci=1 -jar wsconfig.jar -upgrade -v'. Is this the correct way to "uninstall"? Do I need to reinstall any hotfix again after this downgrade, or didn't this affect any other hotfixes? (CF-Admin says "Update Level: /C:/CFusionMX7/lib/updates/hf702-1875.jar"). Thanks for your help!
Kurt

Kurt wrote on 08/22/09 5:27 AM

Even php for windows is easier to patch than this. Can they make a self installing exe file? This is ridiculous. I'm not even sure how to find out if an update is already installed or not. Even after I install 1878 it still says I'm at update level 1875... Thanks to this site for making these patches slightly easier to deal with.
cfGothChic

cfGothChic wrote on 08/23/09 1:54 AM

For multiserver installations, the instructions are not clear. The file downloads as a zip, you need to change the zip extension to ear.
Chris

Chris wrote on 08/23/09 8:12 AM

I applied the security updates for CF 8.01 on 3 different servers, all running Windows 2k3. On one of them, everything went great. On the other two, everything seemed to have gone well, but when I go to the CF Admin, I get the error below.

I did restart the CF service after making the changes. I tried to undo my changes (restored backup files) and restart CF, but to no avail.

I even went so far as to restore the entire CFIDE directory from another server running the same version. Same error.

Does anyone have any idea where to even begin? I just want to restore the CF administrator on those servers to a working version.

Thanks for your help!

Here is the error I get when I go to /cfide/administrator/

--------------------------------------

500

ROOT CAUSE:
java.lang.NoSuchMethodError: coldfusion.tagext.GenericTag.doFinally()V
at cfApplication2ecfm1253482620._factor7(E:\cf8_updates\cfusion\wwwroot\CFIDE\administrator\Application.cfm:4)
at cfApplication2ecfm1253482620.runPage(E:\cf8_updates\cfusion\wwwroot\CFIDE\administrator\Application.cfm:1)
at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:192)
at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:366)
at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
at coldfusion.filter.CfincludeFilter.include(CfincludeFilter.java:33)
at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:214)
at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48)
at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
at coldfusion.filter.PathFilter.invoke(PathFilter.java:86)
at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70)
at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
at coldfusion.CfmServlet.service(CfmServlet.java:175)
at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
at jrun.servlet.FilterChain.service(FilterChain.java:101)
at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:284)
at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)
at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)
at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
Nick

Nick wrote on 08/25/09 7:55 AM

The instructions for the CVE-2009-1872 and CVE-2009-1877 hotfix for ColdFusion 8.0.1 call for two files to be patched - cf_debugFr.cfm and _logintowizard.cfm. However, the download only contains cf_debugFr.cfm. _logintowizard.cfm does not appear to be included.

Any ideas what the problem is and where to get the missing file for the 8.0.1 patch?

Nick
Admin

Admin wrote on 08/25/09 8:56 AM

@Nick the zip for 1872 and 1877 for CF8.0.1 should be CFIDE8.0.1.zip which has the _logintowizard.cfm within the \CFIDE\wizards\common folder.

There was a typo in the CF8.0.1 download link for this file which has now been updated. Thanks.
Esther

Esther wrote on 08/26/09 4:56 AM

I have the same issue as Nick - I am able to access CFIDE8.0.1.zip but it only contains 1 file; it is missing _logintowizard.cfm.
RussT9F

RussT9F wrote on 08/27/09 7:14 AM

Stuck on 1875 and/or 1878.

missing CFIDE/Administrator/setting/allaire/cfide/CFNavigationApplet.class

This is a new (3 month old) installation.

why is the required file missing?
RussT9F

RussT9F wrote on 08/27/09 8:32 AM

The Java window returns this when I try to browse for the path on the System Information page. Keep in mind this is a relatively new install, so this perplexes me.

Java Plug-in 1.6.0_16
Using JRE version 1.6.0_16-b01 Java HotSpot(TM) Client VM
User home directory = C:\Documents and Settings\thompsonra
----------------------------------------------------
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
l: dump classloader list
m: print memory usage
o: trigger logging
q: hide console
r: reload policy configuration
s: dump system and deployment properties
t: dump thread list
v: dump thread stack
x: clear classloader cache
0-5: set trace level to <n>
----------------------------------------------------


load: class allaire.cfide.CFNavigationApplet not found.
java.lang.ClassNotFoundException: allaire.cfide.CFNavigationApplet
   at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
   at java.lang.ClassLoader.loadClass(Unknown Source)
   at java.lang.ClassLoader.loadClass(Unknown Source)
   at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
   at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)
   at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
   at java.lang.Thread.run(Unknown Source)
Caused by: java.io.IOException: open HTTP connection failed:http://10.2.65.49:8090/CFIDE/administrator/settings/allaire/cfide/CFNavigationApplet.class
   at sun.plugin2.applet.Applet2ClassLoader.getBytes(Unknown Source)
   at sun.plugin2.applet.Applet2ClassLoader.access$000(Unknown Source)
   at sun.plugin2.applet.Applet2ClassLoader$1.run(Unknown Source)
   at java.security.AccessController.doPrivileged(Native Method)
   ... 7 more
Exception: java.lang.ClassNotFoundException: allaire.cfide.CFNavigationApplet
Karra

Karra wrote on 09/09/09 3:42 PM

I'm having the same problem Chris did on 8/23. I don't see any responses to him...

Chris, did you get things fixed? How????
Chris

Chris wrote on 09/09/09 5:05 PM

@Karra, I'm sorry to say that I never found a solution, so I just (and I mean just now) uninstalled and reinstalled CF8 on both servers that were having issues. I can say that both re-installs went very well and everything is working smoothly now, however without these security updates. I'm afraid to try it again.

To maintain all of my settings, I did the following (on Windows 2003):

1) copy all of the neo-*.xml files out of the /cf_root/lib directory

2) uninstall CF8 through add/remove programs

3) install CF8 (latest download from Adobe)

4) stop all CF services

5) copy all neo-*.xml files from backup location to /cf_root/lib/

6) restart all CF services

One little catch is that all of my Access datasources had to be opened and saved again through the administrator before they would work. SQL Server datasources worked fine without anything extra.

The uninstall/re-install process only took about 15 minutes both times.

I hope you're able to get it working without reinstalling, but if not, maybe this can help.

Chris
Calvin Hobbs

Calvin Hobbs wrote on 09/10/09 12:40 AM

@SteveC

If you execute

jrun4/lib java -jar wsconfig.jar -h

to list all parameters.
From there you will see the -ws64 switch 'used to configure 64 bit webserver' and all other switches (also documented in live docs)
SteveC

SteveC wrote on 09/10/09 1:06 AM

@Calvin

Thanks a lot for the tip I will use it to give that hotfix another go.
Steve

Steve wrote on 10/22/09 1:58 AM

The instructions for the CVE-2009-1872 and CVE-2009-1877 hotfix for ColdFusion 7.0.2 call for two files to be patched - cf_debugFr.cfm and _logintowizard.cfm. However, the download only contains cf_debugFr.cfm. _logintowizard.cfm does not appear to be included.

Any ideas what the problem is and where to get the missing file for the 7.0.2 patch?
Jim

Jim wrote on 10/27/09 6:57 AM

Can't you just copy .jar files to the updates folder instead of going through CF Admin? Just wondering if that might be useful for any SysAdmins out there who don't have CFAdmin rights but do have full server access.
csg

csg wrote on 02/02/10 11:14 AM

I try to run java -Dtrace.ci=1 -jar wsconfig.jar -upgrade -v but I don't seem to have java on my server. Will installing it affect my CF installation, or will they ignore each other okay?
csg

csg wrote on 02/04/10 1:50 AM

All is well, found it here: []/runtime/jre/bin/java
