New Security Hotfixes

August 19, 2009

In case anyone missed it, Adobe announced some new "critical" hotfixes here:

http://www.adobe.com/support/security/bulletins/apsb09-12.html

My question is in regard to one of these hotfixes, CVE-2009-1876.

The instructions seem to be directed toward Apache users only.

So, should CVE-2009-1876 be installed on IIS-based systems, and for what CF versions?

Thanks!

    April 12, 2011

    We've applied the patch for CVE-2009-1876 and we're getting the expected response "Macromedia JRun 4.0 (Build 108785)"

    However, checking cfserver.log after CF restarts, we get this message "Starting Macromedia JRun 4.0 (Build 108673), coldfusion server".

    Is this expected?

    Are there any other ways to check if the patch has been applied properly?

    Many thanks!

    August 20, 2009

    Yeah, this is a little ridiculous. Adobe should combine these into one hot fix or version upgrade. I too was confused by the Apache only reference and the extra directory in one of the zips.

    Anyone know if you can apply all of these at once? Or do you have to do them one by one?

    Has anyone applied all of these already? If so what is your full version number? i.e. 8,0,1,195765 (would be nice if Adobe told you that too, if you have version 8,0,1,xxxxx you are fully patched)

    Thanks in advance for any info.

    August 20, 2009

    > I too was confused by the Apache only reference and the extra directory in one of the zips.

    I suspect that either the changes in the update only apply to a vulnerability related to Apache or that the documentation is faulty. I have applied it on a server running IIS without experiencing any problems.

    > Anyone know if you can apply all of these at once? Or do you have to do them one by one?

    I applied all the patches before restarting CF. I applied the CVE-2009-1876 fix last since it re-starts the web server service.

    > Has anyone applied all of these already? If so what is your full version number? i.e. 8,0,1,195765 (would be nice if Adobe told you that too, if you have version 8,0,1,xxxxx you are fully patched)

    I have applied all of the CF hot fixes on 7.0.2 and 8.0.1 without experiencing any problems. My patched CF 8.0.1 server is version 8,0,1,195765. You can check your patch level on the System Information page of the CF administrator. Verify that hf801-1875.jar and hf801-1878.jar are included in your Java Class Path. You can also find the jar files in \ColdFusion8\lib\updates\.
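The two replies above (the one asking for "other ways to check if the patch has been applied properly" and the one listing the hotfix jars and the System Information class path) describe three independent signals that can be cross-checked. The script below is an added example, not code from the thread or from Adobe: it checks that the named hotfix jars exist under lib\updates, that they appear in the Java Class Path string (assumed here to be comma- or semicolon-separated as the CF Administrator displays it), and it parses the most recent "Starting Macromedia JRun" line out of cfserver.log and compares the build against the 108785 value the CVE-2009-1876 fix is said to report. The expected jar names, build number, directory layout and log line are taken from the thread; the "Information [main] -" log prefix is constructed.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Values taken from the replies in this thread (not from Adobe's bulletin):
# the two CF 8.0.1 hotfix jars named above and the JRun build that the
# CVE-2009-1876 fix is reported to return.
EXPECTED_HOTFIX_JARS = ("hf801-1875.jar", "hf801-1878.jar")
EXPECTED_JRUN_BUILD = "108785"

BUILD_RE = re.compile(r"Macromedia JRun 4\.0 \(Build (\d+)\)")


def jrun_build_from_log(log_text: str) -> Optional[str]:
    """Build number from the most recent 'Starting Macromedia JRun' line in cfserver.log."""
    build = None
    for line in log_text.splitlines():
        if "Starting Macromedia JRun" in line:
            match = BUILD_RE.search(line)
            if match:
                build = match.group(1)  # keep overwriting so the last restart wins
    return build


def classpath_jar_names(classpath: str) -> List[str]:
    """File names from a comma- or semicolon-separated Java Class Path string
    (assumed to match the System Information page format; colons are not used
    as separators so Windows drive letters survive)."""
    entries = [e.strip() for e in re.split(r"[;,]", classpath) if e.strip()]
    return [re.split(r"[\\/]", e)[-1] for e in entries]


def verify_hotfixes(updates_dir: Path, classpath: str, log_text: str) -> Dict[str, object]:
    """Cross-check jars on disk, jars on the class path and the JRun build in the log."""
    on_classpath = set(classpath_jar_names(classpath))
    build = jrun_build_from_log(log_text)
    return {
        "jars_missing_on_disk": [j for j in EXPECTED_HOTFIX_JARS if not (updates_dir / j).is_file()],
        "jars_missing_on_classpath": [j for j in EXPECTED_HOTFIX_JARS if j not in on_classpath],
        "jrun_build_in_log": build,
        "jrun_build_matches": build == EXPECTED_JRUN_BUILD,
    }


def demo() -> Dict[str, object]:
    """Run the check on constructed inputs: one jar present on disk, one missing,
    both on the class path, and the cfserver.log line quoted in the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        updates = Path(tmp) / "lib" / "updates"
        updates.mkdir(parents=True)
        (updates / "hf801-1875.jar").write_bytes(b"PK")  # constructed stand-in for a jar
        classpath = (r"C:\ColdFusion8\lib\updates\hf801-1875.jar,"
                     r"C:\ColdFusion8\lib\updates\hf801-1878.jar,"
                     r"C:\ColdFusion8\lib\cfx.jar")  # constructed class path
        log = ("Information [main] - Starting Macromedia JRun 4.0 (Build 108673), coldfusion server\n"
               "Information [main] - ColdFusion started\n")  # constructed log excerpt
        return verify_hotfixes(updates, classpath, log)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real server, point `verify_hotfixes` at `\ColdFusion8\lib\updates\`, paste the Java Class Path from the System Information page, and read cfserver.log from the logs directory; a build mismatch in the log, as the second reply observed, is reported rather than silently accepted so it can be investigated.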

    August 19, 2009

    I had a couple of questions about the security fix. I posted about one of them in the ColdFusion forum, no reply yet, so figured I'd try here.

    1) Part of the 8/17 security fix deals with replacing \CFIDE\wizards\common\_logintowizard.cfm, which made me wonder what the purpose of that file is. If it isn't needed, then it would be easier and perhaps better to simply delete the file. I did some searching, but didn't find anything about the purpose of this file.

    2) I downloaded the CFIDE-cf8.0.1.zip file. In addition to the \debug and \wizards subfolders, which were explicitly addressed in the instructions, there is \administrator\datasources. There are no files in that subfolder, and I saw no mention of it in the instructions/docs. Why is it in the zip file if it is not needed?


    Thanks in advance!

    - Michael

    August 20, 2009

    In regards to the CFIDE files; after I've configured the datasources, mappings, and other settings in the CF administrator I generally remove all the files and directories from CFIDE on production servers except CFIDE/scripts, which is used by CFFORM and other JavaScript related tags. I keep the CFIDE directory backed up and off of the web site. When I need to make a setting change through the administrator site I copy the files to the web site and remove them when I'm done.

    Security Best Practice: Securing the ColdFusion Administrator
    http://go.adobe.com/kb/ts_tn_17254_en-us
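The practice described in the reply above (only CFIDE/scripts stays on the production web root) is easy to drift from after a hotfix drops CFIDE files back into place. The following audit script is an added example, not code from the thread or from Adobe: it lists every entry under the web root's CFIDE directory that is not the scripts folder, so it can be run after applying a CFIDE zip to confirm nothing else was left behind. The directory names used in the constructed sample (administrator, debug, wizards, _logintowizard.cfm) are the ones this thread mentions; the `ALLOWED_CFIDE_ENTRIES` set and the web root layout are assumptions of the example.

```python
import tempfile
from pathlib import Path
from typing import List

# Assumption following the reply above: on a production web root only
# CFIDE/scripts (used by CFFORM and related tags) is expected to remain.
ALLOWED_CFIDE_ENTRIES = {"scripts"}


def cfide_exposure(webroot: Path) -> List[str]:
    """Return the CFIDE entries (files or directories) present under the web root
    that are outside the allowed set, sorted for stable reporting."""
    cfide = webroot / "CFIDE"
    if not cfide.is_dir():
        return []  # CFIDE fully removed from the site: nothing exposed
    return sorted(
        entry.name for entry in cfide.iterdir()
        if entry.name.lower() not in ALLOWED_CFIDE_ENTRIES
    )


def demo() -> List[str]:
    """Constructed web root resembling what a CFIDE hotfix zip leaves behind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("CFIDE/scripts", "CFIDE/administrator/datasources",
                    "CFIDE/wizards/common", "CFIDE/debug"):
            (root / sub).mkdir(parents=True)
        # constructed stand-in for the file the hotfix replaces
        (root / "CFIDE/wizards/common/_logintowizard.cfm").write_text("<!--- constructed --->")
        return cfide_exposure(root)


if __name__ == "__main__":
    exposed = demo()
    if exposed:
        print("CFIDE entries to remove from the production web root:")
        for name in exposed:
            print(f"  CFIDE/{name}")
    else:
        print("Only the allowed CFIDE entries are present.")
```

Run it against the real web root after each hotfix; a non-empty result means the administrator, debug or wizards content that the reply recommends keeping off the site is back in place.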

    August 20, 2009

    Thanks for the comments JR. I have secured my external prod servers that way. Now I have to secure my internal dev servers as well, although not quite so stringently.

    On reflection, it seems to me that the security fix docs *should* have referenced the "Securing the ColdFusion Administrator" article.

    I still would like to know (from Adobe) why the administrator subfolder is in the security fix ZIP file.

    August 19, 2009

    I was coming to post a similar question. Security update CVE-2009-1876 does not indicate what version of CF it applies to.

    In regards to your other question I'm pretty sure this applies to IIS servers.  In the past wsconfig.jar has been the container file that also holds the IIS connector dlls and has needed to be upgraded for those.

    I'd also like to point out that the CVE-2009-1875 zip files seem to have been made on a Mac machine because when you decompress them it has a __MACOSX folder and .DS_Store files in the folders. These files may be confusing to anyone not familiar with them and also breaks form from any previous zip files.

    August 19, 2009

    Also, why are we being shotgun blasted with so many patch files, why couldn't these have been combined into one overall patch zip for their respective CF versions? This kinda reminds me of SQL2000 back in the day when I'd have to download and manually install all the files for a Service Pack ourselves. We all know how well that worked out when SQL-Slammer hit the scene... MS learned how quickly admins ignored cumbersome manual patch installers.

    August 19, 2009

    I did the jar -info command on our fully patched CFMX7.0.2 and CFMX8.0.1 servers and it returns the following information for them:

    • CFMX 7.0.2 - Build 108409
    • CFMX 8.0.1 (32bit & 64bit) - Build 108673
    • CVE-2009-1876 - Build 108785