We have a few ColdFusion 9.0.1 servers that are humming along and I would like to patch up them to the latest available updates, as I haven't patched them in a few years. It looks like ColdFusion Security hot fix APSB14-23 contains hotfix 12 which is the latest I can find so far. Can anyone confirm this is the latest available for 9.0.1?
Daniel, there’s a lot more to this than it may seem. Let me address several key things you need to consider. I know it is a lot to read, but getting any one thing wrong could leave CF busted, or at least not properly updated. (And I offer to help you directly at the end, if you may prefer a helping hand to treading these dark waters alone.)
1) First, you say “The last patch I applied was hf901-00010.jar back in 2013”, but that’s not indicated by the “update level” on your screenshot:
Update Level /D:/ColdFusion9/lib/updates/hf901-00009.jar
But note they’re not the same. And if you had applied that update 10, then the jar for update 9 should not still be there. So that’s a bit odd.
2) As for that update level info on that Admin page you shared, beware that it does NOT list ALL the updates you may have applied. There may or may not be a cumulative hotfix that was applied also in the past. That would not be listed there, if you had also applied a security hotfix after that. (More on that in a moment.)
To find out what updates you have applied, see this blog post I did:
How to tell what, if any, hotfixes have been applied to ColdFusion (9 and earlier)
3) Then you may wonder about what hotfixes DO exist for you to consider. First, note that there is a page that lists the CUMULATIVE hotfixes:
And as they are cumulative, only the latest (9.0.1 CHF4) needs to be installed for a CF9.0.1 setup.
4) But then there are also security updates, and those are NOT listed there. Indeed, what you list above (whether 00009 or 00010) is in fact a security update. You can see the list of all CF security updates here:
Note that that does not list the updates with the numbers like you see. Instead, it lists “APSB”s, and those each have a technote, and in that it shows the file and version for each CF version (which differs for CF9.0 vs 9.0.1, etc.). More on that in a moment.
5) Whether you have to apply any security updates after the last CHF depends on which ones that CHF included. In the case of CF901 CHF4 (if you have done it or would do it), then according to its technote (https://helpx.adobe.com/coldfusion/kb/cumulative-hotfix-4-coldfusion-901.html), it included security updates up to APSB13-03. And you can see from that list from my point 4, that is NOT the latest Adobe released for CF 9. It was APSB14-23.
And for comparison to your listed file, hf901-00009.jar, this latest security update would be called hf901-00012.jar (so there was not an update 13 for 901, as you were led to believe).
How do I know what file name would be used for what security update? Well, we see from the page above that APSB14-23 links to its “security bulletin” (https://helpx.adobe.com/security/products/coldfusion/apsb14-23.html), and that points to the technote for that update here: https://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb14-23.html. And that shows that for 9.0.1 the jar file name would be hf901-00012.jar. And yes, all this can get complicated. Many have drowned in these waters.
Indeed, it can get still more dicey: that technote also tells you to remove all previous hf.jar files (which is why I said you should not have the files 0009 and 0010 installed at the same time.) But beware how it’s telling you to remove any “hf” files, NOT any CHF.jar files. Many have mistakenly removed the CHF jar while applying a security update, only to have CF blow up on them.
Or note that the page also lists files (zips to download) for other CF9 versions, like 9.0 and 9.0.2. One MUST be sure to get the right one. And then many of these update technotes have different steps depending on whether you had or had not applied the previous update.
6) Indeed, these are all things I elaborate on in yet another blog post:
CF911: Are you finding CF (or CF Admin) busted after applying a hotfix? A few possible reasons
7) We’re almost done. I’ll just note that you may also come across the availability of CF 9.0.2 and be tempted to think “I’ll just update to that”, but to be clear, that is NOT an option for you. 9.0.2 was not an updater (for 9): it was a replacement installer for CF9. For more, see this blog post I did:
8) And FWIW, I tried to pull together the above and more into another post in 2014 (to help people in the boat you are):
Applying hotfixes to ColdFusion 9 and earlier? A guide to getting it right
But I wanted to offer the specific points above because they address your specific situation.
9) Finally, if reading all that seems daunting, or you may be (reasonably) concerned about possible mistakes trying to update things, I can of course just help you do it directly (remotely, safely, quickly, and with satisfaction guaranteed). For more, see carehart.org/consulting.
10) Well, before closing, I would be remiss not to also warn you that of course CF9 has not been supported or updated for years. Even CF10 support (and updates) stopped in 2017. CF11 and 2016 are what are currently supported, and CF2018 is due out in coming months, and support for CF11 will then stop in 2019. Staying on 9 is a risky proposition, if nothing else for the lack of security updates as have been added to the later releases.
Hope that’s helpful.
Thanks Charlie. Regarding the discrepancy on updates, I found that the patch folder (/D:/ColdFusion9/lib/updates) contained two files:
hf901-00009.jar and hf901-00010.jar
From reading your response (and supporting blogs), I gather that the cumulative fix files should have been left in the folder. But apparently they were deleted when the hotfixes were applied. And then, for whatever reason, HF 9 was left after HF 10 was added. I know I said that I was the one who applied these, but actually it wasn't me. I have no idea what the patch level is. But maybe you can answer this: what happens when the cumulative fixes are deleted from the update folder? Does that cause it to remove the cumulative fix?
Oh yes, it does mean that (that the CHF was effectively removed). Worse, some of the related files (put in place by the CHF update process) would be expecting that to be there, and it’s not, which could cause all manner of problems (some obvious, some more subtle).
And it may not be enough to just go back and add it (as you may not know which one it was). And you may well have made other mistakes, like copying the downloaded zip of “lib” files to the wrong “lib”, as I discuss in the blog post about what can easily go wrong. Trying to rectify things could get scary fast.
So I would think that at this point perhaps the best thing for you to do would be to use the unofficial updater (uus2), which I discuss in the blogs (or you can find discussed by others). It would lay down a complete directory of all the CF files, as per whatever selected update you chose. It would not touch other files, just those that the update would have updated.
It was a nifty tool. It is no longer updated, but that’s because it was only useful up to CF9, so it would still work for you.
It had its warts, and it was a bit of a hammer, but sometimes (as in this case), that’s what you need to get things “all sorted out”. And again, I can help you with that if you may try it and get scared away or have troubles (I would STRONGLY recommend you take a VM snapshot or backup or at least create a copy of the CF folder before running it, in case it does something that might leave things not working, so you could revert.)
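As an added illustration (not part of this thread, and not a tool from Adobe or the posters above), here is a small check that inspects the jar names in a CF 9.0.1 lib/updates folder and reports the two problems discussed in the exchange: more than one hf901 security-hotfix jar left behind, and the cumulative-hotfix jar missing. The hf901-000NN.jar naming, hf901-00012.jar as the last security hotfix (APSB14-23) and CHF4 as the last cumulative hotfix come from the thread; the CHF jar name pattern chf901NNNN.jar is an assumption to verify against the CHF technote.

```python
import re
from pathlib import Path

# Security hotfix jars for CF 9.0.1 are named hf901-000NN.jar (from the thread).
HF_RE = re.compile(r"^hf901-(\d{5})\.jar$", re.IGNORECASE)
# ASSUMPTION: cumulative hotfix jars are named chf901NNNN.jar; check the technote.
CHF_RE = re.compile(r"^chf901(\d+)\.jar$", re.IGNORECASE)

LATEST_SECURITY_HF = 12   # hf901-00012.jar = APSB14-23, the last one for 9.0.1
LATEST_CHF = 4            # CHF4 is the last cumulative hotfix for 9.0.1


def assess_updates(filenames):
    """Return (hf_levels, chf_levels, findings) for a list of jar file names."""
    hf = sorted(int(m.group(1)) for n in filenames if (m := HF_RE.match(n)))
    chf = sorted(int(m.group(1)) for n in filenames if (m := CHF_RE.match(n)))
    findings = []
    if len(hf) > 1:
        # The APSB14-23 technote says earlier hf jars must be removed.
        findings.append("multiple hf901 jars present (%s); only the latest "
                        "security hotfix jar should remain" % ", ".join(map(str, hf)))
    if not hf:
        findings.append("no security hotfix jar found")
    elif hf[-1] < LATEST_SECURITY_HF:
        findings.append("security hotfix level %05d is below the last released "
                        "level %05d (APSB14-23)" % (hf[-1], LATEST_SECURITY_HF))
    if not chf:
        # Removing the CHF jar along with old hf jars leaves files that expect it.
        findings.append("no cumulative hotfix jar found: CHF never applied, or "
                        "removed by mistake while cleaning up hf jars")
    elif chf[-1] < LATEST_CHF:
        findings.append("cumulative hotfix %d is below CHF%d" % (chf[-1], LATEST_CHF))
    return hf, chf, findings


def assess_directory(path):
    """Run assess_updates over the real files in a lib/updates directory."""
    return assess_updates([p.name for p in Path(path).iterdir() if p.is_file()])


# Constructed sample reproducing the folder state reported in the thread.
SAMPLE = ["hf901-00009.jar", "hf901-00010.jar"]

if __name__ == "__main__":
    levels, chf_levels, problems = assess_updates(SAMPLE)
    print("hf levels:", levels, "chf levels:", chf_levels)
    for p in problems:
        print("WARNING:", p)
```

Point `assess_directory` at the actual updates folder (D:/ColdFusion9/lib/updates in the thread) to check a live server; it only reads file names and never modifies anything.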
Charlie has addressed almost everything, as usual. I'll add one thing. There is a public repository of CF installers and patches available here:
In addition, I will reiterate that CF 9 is dead, dead, dead. You should not be running this in production on untrusted networks.
Dave Watts, Fig Leaf Software