I followed the lockdown guide for ColdFusion 11 and everything works as expected except for the download and install hotfix button under Updates in the ColdFusion 11 administration page.
I noticed on page 17 of the lockdown guide that following the guide may break the hotfixes. But I can't find what the solution to the problem is.
I contacted Adobe support and didn't get very far. They told me to look at page 17 as it explains it there. Well, no... no it doesn't.
This wouldn't be an issue if you could manually download the hotfixes directly from Adobe, but you can't, or I can't find a page that provides the download links. I can see all the release notes for hotfixes.
Adobe support sent me a link to download the latest update 3 hotfix (http://download.adobe.com/pub/adobe/coldfusion/cf11/hotfix_003.jar) but the file location doesn't exist.
Any thoughts / help would be greatly appreciated as I want to move this server into production in the near future.
ColdFusion 11 update 2 running (Adobe had to provide direct links to download the first 2 updates.)
Server 2012 Std
Lockdown guide followed and applied.
To be clear, you can't download updates, or download and install updates? I'm asking if the download button works but not the download and install button.
If you can at least use the CF administrator to download the updates, you can run them manually (which is actually how you probably need to do it on Windows with the lockdown guide applied).
Thanks for the reply.
On the CF administration page under updates both the buttons for "Download" and "Download and update" don't work.
After my third Adobe support chat session they sent me the correct link to download update 3 and I manually added it.
The working link is (https://cfdownload.adobe.com/pub/adobe/coldfusion/11/hotfix_003.jar)
From what I understand, every time there is an update going forward I have to use the same link except change hotfix_003.jar to hotfix_004.jar and so forth.
That is correct Mark. Replace the last digits with the hotfix updates as and when they are released.
@adrenaline_x, you really should NOT have to do that manually. If your issue is that the download or download/update buttons don’t work, then that’s a problem to be fixed.
I have a few guesses as to possible problems and solutions:
First, do you see tabs on the top of this Server Updates>Updates page, showing “available updates”, “installed updates”, and “settings”? If not, then that’s a problem. Did you perhaps change the CF admin to have an alternative path for the “Default Scriptsrc directory” (see the first page of the admin for that setting)? If so, does the site through which you’re accessing the CF admin have that as a virtual directory? If not, then you’ve got to fix that. If you’re familiar with browser dev tools, you may also readily observe that there are elements of that page (when viewed) which are being sought at that scriptsrc location and are failing with 404’s (not found).
Or if such a tool shows it IS asking for the files at CFIDE/scripts (instead of some alternative path), but these too are getting 404’s, then the issue is that you have blocked that CFIDE/scripts folder (something you may do in reading the lockdown guide, but you might have missed the need to do the step which sets up what I discuss in the previous paragraph.)
Finally, are you using Internet Explorer? If so, try adding the site (you’re using for the CF Admin) to its “trusted sites” list, and then reload the page and try again.
After doing any of these things, do those buttons work now? If you’d say “well, it’s already installed so I can’t see those buttons”, that’s ok. Click the “installed updates” tab on that Server Updates page, and then click the uninstall button you should now see for the u3 you have installed. Don’t worry, that won’t actually proceed with the uninstall without additional confirmation. The question for now is simply, does it prompt for that confirmation. If so, then your problem should be solved and your next updates should be simpler.
Let us know how you go.
Thanks for this info Charlie. You pointed to some good places.
What I found that worked, was I needed to remove the Scripts directory from the Request Filtering (in IIS Manager) for the cfadmin site. This should help other people with a locked down server.
Do you know of any issues that might arise from doing this?
Ah right, that would do it also.
As for whether there may be “any other issues”, if that site is really used only for the admin and can’t/won’t somehow be used for requests to other sites then it would be safe, sure. Just that there are ways that misconfiguration of the IIS setup could allow for requests other than the Admin to get in, like if the binding was set to allow any IP address and/or no domain name to be matched. That’s not the way the lockdown guide would talk about setting up a CF admin site, so if one follows its instructions, enabling cfscripts (and indeed the administrator directory itself) there should be safe.
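
The two checks discussed in this thread (the admin site's bindings, and Request Filtering rules that block the scripts folder), as an added example that is not part of the original posts. It assumes the IIS site hosting the CF Administrator is named `cfadmin` (a hypothetical name) and inspects both deny URL sequences and hidden segments, since the thread does not say which rule type was used.

```powershell
# Added example: audit the IIS site that hosts the ColdFusion Administrator.
# Assumption: the site is named 'cfadmin' in IIS; change $SiteName to match.
Import-Module WebAdministration
$SiteName = 'cfadmin'   # hypothetical site name

# 1. Bindings: for http/https, bindingInformation has the form "IP:port:hostname".
#    The greedy first group keeps IPv6 literals such as [::1] intact.
#    Bindings in any other format are skipped.
$bindings = foreach ($b in Get-WebBinding -Name $SiteName) {
    if ($b.bindingInformation -match '^(?<ip>.*):(?<port>\d+):(?<host>[^:]*)$') {
        [pscustomobject]@{
            Protocol   = $b.protocol
            IP         = $Matches['ip']
            Port       = $Matches['port']
            HostName   = $Matches['host']
            AnyIP      = $Matches['ip'] -in @('*', '', '0.0.0.0')
            NoHostName = [string]::IsNullOrEmpty($Matches['host'])
        }
    }
}
$bindings | Format-Table -AutoSize
foreach ($b in $bindings | Where-Object { $_.AnyIP -or $_.NoHostName }) {
    Write-Warning ("Binding {0}:{1} accepts any IP and/or any host name; requests meant for other sites can land on $SiteName" -f $b.IP, $b.Port)
}

# 2. Request Filtering rules in effect for this site that mention "scripts".
$psPath = "IIS:\Sites\$SiteName"
$rf     = 'system.webServer/security/requestFiltering'
$rules  = @(
    Get-WebConfiguration -PSPath $psPath -Filter "$rf/denyUrlSequences/add" |
        ForEach-Object { [pscustomobject]@{ Rule = 'denyUrlSequences'; Value = $_.sequence } }
    Get-WebConfiguration -PSPath $psPath -Filter "$rf/hiddenSegments/add" |
        ForEach-Object { [pscustomobject]@{ Rule = 'hiddenSegments'; Value = $_.segment } }
)
$scriptRules = @($rules | Where-Object { $_.Value -match 'scripts' })
if ($scriptRules.Count -gt 0) {
    $scriptRules | Format-Table -AutoSize   # rules that can 404 the admin UI's script assets
} else {
    'No Request Filtering rule on this site matches "scripts".'
}
```

Run it in an elevated PowerShell session on the IIS server; a warning in part 1 means the scripts exception is only as safe as the network path to that binding.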