ColdFusion 9.0.1, ColdFusion 9, ColdFusion 8.0.1, and ColdFusion 8 are affected by the vulnerabilities described in security bulletins APSB11-14 and APSB11-15.
ColdFusion 9.0.1, 9.0, 8.0.1 and 8.0 for Windows, Macintosh and UNIX (APSB11-14)
ColdFusion integrated/installed with LCDS (APSB11-15)
Vulnerabilities have been identified in ColdFusion 9.0.1 and earlier versions for Windows, Macintosh and UNIX. These vulnerabilities could lead to a cross-site request forgery (CSRF) or a remote denial-of-service (DoS).
Adobe recommends users update their product installation using the instructions provided below.
Unspecified vulnerability in Adobe ColdFusion 8.0, 8.0.1, 9.0, and 9.0.1 allows remote attackers to cause a denial of service via unknown vectors. CVE-2011-2091
1. The hotfix files also include some of the previous security hotfixes.
2. CSRF protection requires that SessionManagement is enabled. If session variables are disabled in the ColdFusion Administrator, CSRF protection is disabled as well.
3. If ColdFusion throws the exception "java.io.FileNotFoundException: ../logs/esapiconfig.log" after the hotfix is applied, edit /lib/log4j.properties and replace the relative path for "esapiconfig.log" with an absolute path.
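Notes 2 and 3 above are both post-hotfix checks an administrator can script. The following Python is an added example, not Adobe's code or part of the hotfix: it parses a log4j.properties fragment for any entry whose value names esapiconfig.log with a relative path (the trigger for the FileNotFoundException), proposes the absolute replacement under the ColdFusion root, and checks whether an application's Application.cfc or cfapplication tag turns session management on. The sample files, the ColdFusion root path, and the appender key name log4j.appender.ESAPI.File are constructed assumptions for illustration; the Administrator-level session-variables setting is not read here.

```python
import re

# Constructed samples (not from the bulletin). The appender key name
# "log4j.appender.ESAPI.File" is an assumption used for illustration only.
SAMPLE_LOG4J_PROPERTIES = """\
# constructed sample of <cf_root>/lib/log4j.properties after the hotfix
log4j.rootLogger=ERROR, ESAPI
log4j.appender.ESAPI=org.apache.log4j.RollingFileAppender
log4j.appender.ESAPI.File=../logs/esapiconfig.log
log4j.appender.ESAPI.MaxFileSize=500KB
"""

SAMPLE_APPLICATION_CFC = """\
component {
    this.name = "demoapp";
    this.sessionManagement = false;
}
"""

# Absolute on UNIX/Mac (leading '/') or Windows (drive letter plus separator).
_ABS_PATH = re.compile(r"^(/|[A-Za-z]:[\\/])")
# Matches `this.sessionManagement = true` and `<cfapplication sessionManagement="yes">`.
_SESSION_MGMT = re.compile(
    r"sessionManagement\s*=\s*['\"]?(true|false|yes|no)['\"]?", re.IGNORECASE
)


def parse_properties(text):
    """Parse Java .properties text into a dict; '#' and '!' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def find_relative_log_paths(props_text, log_name="esapiconfig.log"):
    """Return [(key, value)] for property values naming log_name via a relative path."""
    return [
        (key, value)
        for key, value in parse_properties(props_text).items()
        if value.endswith(log_name) and not _ABS_PATH.match(value)
    ]


def fix_log_path(cf_root, log_name="esapiconfig.log"):
    """Build the absolute <cf_root>/logs/<log_name> path in cf_root's separator style."""
    sep = "\\" if "\\" in cf_root or re.match(r"^[A-Za-z]:", cf_root) else "/"
    return cf_root.rstrip("/\\") + sep + "logs" + sep + log_name


def session_management_enabled(app_text):
    """True if the application source turns session management on.

    An absent setting counts as off, which is the ColdFusion default.
    """
    m = _SESSION_MGMT.search(app_text)
    return m is not None and m.group(1).lower() in ("true", "yes")


def audit(props_text, app_text, cf_root):
    """Return a list of findings; an empty list means both notes are satisfied."""
    findings = []
    if not session_management_enabled(app_text):
        findings.append(
            "session management is off: the hotfix's CSRF protection is inactive"
        )
    for key, value in find_relative_log_paths(props_text):
        findings.append(
            f"{key}={value} is a relative path; set it to {fix_log_path(cf_root)}"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG4J_PROPERTIES, SAMPLE_APPLICATION_CFC, "/opt/coldfusion9"):
        print("FINDING:", finding)
```

Run against the real files by replacing the constructed samples with the contents of lib/log4j.properties and the application's Application.cfc; the audit only reports, it does not modify either file.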
If you installed the hotfix for ColdFusion 9 or ColdFusion 8 and then upgraded (to ColdFusion 9.0.1 or ColdFusion 8.0.1), ensure that you also apply the security hotfix for the updated version.