T-661: ColdFusion Security Hotfix | APSB11-14, ColdFusion Important Update

July 5, 2011 - 7:57am

PROBLEM:

ColdFusion 9.0.1, ColdFusion 9, ColdFusion 8.0.1, and ColdFusion 8 are affected by the vulnerabilities described in Adobe security bulletins APSB11-14 and APSB11-15:

ColdFusion 9.0.1, 9.0, 8.0.1 and 8.0 for Windows, Macintosh and UNIX (APSB11-14);
ColdFusion integrated/installed with LCDS (APSB11-15)

PLATFORM:

ColdFusion 9.0.1, 9.0, 8.0.1 and 8.0 for Windows, Macintosh and UNIX

ABSTRACT:

Vulnerabilities have been identified in ColdFusion 9.0.1 and earlier versions for Windows, Macintosh and UNIX. These vulnerabilities could lead to a cross-site request forgery (CSRF) or a remote denial-of-service (DoS).
Adobe recommends users update their product installation using the instructions provided below.

REFERENCE LINKS:

AP Vulnerability ID: APSB11-14
Adobe Security Advisories
AP Vulnerability ID: APSB11-15
ColdFusion Security Hotfix Installation Link

IMPACT ASSESSMENT:

Medium

Discussion:

Unspecified vulnerability in Adobe ColdFusion 8.0, 8.0.1, 9.0, and 9.0.1 allows remote attackers to cause a denial of service via unknown vectors. CVE-2011-2091

Other references:

Tech Bulletin T-549
CVE-2011-0736
CVE-2011-0737

Impact:

1. The hotfix files also include some of the previous security hotfixes.

2. The CSRF protection requires that SessionManagement is enabled. If Session Variables are disabled in the ColdFusion Administrator console, the CSRF protection is disabled as well.

3. If ColdFusion throws the exception "java.io.FileNotFoundException: ../logs/esapiconfig.log" after the hotfix is applied, edit /lib/log4j.properties and replace the relative path for "esapiconfig.log" with an absolute path.

Solution:

If you installed the hotfix for ColdFusion 9 or ColdFusion 8 and then upgraded (to ColdFusion 9.0.1 or ColdFusion 8.0.1), ensure that you also apply the security hotfix for the updated version. ColdFusion Security Hotfix

ColdFusion integrated/installed with LCDS