August 27, 2015
ColdFusion 11 Update 6 and ColdFusion 10 Update 17 now available

The following ColdFusion updates are now available for download. Both address the same XML External Entity (XXE) vulnerability (CVE-2015-3269) in BlazeDS, the Flash Remoting component bundled with ColdFusion. Apply the update whether or not your own applications use BlazeDS or Flash Remoting: the vulnerable component ships with every installation, and ColdFusion features such as Server Monitoring rely on it. For details, refer to the security bulletin hyperlinks in the sections below.

Users who run LCDS with ColdFusion should refer to this technote for updating their LCDS installation.

ColdFusion 11 Update 6

This update addresses the vulnerability described in security bulletin APSB15-21. It is cumulative and includes the fixes from all previous ColdFusion 11 updates.

For details, refer to this technote.

ColdFusion 10 Update 17

This update addresses the vulnerability described in security bulletin APSB15-21. It is cumulative and includes the fixes from all previous ColdFusion 10 updates.

For details, refer to this technote.

46 Comments
2016-03-31 06:45:26

Seems the BlazeDS ‘update’ made it more secure by completely borking the functionality. I have a client app that relies heavily on Blaze and when update 18 was applied, the messaging simply stopped working.

I am not sure where the problem is... still trying to figure that one out.

2015-09-25 13:08:12

We tried the installation again, and it worked with no errors. No idea what was different between the bad and the good installations.

Just be sure to back up all your CF files before you install the Update!

Regards,
Chris

2015-09-22 06:33:04

Follow-up to my post of Sep 21, 2015 at 9:10 AM:

We followed the uninstall instructions for Update6, but it did not fully uninstall and CF would not start.

We then followed the manual uninstall instructions for Update6, but CF would not start.

We then replaced the entire installation directory tree with a backup we took before installing Update6, and CF now starts, and correctly shows Update5 as the latest build version.

We have installed Update6 three times before, all successfully, and confirmed the MD5 signature, so it should not be corrupted.

regards,
Chris

2015-09-22 00:32:45

Thanks for notifying me of a new update from Adobe. Thanks.

2015-09-21 09:10:20

Hi, we have installed Update6 on several Win2012 R2 64-bit servers, but one just failed with command-line errors:
“failed to add duplicate collection element ‘/jakarta’”
“failed to add duplicate collection element ‘/CFIDE’”

CF did not appear to be starting, and when browsing, we got this error:
HTTP Error 500.0 – Internal Server Error. Calling GetFilterVersion on ISAPI filter “F:\CF11\config\wsconfig\1\isapi_redirect.dll” failed.

Rebuilding the Connector did not help. The old Connectors had to be manually removed.

Uninstalling Update6 required the manual removal, but CF is still not starting. We get the same HTTP Error 500.0, when browsing either .htm or .cfm files.

Any ideas? (we’ve opened an Adobe support case).

thank you

2015-09-16 14:59:50

I appreciate that Adobe “EAST” keeps patching bugs that they caused by their previous patch. Totally worth the $8500 I was about to send to the DR Congo prince.

2015-09-10 07:15:47

Thanks Charlie, yes, you’re correct. The PDFg add-on was pointing to the non-existent 1.8.0_45 JVM after upgrading to _60. Thank you for the tip on the jetty.lax I now remember editing that so it would use _45 quite a few months ago. Just repointed CF app and the AddOn service/PDFg to _60 and all is well.

2015-09-09 16:36:52

PDFg service is working fine for me in production with JVM 1.8.0_45 and CF11 update 5. Just patched to update 6 on my dev server and after a few tests things seemed okay but didn’t try PDFg. Decided to update to JVM 1.8.0_60 and found that PDFg no longer worked (Add-On service would not start). Just rolled back to JVM 1.8.0_45 and PDFg is working fine again under CF11 update 6. This is with Server 2012R2.

2015-09-05 01:55:33

A security hotfix for BlazeDS shouldn’t break PDFg.

Going forward, updates should be module-specific.

Thanks!,
-Aaron

2015-09-03 12:15:51

Update 5 broke PDFg. See https://bugbase.adobe.com/index.cfm?event=bug&id=4031773

throws “No Service manager is available.”

No worries b/c existing code can’t be upgraded to anyways until these are fixed:
– 3931678
– 3931673

Please finish the work on PDFg.

Thanks!,
-Aaron

2015-09-03 09:11:35

[subscribe]

2015-09-02 05:22:35

[sub]

2015-09-01 05:34:01

Matthew, update 6 was a security patch. Having unrelated changes alongside a security patch is a bad thing – putting aside the cumulative nature of u6, Adobe did the right thing in not including other changes.

2015-09-01 05:04:21

@Piyush

I have re-applied the jar received from Bug 3971083, and the issue is side-stepped again with that in cfusion\lib\updates.

Just disappointed it was not packaged with update 6, since it was addressed shortly after update 5 was released.

When a bug is marked fixed, when would one expect the fixed code to make it to an update release?

2015-08-31 20:12:39

Matthew,
When you apply an update, all the content of cfusion\lib\updates is moved to a backup location at cfusion\hf-updates before the new update jar is placed there.
So you’ll need to recopy your custom patch to the former directory.

2015-08-31 08:28:11

Snake,
I apologize for indicating that the CF9 instructions can be made available by email. We cannot share security-related fixes for versions that are out of support. You can reach out to customer support for any guidance or clarifications.

Matthew,
you apparently have a custom patch for that bug. I’ll check whether you need to reapply it after update 6, and get back to you.

Peter,
I can see that you’ve already commented on the fix for 3776450 possibly causing 3956389, in the bug tracker. Thanks for that. I’m sure we’ll check out that angle when we work on fixing it.

2015-08-31 04:14:07

These are not the Adobe instructions, but this is how I manually patched ColdFusion 9.0.1 servers I have to deal with.

http://www.dcepler.net/post.cfm/manually-patching-coldfusion-9-with-apsb15-21-cve-2015-3269

2015-08-30 09:08:10

@Adam: Thanks. Must be something weird on my end…

2015-08-30 08:57:08

Ron, I can see CF10u17, and am downloading it now… installing… yeah, it ran fine: 10,0,17,295085

2015-08-30 08:41:02

Did the CF10u17 hotfix get pulled for some reason? I updated a pair of my development servers yesterday for testing, and when I tried to update a third this morning, update 17 is no longer showing as available? Looking at the XML file available at the default update URL, it appears that neither of these updates (CF10u17, CF11u6) are listed.

2015-08-30 04:33:58

Thanks Charlie.

Piyush wrote:
> I still need to check the details on what that bug [3956389] is about,
> but it is yet to be fixed. I guess we’ll have to wait for it to be fixed
> before we can consider shipping it in an update.

Or, instead of waiting, the CF team could be proactive about looking at what changed in update 5 and how it might have caused the bug.

What code was changed to address 3776450 for example?
Given that was about detecting JAR changes, there’s a high likelihood of the changes being related.

2015-08-30 03:52:45

Piyush,
can you not share the instructions here for the benefit of everyone?

2015-08-30 01:00:34

Why don’t you just post the CF9 instructions here, rather than doing it via email?

2015-08-29 23:05:33

Snake,
yes, it does. I can share the instructions on how to fix it on CF9, if you write to me at pnayak@adobe.com

2015-08-29 17:23:11

[Subscribed]

2015-08-29 15:21:03

does this affect CF9 as well?

2015-08-28 21:21:44

[subscribing]

2015-08-28 09:00:49

I appreciate that Adobe & CF Team have committed to moving this product forward and are providing updaters.

2015-08-28 08:30:34

[subscribe]

2015-08-28 05:05:59

@Piyush. So one would need to apply the hotfix again on update 6, and it should work? I hope so. I will attempt and report back.

2015-08-28 04:15:25

(subscribing)

2015-08-28 02:43:44

got it running, please ignore/delete my comment above

2015-08-28 02:28:24

I am unable to apply CF11/Update 6 manually:

Downloaded via CF Admin (or https://cfdownload.adobe.com/pub/adobe/coldfusion/11/hotfix_006.jar)

> [root@testserver hf-updates]# ./hotfix_006.jar
> invalid file (bad magic number): Exec format error

CF11, Update 5 installed on CentOS Linux, 64-Bit

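The "bad magic number" error above is the shell refusing to execute a jar directly: a hotfix jar is a zip archive, not an executable, and it is applied by running it with `java -jar` (Adobe's manual-install technotes use the JRE bundled with ColdFusion for this). The following shell script is an added example, not Adobe's installer or any code from this post. It refuses to run anything that is not a real jar or whose MD5 does not match the digest taken from the download page (the check a later comment in this thread describes doing by hand), so a truncated or tampered download is never executed. The ColdFusion root (`/opt/coldfusion11`, overridable via `CF_ROOT`) and the expected digest passed in by the caller are assumptions.

```shell
#!/bin/sh
# Added example, not Adobe's installer: verify a downloaded ColdFusion hotfix
# jar, then apply it with "java -jar". A jar is a zip archive, so executing it
# directly (./hotfix_006.jar) fails with "bad magic number".
# Assumptions: ColdFusion root in $CF_ROOT (default /opt/coldfusion11) and an
# expected MD5 obtained from the download page and passed in by the caller.

# Every zip/jar archive starts with the two bytes "PK".
is_jar() {
    [ -f "$1" ] && [ "$(head -c 2 "$1" 2>/dev/null)" = "PK" ]
}

# Print the MD5 digest of a file (GNU md5sum or BSD md5).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Refuse anything that is not a genuine jar with the expected digest.
# Returns 0 on success, 1 (with a reason on stderr) otherwise.
verify_hotfix() {
    jar=$1
    expected=$2
    is_jar "$jar" || { echo "not a jar file: $jar" >&2; return 1; }
    [ "$(file_md5 "$jar")" = "$expected" ] \
        || { echo "MD5 mismatch for $jar" >&2; return 1; }
}

# Apply the hotfix with ColdFusion's bundled JRE (assumed location). Returns
# non-zero without running anything if verification fails.
apply_hotfix() {
    cf_root=${CF_ROOT:-/opt/coldfusion11}
    verify_hotfix "$1" "$2" || return 1
    "$cf_root/jre/bin/java" -jar "$1"
}

# Usage: sh apply_hotfix.sh hotfix_006.jar <expected-md5>
if [ $# -eq 2 ]; then
    apply_hotfix "$1" "$2"
fi
```

Run it as the same user that owns the ColdFusion installation and, as the thread repeatedly advises, after backing up the installation directory; the checksum only proves the file is the one Adobe published, not that the update will install cleanly on your server.
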
2015-08-28 01:50:23

Adam,
The update needs to be applied to alleviate the threat, regardless of whether you are using BlazeDS or not.
If you got the impression otherwise, pls. point out the text in the content (here or the referenced technotes), so that I can see if that needs to be rephrased.

Jörg ,
Can you pls. mail the update installation log and the platform details to me at pnayak@adobe.com.
You’ll find them at the following location:
cfusion\hf-updates\hf-11-00006; cfusion\hf-updates\hf-10-00017

Peter,
I still need to check the details on what that bug is about, but it is yet to be fixed. I guess we’ll have to wait for it to be fixed before we can consider shipping it in an update.

2015-08-28 01:36:56

Piyush wrote:
> Pls. elaborate on what’s broken in Update 5.

There were a number of issues, but the key one was JARs being locked:

https://bugbase.adobe.com/index.cfm?event=bug&id=3956389

2015-08-28 01:33:21

Thanks for the workaround Piyush.

Adam, I don’t think it’s that opaque – the Server Monitoring functionality in CFAdmin is presumably making use of Flash Remoting (which is what BlazeDS provides).

Assuming that’s not used for Fusion Reactor, it’ll be ok for us to disable it.

2015-08-28 01:28:00

Hi all,
I have a versioning issue after installing the updates on CF10 and CF11…
I get version 11,0,06,289974 instead of 11,0,06,295053
and version 10,0,17,282462 instead of 10,0,17,295085

should I be worried or are the numbers in the hotfix-info wrong?

2015-08-28 01:00:52

[subscribe]

2015-08-28 00:48:40

@Piyush: so to be clear here… someone who might not think they are using BlazeDS, and accordingly don’t need this fix, could conceivably be leaving themselves exposed if they are using server monitoring?

Can you (ie: Adobe) be a bit less opaque about the reach of this issue? It’s not that clear, I don’t think.

2015-08-28 00:00:06

Peter, Aaron,
You can uncheck “Enable Flash Remoting” checkbox in the ColdFusion Administrator> Data & Services> Flex Integration.
But pls. be warned that this will also disable the Server Monitoring feature in ColdFusion.

2015-08-27 20:35:45

David,
The articles have been updated. Thanks for pointing that out.

Aaron,
All updates since ColdFusion 10 are cumulative.

Matthew,
We’re targeting the fix for 3971083 in the next update release. Update 6 had to be pushed out quickly as it addresses a zero-day vulnerability.

Peter,
Pls. elaborate on what’s broken in Update 5.

2015-08-27 17:02:27

Just as a note, both of these pages should be updated to reflect the newest updates.

https://helpx.adobe.com/coldfusion/kb/coldfusion-10-updates.html

https://helpx.adobe.com/coldfusion/kb/coldfusion-11-updates.html

2015-08-27 13:04:03

+1 to Peter’s request for information on how to disable the vulnerable module.

Also, updates should be module-specific.

Thanks!,
-Aaron

2015-08-27 12:13:26

Update 6 does not have the issue I logged in update 5 within it. Bug 3971083. DEBUG information turned on does not allow the application to run correctly.

https://bugbase.adobe.com/index.cfm?event=bug&id=3971083

Status = Closed, Status = Fixed on bugbase, yet update 6 still has this issue. Come on now.

2015-08-27 11:53:46

So update 6 includes all previous updates, which means it includes update 5, which is broken.

How do people limited to update 4 ensure they are not vulnerable?

Is there a way to ensure Flex/BlazeDS is fully disabled in a way that avoids the security issue? Is removing all flex-related servlet/servlet-mappings from Tomcat going to be enough, or is there more to do?

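Two threads in these comments concern how far BlazeDS reaches on a ColdFusion server: the question above about whether removing the Flex servlet mappings from Tomcat is enough, and Adobe's reply that unchecking "Enable Flash Remoting" in the Administrator also disables Server Monitoring, together with its statement that the update is required whether or not BlazeDS is used. The shell script below is an added example, not part of the original post and not ColdFusion tooling. It reads a `WEB-INF/web.xml`, finds every servlet whose class is in the BlazeDS package `flex.messaging`, and prints the URL patterns Tomcat routes to those servlets, so an administrator can see which paths are network-reachable and block them at the front-end web server or WAF until the update is installed. The embedded web.xml is a constructed, abbreviated sample; the location of the real file (typically under `cfusion/wwwroot/WEB-INF/`) and the exact mappings it contains are assumptions to confirm on your own installation.

```shell
#!/bin/sh
# Added example, not ColdFusion's own tooling: list the URL patterns that
# Tomcat routes to BlazeDS servlets (classes in the flex.messaging package)
# by reading WEB-INF/web.xml. Useful for checking what is reachable from the
# network and for blocking those paths at the web server or WAF until the
# update is installed. The sample web.xml below is constructed and abbreviated;
# the real file is larger and its exact mappings vary by version.

# Print the servlet-name of every <servlet> whose class is flex.messaging.*.
# Records are split on </servlet>; "." in awk matches newlines, so the sub()
# strips everything before the last <servlet> in the record.
blazeds_servlets() {
    awk 'BEGIN { RS = "</servlet>" }
         /<servlet-class>[[:space:]]*flex\.messaging\./ {
             sub(/.*<servlet>/, "")
             if (match($0, /<servlet-name>[^<]*/)) {
                 name = substr($0, RSTART + 14, RLENGTH - 14)
                 gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
                 print name
             }
         }' "$1"
}

# Print every <url-pattern> mapped to the servlet named $2 in web.xml $1.
# Matches the servlet-name element exactly (no surrounding whitespace).
url_patterns_for() {
    awk -v name="$2" 'BEGIN { RS = "</servlet-mapping>" }
         {
             sub(/.*<servlet-mapping>/, "")
             if (index($0, "<servlet-name>" name "</servlet-name>") > 0 &&
                 match($0, /<url-pattern>[^<]*/)) {
                 pat = substr($0, RSTART + 13, RLENGTH - 13)
                 gsub(/^[[:space:]]+|[[:space:]]+$/, "", pat)
                 print pat
             }
         }' "$1"
}

# All URL patterns that reach BlazeDS, one per line.
blazeds_url_patterns() {
    blazeds_servlets "$1" | while read -r name; do
        url_patterns_for "$1" "$name"
    done
}

# Constructed sample with one ColdFusion servlet and one BlazeDS servlet.
write_sample_web_xml() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <servlet>
    <servlet-name>CfmServlet</servlet-name>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>MessageBrokerServlet</servlet-name>
    <servlet-class>flex.messaging.MessageBrokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>MessageBrokerServlet</servlet-name>
    <url-pattern>/flex2gateway/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>MessageBrokerServlet</servlet-name>
    <url-pattern>/messagebroker/*</url-pattern>
  </servlet-mapping>
</web-app>
EOF
}

# Usage: sh blazeds_paths.sh [/path/to/cfusion/wwwroot/WEB-INF/web.xml]
# Without an argument it runs against the constructed sample.
if [ $# -gt 0 ]; then
    blazeds_url_patterns "$1"
else
    sample=$(mktemp)
    write_sample_web_xml "$sample"
    blazeds_url_patterns "$sample"
    rm -f "$sample"
fi
```

Treat the output as an inventory, not a fix: blocking those paths at the web server keeps remote clients away from the vulnerable endpoints, but it also cuts off anything that legitimately uses Flash Remoting (Adobe names Server Monitoring in this thread), and per Adobe's reply here the update has to be applied regardless.
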
2015-08-27 11:26:06

[subscribe]
