UPDATE (10/10/2019): We have now included patches for the 32-bit IIS connector. The download locations are also updated.
Users who installed Update 5 of ColdFusion (2018 release) or Update 12 of ColdFusion (2016 release) encountered an error when accessing the ColdFusion Administrator through their connector port.
A few users reported that the issue might affect all of their websites. It occurs only when you access the ColdFusion Administrator through the web server (connector) port.
We strongly recommend that you access ColdFusion Administrator only using the internal web server port (port 8500) without exposing the port externally.
However, if you still want to use the connector port, use these patches provided for your version of ColdFusion:
Unzip the files to any location on your computer.
To apply the patch, follow the steps below:
IIS
- Navigate to [CF Home]\config\wsconfig\[Magic folder for your connector].
- Take a backup of the file, isapi_redirect.dll.
- Copy the file isapi_redirect.dll from the link provided above.
- Copy it to the location, [CF Home]\config\wsconfig\[Magic folder for your connector].
- Restart the IIS website as well as its Application Pool.
Apache
- Navigate to the [Apache Home]\conf directory. (For ColdFusion 2016, this will be at [CF Home]\config\wsconfig\[Magic folder for your connector].)
- Take a backup of the file, mod_jk.so.
- Copy the file mod_jk.so from the link provided above.
- Copy it to the [Apache Home]\conf directory. (For ColdFusion 2016, this will be at [CF Home]\config\wsconfig\[Magic folder for your connector].)
- Restart the Apache web server.
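As an added example (not code from the Adobe post), the IIS steps above as a PowerShell script; the Apache list is the same sequence with mod_jk.so and an Apache restart. The ColdFusion home, connector (magic) folder, patch path, site and application pool names are assumed parameters, and the script identifies builds by SHA-256 hash rather than by file size, so you can tell which connector is actually installed.

```powershell
# Added example, not part of the Adobe post. Replaces isapi_redirect.dll for one IIS site
# following the steps in the post: back up, copy the patched DLL in, restart pool and site.
# All paths and names below are assumptions; adjust them to your server.
param(
    [string]$CfHome      = 'C:\ColdFusion2018\cfusion',                       # assumed CF home
    [string]$MagicFolder = '1',                                                # assumed wsconfig connector folder
    [string]$PatchDll    = 'C:\Temp\ISAPI_Redirect_Patch\isapi_redirect.dll', # unzipped patch (assumed path)
    [string]$SiteName    = 'Default Web Site',
    [string]$AppPool     = 'DefaultAppPool'
)
Import-Module WebAdministration

$target = Join-Path $CfHome "config\wsconfig\$MagicFolder\isapi_redirect.dll"
if (-not (Test-Path $target))   { throw "Connector DLL not found: $target" }
if (-not (Test-Path $PatchDll)) { throw "Patch DLL not found: $PatchDll" }

# Identify builds by SHA-256, not by byte count: two different builds can have the same size.
$oldHash = (Get-FileHash -Algorithm SHA256 -Path $target).Hash
$newHash = (Get-FileHash -Algorithm SHA256 -Path $PatchDll).Hash
Write-Host "Installed DLL : $oldHash ($((Get-Item $target).Length) bytes)"
Write-Host "Patch DLL     : $newHash ($((Get-Item $PatchDll).Length) bytes)"
if ($oldHash -eq $newHash) { Write-Host 'Patch already applied; nothing to do.'; return }

# Step 1: timestamped backup of the current connector so it can be restored.
$backup = "$target.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
Copy-Item -Path $target -Destination $backup

# Stop the site and pool first: a running w3wp.exe keeps the loaded DLL locked.
if ((Get-WebsiteState    -Name $SiteName).Value -ne 'Stopped') { Stop-Website    -Name $SiteName }
if ((Get-WebAppPoolState -Name $AppPool).Value  -ne 'Stopped') { Stop-WebAppPool -Name $AppPool }
Start-Sleep -Seconds 3   # give the worker process a moment to exit and release the file

# Steps 2-3: copy the patched DLL over the old one.
Copy-Item -Path $PatchDll -Destination $target -Force

# Step 4: restart the application pool and the website.
Start-WebAppPool -Name $AppPool
Start-Website    -Name $SiteName

# Confirm the file on disk is the patched build; otherwise point at the backup.
if ((Get-FileHash -Algorithm SHA256 -Path $target).Hash -ne $newHash) {
    throw "Copy did not take effect; restore from $backup"
}
Write-Host "isapi_redirect.dll replaced. Backup: $backup"
```

Run it from an elevated PowerShell on the web server; the printed hashes let you compare the DLL you received against any other copy in circulation before trusting it.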
CVE-2019-8074
CentOS7
Apache
CF2016
(HTTP response 403) /CFIDE/…
(HTTP response 403) /not-CFIDE/
(HTTP response 403) /not-CFIDE/index.cfm
(HTTP response 400) /index.cfm/..;/CFIDE/…
(HTTP response 400) /index.cfm/..;/not-CFIDE/
(HTTP response 200) /index.cfm/..;/not-CFIDE/index.cfm
I am not in a position to quickly report if/when it updated, but I will say that since it’s there for the sake of the CF features that use it, Adobe wouldn’t necessarily be compelled to point it out. It’s not really meant for others to leverage in their own code, though of course some do. I just mean to say that they don’t make a commitment about expectations regarding it beyond whether it works for the CF features that leverage it.
For what it’s worth, I can confirm for you that there is no mention of jquery regarding any of the previous 11 CF2016 updates, either at the release notes page covering all of them at https://helpx.adobe.com/coldfusion/release-note/coldfusion-2016-updates-release-notes.html, or in any of the individual technotes, per this google search:
site:helpx.adobe.com inurl:coldfusion-2016-update “jquery”
(To be clear, that search WILL find even the latest update 12 technote, if you search for “jdk 12” instead.)
Maybe someone at Adobe will confirm for you if/when it may have changed versions over the life of CF2016, or perhaps someone will do a close analysis of the lib folder and the jquery files to detect if/when it may have changed versions.
HTH
Thanks for the feedback.
I asked about it because I received vulnerability notices from our internal Cyber division about using an out of compliance JQUERY UI version (1.8.16). Thankfully it was updated to 1.12.1 in ColdFusion update 12 (as far as I can tell). I have received a vulnerability notice about ColdFusion having JQUERY version 3.3.1 and am being directed to upgrade to JQUERY 3.4.0 per CVE-2019-11358.
I do think ColdFusion should notify when they upgrade or plan to upgrade their embedded components – especially when those components are subject of vulnerability notices (e.g. CVEs).
Considering that both CFOUTPUT and the ISAPI connector are broken in Update 5, has Adobe given any thought to pulling the update? I mean – why do you continue to distribute what you know to be a problematic update?
Also, what is going on with the QA for ColdFusion? I have not been able to deploy CF2018 to production yet because every single updater has broken a major feature. The ternary operator was broken up until Update 5, and then update 5 broke CFOUTPUT and the ISAPI connector. The team is cranking out tons of new features, but that doesn’t mean squat if we literally can’t use the product because core features are being broken in the process.
What gives? This team has to do better.
This is regarding CF 2016 Update 12.
There are two (at least) versions of the updated isapi_redirect.dll available. I’m using the bug tracker (CF-4205361) for reference, though I have seen the links shared elsewhere.
In one comment, Charlie shared a link (ISAPI_Redirect_Patch) that had two folders (Binaries and CF2016 Binaries) and the DLL. I downloaded the DLL and it resolved the 404 error reported by the connector. Interestingly, this DLL is the exact same size (515,584 bytes, 504k) as the buggy connector file that came with update 12, though they are different.
In another comment, Kailash shared a link (CF2016 Binaries) that has four folders for various operating systems. I assume that CF2016 Binaries folder is the same as the one that’s in Charlie’s link, though you can’t tell by the URLs, and you can’t navigate up the tree. I downloaded the DLL in Windows/IIS/64bit, and noticed that it’s smaller (488,448 bytes, 477k) than the other one, as well as the one that came with the update. The previous connector used on the server from (I think) updates 8/9, is 486,400 bytes.
This post links to a zip file that contains basically the contents of the CF2016 Binaries folder shared on Dropbox, though the 32-bit version is missing for IIS. The DLL in this file is identical to the one found in the link shared by Kailash.
So which of these is correct? The first one is the same size as the connector that came with the update (which seems reasonable since it’s a fix). The second is only slightly larger than the previous connector, which would make sense if a bunch of code was removed.
Thanks.
ST, a couple of things: I didn’t share any link to files. Instead, I quoted Kailash who shared the link. And that was on the 7th (in a comment on that ticket you point to). Then it was on the 8th that Kailash made another comment, sharing yet another link. Why they differ, I can’t say, but it was a day later. It could be that the second was newer.
More important, you don’t seem to discuss comparing things to what Saurav has shared here in THIS post, which is yet a day later? Really, these files he has shared here would seem to take precedence over even the two sets shared by Kailash so far.
Make sense?
This is great to see, Saurav. Thanks. (Folks have been left to dig through forum posts and bug tracker tickets to find this info and these links, formally shared from someone at Adobe.)
Could we now get a post for that other hotfix jar that Adobe is sharing, addressing the few other issues introduced in the most recent update? That (including info on how to apply it) would be VERY helpful.