Error after accessing ColdFusion Administrator using connector port

October 9, 2019

SauravGhosh Follow

(1)

Comments

(17)

October 9, 2019

Error after accessing ColdFusion Administrator using connector port

SauravGhosh Follow

(1)

(17)

(1)

UPDATE (10/10/2019): We’ve have now included patches for 32-bit IIS connector. The locations are also updated.

Users who had installed Update 5 of ColdFusion (2018 release) and Update 12 of ColdFusion (2016 release) encountered an error after they’d tried accessing the ColdFusion Administrator using their connector port.

The issue was reported by a few users that it might impact all their websites. This issue appears if and only if you access the ColdFusion Administrator using the web server port.

We strongly recommend that you access ColdFusion Administrator only using the internal web server port (port 8500) without exposing the port externally.

However, if you still want to use the connector port, use these patches provided for your version of ColdFusion:

Unzip the files to any location in your computer.

To apply the patch, follow the steps below:

IIS

Navigate to [CF Home]\config\wsconfig\[Magic folder for your connector].
Take a backup of the file, isapi_redirect.dll.
Copy the file isapi_redirect.dll from the link provided above.
Copy it to the location, [CF Home]\config\wsconfig\[Magic folder for your connector].
Restart the IIS website as well as it’s Application Pool.

Apache

Navigate to [Apache Home]\conf directory. (For ColdFusion 2016, this will be at [CF Home]\config\wsconfig[Magic folder for your connector])
Take a backup of the file, mod_jk.so.
Copy the file mod_jk.so file from the link provided above.
Copy it to this location [Apache Home]\conf directory. (For ColdFusion 2016, this will be at [CF Home]\config\wsconfig[Magic folder for your connector]).
Restart the Apache web server.

apache

connector

iis

isapi_redirect.dll

(1)

SauravGhosh Follow

17 Comments

semihakartuna

Jan 8, 2020

semihakartuna

Jan 8, 2020

thank u

()

kazu98296633

Oct 24, 2019

kazu98296633

Oct 24, 2019

CVE-2019-8074

CentOS7
Apache
CF2016

(HTTP response 403) /CFIDE/…
(HTTP response 403) /not-CFIDE/
(HTTP response 403) /not-CFIDE/index.cfm

(HTTP response 400) /index.cfm/..;/CFIDE/…
(HTTP response 400) /index.cfm/..;/not-CFIDE/
(HTTP response 200) /index.cfm/..;/not-CFIDE/index.cfm

()

CRAIG PENROSE_39

Oct 15, 2019

CRAIG PENROSE_39

Oct 15, 2019

Did the JQuery UI update from 1.8.16 to 1.12.1 in Cold Fusion 2016 update 12? If not release 12 then what release? How come the JQuery UI update is not noted in the release notes?

()

(3)

Charlie Arehart

CRAIG PENROSE_39

's comment

Oct 15, 2019

Charlie Arehart

Oct 15, 2019

CRAIG PENROSE_39

's comment

I am not in a position to quickly report if/when it updated, but I will say that since it’s there for the sake of the CF features that use it, Adobe wouldn’t necessarily be compelled to point it out. It’s not really meant for others to leverage in their own code, though of course some do. I just mean to say that they don’t make a commitment about expectations regarding it beyond whether it works for the CF features that leverage it.

For what it’s worth, I can confirm for you that there is no mention of jquery regarding any of the previous 11 CF2016 updates, either at the release notes page covering all of them at https://helpx.adobe.com/coldfusion/release-note/coldfusion-2016-updates-release-notes.html, nor in any of the individual technotes, per this google search:

site:helpx.adobe.com inurl:coldfusion-2016-update “jquery”

(To be clear, that search WILL find even the latest update 12 technote, if you search for “jdk 12” instead.)

Maybe someone at Adobe will confirm for you if/when it may have changed versions over the life of CF2016, or perhaps someone will do a close analysis of the lib folder and the jquery files to detect if/when it may have changed versions.

HTH

()

CRAIG PENROSE_39

Charlie Arehart

's comment

Oct 15, 2019

CRAIG PENROSE_39

Oct 15, 2019

Charlie Arehart

's comment

Thanks for the feedback.

I asked about it because I received vulnerability notices from our internal Cyber division about using an out of compliance JQUERY UI version (1.8.16). Thankfully it was updated to 1.12.1 in Cold Fusion update 12 (as far as I can tell). I am received a vulnerability notice about Cold fusion having JQUERY version 3.3.1 and am being directed to upgrade to JQUERY 3.4.0 per CVE 2019-11358.

I do think Cold Fusion should notify when they upgrade or plan to upgrade their embedded components – especially when those components are subject of vulnerability notices (e.g. CVEs).

()

Charlie Arehart

CRAIG PENROSE_39

's comment

Oct 16, 2019

Charlie Arehart

Oct 16, 2019

CRAIG PENROSE_39

's comment

That’s a fair point. I will leave it for them to respond to.

()

roland.collins

Oct 15, 2019

roland.collins

Oct 15, 2019

Considering that both CFOUTPUT and the ISAPI connector are broken in Updated 5, has Adobe given any thought to pulling the update? I mean – why do you continue to distribute what you know to be a problematic update?

Also, what is going on with the QA for ColdFusion? I have not been able to deploy CF2018 to production yet because every single updater has broken a major feature. The ternary operator was broken up until Update 5, and then update 5 broke CFOUTPUT and the ISAPI connector. The team is cranking out tons of new features, but that doesn’t mean squat if we literally can’t use the product because core features are being broken in the process.

What gives? This team has to do better.

()

ellipsisces1292chris

Oct 11, 2019

ellipsisces1292chris

Oct 11, 2019

While this is great creating a post for folks to download update jar/dll connector, it would be better for everyone to issue a separate HF to address all patch fixes. What do you think?

()

(1)

Scott15205

Oct 10, 2019

Scott15205

Oct 10, 2019

I’ve tried to access the links for both 2016 and 2018, but neither one is working now. Did they pull these patches?

()

(2)

sthompson

Oct 10, 2019

sthompson

Oct 10, 2019

This is regarding CF 2016 Update 12.

There are two (at least) versions of the updated isapi_redirect.dll available. I’m using the bug tracker (CF-4205361) for reference, though I have seen the links shared elsewhere.

In one comment, Charlie shared a link (ISAPI_Redirect_Patch) that had two folders (Binaries and CF2016 Binaries) and the DLL. I download the DLL and it resolved the the 404 error reported by the connector. Interestingly, this DLL is the exact same size (515,584 bytes, 504k) as the buggy connector file that came with update 12, though they are different.

In another comment, Kailash shared a link (CF2016 Binaries) that has four folders for various operating systems. I assume that CF2016 Binaries folder is the same as the one that’s in Charlie’s link, though you can’t tell by the URLs, and you can’t navigate up the tree. I downloaded the DLL in Windows/IIS/64bit, and noticed that it’s smaller (488,448 bytes, 477k) than the other one, as well as the one that came with the update. The previous connector used on the server from (I think) updates 8/9, is 486,400 bytes.

This post links to a zip file that contains basically the contents of the CF2016 Binaries folder shared on Dropbox, though the 32-bit version is missing for IIS. The DLL in this file is identical to the one found in the link shared by Kailash.

So which of these is correct? The first one is the same size as the connector that came with the update (which seems reasonable since it’s a fix). The second is only slightly larger than the previous connector, which would make sense if a bunch of code was removed.

Thanks.

()

(2)

Charlie Arehart

sthompson

's comment

Oct 10, 2019

Charlie Arehart

Oct 10, 2019

sthompson

's comment

ST, a couple of things: I didn’t share any link to files. Instead, I quoted Kailash who shared the link. And that was on the 7th (in a comment on that ticket you point to). then it was on the 8th that Kailash made another comment, sharing yet another link. Why they differ, I can’t say, but it was a day later. It could be that the second was newer.

More important, you don’t seem to discuss comparing things to what Saurav has shared here in THIS post, which is yet a day later? Really, these files he has shared here would seem to take precedence over even the two sets shared Kailash so far.

Make sense?

()

SauravGhosh

Charlie Arehart

's comment

Oct 10, 2019

SauravGhosh

Oct 10, 2019

Charlie Arehart

's comment

Charlie,

Both sets contain the same dll and so files. That only change is in the locations specified to host the files. Earlier, we’d shared via Dropbox, but now we’ve changed it to Document cloud.

Thanks.

()

Charlie Arehart

Oct 9, 2019

Charlie Arehart

Oct 9, 2019

This is great to see, Saurav. Thanks. (Folks have been left to dig through forum posts and bug tracker tickets to find this info and these links, formally shared from someone at Adobe.)

Could we now get a post for that other hotfix jar that Adobe is sharing, addressing the few other issues introduced in the most recent update? That (including info on how to apply it) would be VERY helpful.

()

(1)

Add Comment

You must be logged in to post a comment.