Note: This blog post is from 2014. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

Of course, in CF10 it's easier now because of the built-in "server updates" feature of the CF Admin. But in earlier releases, it was all on you to both keep up on the updates and to apply them manually. And a lot of people either never bothered, or may have tried and failed, or did it but got it wrong.

What you need to know

So in this blog entry, I some key info that will help you, if you may be in need of applying one or more of those updates to CF9 and earlier. Indeed, I'll point to some past entries I've done where I shared a lot more detail that I find is vital and rarely mentioned when some people try to share just the bare minimum of info (often leaving people hanging).

For instance, I'll help you answer such questions as what hotfixes do you already have applied? How do you find out? And you need to know exactly what version of CF you have, whether 9.0/9.0.1/9.0.2, 8.0/8.0.1, 7.0/7.0.1/7.0.2, and so on. I'll explain how to tell and why that's important, and especially when it comes to finding and applying hotfixes. And if you have applied hotfixes, are you sure you have done it right? It's easy to get things wrong and botch things. I'll help you avoid several very common mistakes.

(That's why it's so great that CF10 finally handles things for us. But this entry, focused on 9 and earlier, is not the place to discuss concerns with the CF10 hotfix mechanism. If you have questions or concerns about that, see the substantial CF10 Hotfix Installation Guide from Adobe, a 50-question FAQ on all things related to that feature.)

I'll also point you to where to find hotfixes and installers for CF9 and earlier (not as easy as it may seem), and still more.

If any of that's of interest, and I hope it is if you're on CF9 or earlier, then read on.

[....Continue Reading....]

Note: This blog post is from 2014. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

But guess what: it technically only has changes related to Mac OS X (specifically adding support for its Mavericks version).

This is addressed if you read the technote that the update text points to, or the Adobe blog entry from last night which announced the update (more on these in a moment.) Those DO indicate that if you are not running that OS, you need not apply the update. (And the day after I wrote this entry, this indication was added to the update text itself.)

But what if you are on Windows (or another *nix variant besides OS X)? Should you apply it? What if you do? (there's NO PROBLEM!) What if you don't? And given that the update text says you need to reconfigure the web server connector, do you really need to bother on Windows?

And what if you are installing CF10 for the first time, since you DO need to apply updates upon installation? (you can either apply update 13 or 12, but you must apply at least one of them to be fully updated.)

As important, how might Adobe have better clarified this, and how might they make a simple change now related to that (they since did)?

I address in this entry these questions and a few other concerns I have, about confusion that may ensue.

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

I wanted to point out to my readers that I have proposed two talks. The first one I gave at the Adobe CF summit last month and was very well-received. You can see the description and VOTE button on each of the following pages:

CF911: Solving Frequent CF Server Problems in New/Better Ways (click to visit, then vote)

The second is one that I gave to the Atlanta CFUG earlier this year.

Updating/Hotfixing ColdFusion 10, 9 and 8: Tips and Traps (click to visit, then vote)

Both are full of surprising and helpful tips, based on my experience helping hundreds of shops with related issues in my CF server troubleshooting services. But the talks are not "sales pitches".

They're goal is to be just like my blog entries here, and my past talks: I just want to help people find, understand, and resolve problems with their CF servers. It's wonderful to be able to help people come away more confident and capable in managing their servers, whether from the consulting sessions, the talks, the blog entries, the cf911.com wiki of cf server troubleshooting resources, the cf411.com site of tools and resources of interest to CFers, and so on.

Anyway, if these talks sound interesting, please go add your votes using the link for each above, and click the vote option that then appears. And of course, vote for all the other talks you think ought to be invited. The board uses your votes, so every vote counts.

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

In this entry, I want to throw in another reason why it's important to make sure you properly update (reconfigure/rebuild/upgrade) your web server connector after applying certain CF10 updates, or if applying only the latest update for the first time to a newly installed CF10 instance.

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

In brief, a VERY common problem is that while they MAY WELL have applied the provided "updates" for CF, folks often do NOT notice that they may have to (and generally must) "update" the web server "connector" (if they are using an external web server, like IIS or Apache) as a separate manual step, after applying the update.

I explain here what that means, how do to it, and why you may miss that you need to.

Update in 2019:

Since writing this entry, I did one in 2019 on When and how to upgrade CF web server connector, easier since CF2016, which at least makes it EASIER to upgrade, though much of what I write here still applies. I also updated this post since originally writing it, in ways discussed below.

(Or if you'd rather just have me help you quickly help you analyze and rectify your situation, whether with regard to the connectors or any other CF server troubleshooting, I can do that in a brief consulting session, likely less than an hour, remotely and securely. I provide all the detail here for those who prefer to "go it on their own". For more on my consulting services, including rates, approach, satisfaction guarantee, and more, see the consulting page at carehart.org.)

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

Should you? What do you gain? what do you lose? what are some gotchas? That's what this blog entry is about, answering the following questions:

• First, what is ColdFusion 9.0.2? Why did Adobe create it?
• What about the 9.0.1 updater? Can we still get that? Yes.
• So what all does 9.0.2 add and remove?
• If I download CF 9 today, what do I get?
• "But if I download 9.0.2 today, I get the latest version of it available, right? I don't need to add hotfixes, do I?" Wrong.
• Warning: DO NOT install 9.0.1 atop 9.0.2 (nothing will stop you)
• If I am on 9.0 or 9.0.1, how can I get to 9.0.2?
• Why might I want to get to 9.0.2 from 9.0 or 9.0.1?
• How did i miss this? Was 9.0.2 discussed? Yes it was.

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

Anyway, here is the answer I wanted to offer to that question...

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

As an update since I first wrote this, it turns out this issue may or may not affect you depending on a couple of variables, which I will discuss, with a prefix of "update:" below. But don't dismiss this thinking you are not affected. I would propose that still far more CF servers may be exposed than not, as I will explain.

The CF Admin has (for several releases) offered an option called, "Use UUID for cftoken" (in the "Settings" section), and it's been intended as a security measure. Its purpose is to cause CF to use a UUID value (a long, complex string of numbers and letters) for the CFTOKEN cookie (and session variable) that CF generates, versus what used to be a simple, 8-digit value. This cookie, along with the simpler and incrementing CFID, is used to connect users to the session and/or client scope values created for that user in CF code.

Some may be surprised to learn, though, that while this setting DOES cause CF to *create* such UUID-formatted CFTOKEN values for requests that do not already present a CFTOKEN cookie, it does NOT necessarily cause CF to block any continued use of such simple, 8-digit cftoken cookies.

In other words, browsers which had visited your site before you turned on "use uuid for cftoken" would still send the 8 character cftoken they already had, not a uuid, and that could be accepted as valid by CF, even with that setting on, under certain conditions. (And the user will not be sent any new cftoken cookie in a UUID format, in CF's response, in those conditions.)

There's good and bad news related to this fact, which I will elaborate on below.

Update: Since writing this entry, I learned of a couple of factors that influence if and when this is a problem.

1. It turns out that if you are using CF10, or CF9 or 8 with the "session fixation" hotfix (APSB11-04), then the problem only happens until you restart CF. The Admin does not currently warn you of this, so beware that you will have the exposure below until you do restart. (If you have added one of the later security hotfixes or cumulative hotfixes that came out since then, then you have gotten the fix.) This fix causes CF to create a new UUID-based CFTOKEN, if you turn on this feature at least (and after a restart) when a browser presents a previously created 8-digit cftoken.
2. On the other hand, even if you are running CF 10, or running 8 or 9 and HAVE applied that hotfix, note that if you TURN OFF that fixation protection (by adding the -Dcoldfusion.session.protectfixation=false value to your jvm.config, as discussed in that technote), then you are back to the state that I discuss below.
3. And of course, if you are on CF 8 or 9 and have NOT yet applied that APSB11-04 hotfix (or a later cumulative one that includes it), then you are indeed still vulnerable.

So that leaves still many people who could be affected by this. Even if it seems you may not be, you may want to continue reading this entry to understand what the issue is about, for you and others who may be impacted by it.

[....Continue Reading....]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

• Updating/Hotfixing #ColdFusion 10, 9 and 8: Tips and Traps
• Locking down the #ColdFusion Administrator: Your First Line of Defense Against Hackers

For more details on the talks, or to get the slides once I post them (likely right after the meeting), please see the links for the two sessions above.

And if you may want to attend, please RSVP.

I may offer these later on the Online ColdFusion Meetup or perhaps one of the remaining CF conferences this year, if I may be selected to speak.

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

Important hotfix-related notes for ColdFusion 9 and ColdFusion 10

What is this about? and why is it important? Read on below, as the document itself and current links from Adobe don't quite convey its significance, I think. For more perspective, I discuss below both what has happened to many folks after applying ColdFusion security hotfixes in recent years, and how this document helps.

[....Continue Reading....]