Issue

Note: This technote and the attachments were updated on 05/21/2010. Review this technote again.

An issue when this security fix was applied with Cumulative Hot Fix 4 for ColdFusion 8.0.1 has been identified and resolved. A naming conflict caused this issue.

Vulnerability CVE-2010-1294, included in this security fix, now prevents unauthorized access to datasources via the Service Factory. This vulnerability possibly caused issues with certain frameworks/applications that were accessing datasources without proper authentication. The fix has been updated to correct these issues by allowing unauthenticated access to only the datasource connection. Details of the datasource are only allowed with authenticated access.

ColdFusion 9.0, 8.0.1 and 8.0 are affected with the issue mentioned in the security bulletin APSB10-11. This technote provides fixes for the security issues along with the installation instructions. 

Solution

Follow the instructions below to apply the fix to the different versions of ColdFusion. Don't apply these fixes to any beta or pre-release version of ColdFusion.

ColdFusion 9 

1. Download hf900-00001.zip and extract hf900-00001.jar.
2. Open the ColdFusion Administrator and select the System Information page by clicking on the "i" icon in the upper-right corner.
3. In the Update File box, enter the full path to the extracted file hf900-00001.jar. You can also use the Browse button to browse to the file and select it. Click Submit.
4. Repeat steps 2 and 3 for each of the instances.
5. Download CFIDE-9.zip.
6. Make a backup of the {CFIDE-Home}\administrator\login.cfm, {CFIDE-Home}\componentutils\login.cfm and {CFIDE-Home}\wizards\common\_logintowizard.cfm files.
7. Extract the files in CFIDE-9.zip to the web root directory that consists of CFIDE folder. The Server Settings > Mappings page in the ColdFusion Administrator shows the location of the CFIDE directory in the value for the CFIDE mapping.
8. Repeat steps 6 and 7 if there are other CFIDE directories identified in any other instances.
9. Restart all the ColdFusion instances.

ColdFusion 8.0.1

1. Download hf801-00001.zip and extract hf801-00001.jar.
2. Open the ColdFusion Administrator and select the System Information page by clicking on the "i" icon in the upper-right corner.
3. In the Update File box, enter the full path to the extracted file hf801-00001.jar. You can  also use the Browse button to browse to the file and select it. Click Submit. 
4. Repeat steps 2 and 3 for each of the instances.
5. Download CFIDE-801.zip.
6. Make a backup of the {CFIDE-Home}\administrator\login.cfm, {CFIDE-Home}\componentutils\login.cfm and {CFIDE-Home}\wizards\common\_logintowizard.cfm files.
7. Extract the files in CFIDE-801.zip to the web root directory that consists of CFIDE folder. The Server Settings > Mappings page in the ColdFusion Administrator shows the location of the CFIDE directory in the value for the CFIDE mapping.
8. Repeat steps 6 and 7 if there are other CFIDE directories identified in any other instances.
9. Restart all the ColdFusion instances. 

ColdFusion 8

1. Download hf800-00001.zip and extract hf800-00001.jar.
2. Open the ColdFusion Administrator and select the System Information page by clicking on the "i" icon in the upper-right corner.
3. In the Update File box, enter the full path to the extracted file hf800-00001.jar. You can also use the Browse button to browse to the file and select it. Click Submit. 
4. Repeat steps 2 and 3 for each of the instances.
5. Download CFIDE-8.zip.
6. Make a backup of the {CFIDE-Home}\administrator\login.cfm, {CFIDE-Home}\componentutils\login.cfm and {CFIDE-Home}\wizards\common\_logintowizard.cfm files.
7. Extract the files in CFIDE-8.zip to the web root directory that consists of CFIDE folder. The Server Settings > Mappings page in the ColdFusion Administrator shows the location of the CFIDE directory in the value for the CFIDE mapping.
8. Repeat steps 6 and 7 if there are other CFIDE directories identified in any other instances.
9. Restart all the ColdFusion instances.