PROBLEM:
ColdFusion 9.0.1, ColdFusion 9, ColdFusion 8.0.1, and ColdFusion 8 are affected by the vulnerabilities described in security bulletins APSB11-14 and APSB11-15.
ColdFusion 9.0.1, 9.0, 8.0.1 and 8.0 for Windows, Macintosh and UNIX (APSB11-14);
ColdFusion integrated/installed with LCDS (APSB11-15)
PLATFORM:
ColdFusion 9.0.1, 9.0, 8.0.1 and 8.0 for Windows, Macintosh and UNIX
ABSTRACT:
Vulnerabilities have been identified in ColdFusion 9.0.1 and earlier versions for Windows, Macintosh and UNIX. These vulnerabilities could lead to a cross-site request forgery (CSRF) or a remote denial-of-service (DoS).
Adobe recommends users update their product installation using the instructions provided below.
REFERENCE LINKS:
AP Vulnerability ID: APSB11-14
Adobe Security Advisories
AP Vulnerability ID: APSB11-15
ColdFusion Security Hotfix Installation Link
IMPACT ASSESSMENT:
Medium
Discussion:
CVE-2011-2091: Unspecified vulnerability in Adobe ColdFusion 8.0, 8.0.1, 9.0, and 9.0.1 allows remote attackers to cause a denial of service via unknown vectors.
Other references:
Tech Bulletin T-549
CVE-2011-0736
CVE-2011-0737
Impact:
1. The hotfix files include some of the previous security hotfixes.
2. The CSRF protection requires that Session Management is enabled. If session variables are disabled in the ColdFusion Administrator, the CSRF protection added by this hotfix is not in effect.
3. If ColdFusion throws the exception "java.io.FileNotFoundException: ../logs/esapiconfig.log" after the hotfix is applied, edit /lib/log4j.properties and replace the relative path for "esapiconfig.log" with an absolute path.
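The following POSIX shell helper is an added example for note 3; it is not part of Adobe's bulletin or hotfix. It assumes the log4j property that names the log file uses the standard FileAppender key ending in ".File" and that the ColdFusion instance directory passed to it contains a logs subdirectory; the property name and the sample file contents in the usage comments are constructed for illustration. It leaves commented-out lines and values that are already absolute untouched, and keeps a backup of the original file.

```bash
#!/bin/sh
# Added example (not from Adobe's bulletin or the hotfix): rewrite a relative
# esapiconfig.log path in a ColdFusion log4j.properties to an absolute one.
#
# Assumptions (not stated in the bulletin):
#   - the file-path property key ends in ".File" (log4j FileAppender convention)
#   - the ColdFusion instance root passed as CF_DIR contains a "logs" directory
#   - CF_DIR contains no '|', '&' or '\' characters (they would need escaping
#     in the sed replacement below)

# Regex for an uncommented ".File" property whose esapiconfig.log value does
# not begin with "/". Lines starting with "#" are comments and never match.
ESAPI_REL_RE='^([^=#]+\.File[[:space:]]*=[[:space:]]*)[^/][^[:space:]]*esapiconfig\.log[[:space:]]*$'

# has_relative_esapi_path PROPERTIES_FILE
# Returns 0 if the file still names esapiconfig.log with a relative path.
has_relative_esapi_path() {
    grep -Eq "$ESAPI_REL_RE" "$1"
}

# fix_esapi_log_path PROPERTIES_FILE CF_DIR
# Rewrites every relative esapiconfig.log path to "$CF_DIR/logs/esapiconfig.log".
# Writes PROPERTIES_FILE.bak first so the change can be reverted.
fix_esapi_log_path() {
    props="$1"
    cfdir="$2"
    [ -f "$props" ] || { echo "no such file: $props" >&2; return 1; }
    [ -d "$cfdir/logs" ] || { echo "no logs directory under: $cfdir" >&2; return 1; }
    cp "$props" "$props.bak" || return 1
    # Keep the key and '=' (group 1), replace only the value. Write to a temp
    # file and move it into place: portable across GNU and BSD sed.
    sed -E "s|$ESAPI_REL_RE|\\1$cfdir/logs/esapiconfig.log|" "$props" > "$props.tmp" \
        && mv "$props.tmp" "$props"
}

# Usage, given a constructed file (paths and key names are illustrative):
#   printf 'log4j.appender.ESAPI.File=../logs/esapiconfig.log\n' > /opt/coldfusion9/lib/log4j.properties
#   fix_esapi_log_path /opt/coldfusion9/lib/log4j.properties /opt/coldfusion9
#   has_relative_esapi_path /opt/coldfusion9/lib/log4j.properties && echo "still relative"
```

Run has_relative_esapi_path before and after the fix; a non-zero exit after the rewrite confirms that no uncommented ".File" property still points at a relative esapiconfig.log. If the hotfix's log4j.properties uses a different key name, adjust ESAPI_REL_RE rather than the replacement.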
Solution:
If you installed the hotfix for ColdFusion 9 or ColdFusion 8 and then upgraded to ColdFusion 9.0.1 or ColdFusion 8.0.1, ensure that you also apply the security hotfix for the updated version. ColdFusion Security Hotfix
ColdFusion integrated/installed with LCDS