ColdFusion Security Updates

We discussed security update APSB13-19 in our previous post. Below are the details of ColdFusion 10 Update 11 (which includes APSB13-19) and what it fixes. Secure your ColdFusion applications and servers before the vulnerability it addresses is exploited.

What’s covered in ColdFusion 10 Update 11

ColdFusion 10 Update 11 (released July 9, 2013) adds support for 64-bit COM interoperability, Microsoft SQL Server 2012 and MySQL 5.6, along with several important bug fixes. It includes all the bug fixes from previous ColdFusion 10 updates and addresses the vulnerability described in security bulletin APSB13-19.

Note:

This update is specific to ColdFusion 10 only.

Issues fixed

Bug # | Title | Product Area
3331802 | Error accessing Server Updates page in the ColdFusion Administrator after disabling "enable session variables" | Administrator
3338825 | SerializeJSON casts multiple zero values as number instead of string | AJAX
3322342 | SerializeJSON does not preserve case when using a mix of array notation and dot notation | AJAX
3148178 | ColdFusion 10 does not maintain sessions when using the CFFILEUPLOAD action page | AJAX
3369530 | Frequent key collisions result in ColdFusion returning an incorrect result-set when using a cached query with queryparams | Caching
3327626 | Error on application startup when using ORM secondary cache | Caching
3503195 | ColdFusion 9 watermark is shown for charts in ColdFusion 10 Developer edition | Charting/Graphing
3040504 | COM Interoperability with ColdFusion on 64-bit Windows throws 32-bit DLL error | COM/DCOM
3506758 | Unable to execute queries on MySQL 5.6 | Database
3086162 | Unable to read a file from RAM using CFSPREADSHEET tag | Document Management
3195198 | CFDIRECTORY throws an exception when it encounters an inaccessible directory during a recursive list action | File Management
3042909 | CFSPREADSHEET action="write" cannot be used to write files to the VFS | File Management
3568982 | instances.xml picked from the wrong location for a non-cfusion instance | HotFix Installer
3519719 | Users should be notified in case a problem is encountered when applying an update using the ColdFusion Administrator | HotFix Installer
3373350 | Server Update Notification uses invalid "FROM" email address | HotFix Installer
3367866 | "Select all" option in ColdFusion updater doesn't work | HotFix Installer
3564451 | Error applying update on a non-cfusion instance if cfusion instance is not selected | Installation/Config
3340564 | CGI.ALL_HTTP variable does not exist (IIS, all versions) | Installation/Config
3339175 | "coldfusion status" command fails silently on Linux | Installation/Config
3482734 | Bug in shorthand struct notation causes preceding statement to be skipped | Language
3347145 | Extension to 3309220: change of behaviour from CF 9 when persisting UTC date/time | Language
3341284 | When a struct is created by copying arguments using structCopy, any new key added to it will not show up in the keylist or cfdump | Language
3298179 | ColdFusion 10 form variable functionality change relating to case of variables | Language
3175667 | SerializeJSON() does not fully serialize array of entities from EntityLoad | Language
3583147 | Issue with ORMReload() and Secondary Cache | ORM Support
3348839 | Using RestInitApplication("/mymapping", "servicename") results in an exception in the ColdFusion Administrator after server restart | REST Services
3348054 | RestInitApplication does not work in the case of multiple applications if application-specific mappings are used | REST Services
3342142 | RESTful web services do not correctly handle character encoding | REST Services
3575825 | Archive wizard displays an exception if an attempt is made to archive a task with an event handler but no defined URL | Scheduler
3575011 | Exception when application tasks are defined without an application name | Scheduler
3366182 | PauseAll/ResumeAll does not work when expired scheduled tasks are present | Scheduler
3364661 | Invoking the event handler for onMisfire does not work | Scheduler
3362794 | cfschedule throws an error if the list of dates in the Exclude attribute contains spaces after the comma delimiter | Scheduler
3358899 | Using CFSCHEDULE tag with action="PauseAll" causes an error if you have chained tasks at the server or application level | Scheduler
3335521 | When an application-mode task is paused via the ColdFusion Administrator, its mode is changed to the application's name | Scheduler
3218423 | Migrated scheduled tasks show incorrect information | Scheduler
3194042 | Inconsistent use of underscores in CFSCHEDULE's result fields and attribute values | Scheduler
3194041 | Task names become UPPERCASE upon .CAR deploy or server restart | Scheduler
3179290 | CAR wizard only archives tasks if mode="server" and group="default" | Scheduler
3178809 | Paused tasks misfire upon .CAR deploy | Scheduler
3167859 | If a task name begins with a special character (e.g. a space), editing the task gives an error | Scheduler
3141655 | Paused tasks are misfired on restart of ColdFusion | Scheduler
APSB13-19 | Security hotfix addresses a vulnerability that could permit an attacker to invoke public methods on ColdFusion Components (CFC) using WebSockets | Security
3488063 | IIS 404 custom error handler URLs that are .CFM files do not consistently return entire document | Web Container (Tomcat)
3493943 | Adding a new instance corrupts commons-daemon-native.tar.gz | Web Container (Tomcat)
3426811 | CGI.server_port information incorrect when using any type of port forwarding | Web Container (Tomcat)
3531653 | ColdFusion 10 web services fail in IIS virtual folders | Web Services
3344353 | Web services will not be served from https with stock ColdFusion 10 install | Web Services
3342995 | [ANeff] Bug for: typo in WSPublish() exception | Web Socket
3342991 | [ANeff] Bug for: typo subscribercount_callbackHanlders (dl, not ld) in cfwebsocketChannel.js | Web Socket
3330785 | CGI Scope getting reset by websocket handler | Web Socket
3587627 | Error when using Web Socket to invoke a CFC function that returns the CGI scope | Web Socket
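A quick way to confirm that a server actually carries Update 11, and therefore the APSB13-19 fix, is to read the version the server reports rather than trusting the install log. The page below is an added example written for this post; it is not part of the original article and not Adobe's code. It parses `server.coldfusion.productversion`, a comma-separated string in which ColdFusion 10 reports the update number as the third element; the sample version strings used for the self-test are constructed, and the `server.coldfusion.updatelevel` key is assumed to carry the same update number that the Administrator's Server Updates page shows.

```cfml
<cfscript>
// Added example: verify the ColdFusion 10 update level before relying on
// the APSB13-19 fix being present. Run it as a .cfm page on the server.

// Returns the update number from a ColdFusion 10 productversion string
// (format assumed: major,minor,update,build). Returns 0 if unparseable.
numeric function updateLevelFromVersion(required string productVersion) {
    if (listLen(arguments.productVersion, ",") < 3) {
        return 0;
    }
    return val(listGetAt(arguments.productVersion, 3, ","));
}

// True only for ColdFusion 10 with Update 11 or later applied.
boolean function hasApsb1319Fix(required string productVersion) {
    var major = val(listFirst(arguments.productVersion, ","));
    return (major == 10 && updateLevelFromVersion(arguments.productVersion) >= 11);
}

// Self-test on constructed sample strings (build numbers are placeholders),
// so a parser mistake cannot masquerade as a patched server.
if (hasApsb1319Fix("10,0,10,11111") || !hasApsb1319Fix("10,0,11,22222")
    || hasApsb1319Fix("9,0,2,33333") || hasApsb1319Fix("garbage")) {
    throw(type="CheckError", message="Version parser self-test failed");
}

liveVersion = server.coldfusion.productversion;
writeOutput("ColdFusion version: " & liveVersion & "<br>");

// Assumption: server.coldfusion.updatelevel mirrors the Administrator's
// reported update number; shown only when the key exists.
if (structKeyExists(server.coldfusion, "updatelevel")) {
    writeOutput("Reported update level: " & server.coldfusion.updatelevel & "<br>");
}

if (hasApsb1319Fix(liveVersion)) {
    writeOutput("Update 11 or later is installed; APSB13-19 is addressed.");
} else {
    writeOutput("Update 11 is NOT installed; apply it before exposing WebSocket endpoints.");
}
</cfscript>
```

Place the page where only administrators can reach it and remove it afterwards: the exact version string is useful reconnaissance for anyone probing the server. On the hardening side, the APSB13-19 issue is a reminder not to rely on a CFC method being merely `public` to keep it off the wire. Mark only the methods clients are meant to call `access="remote"` and keep internal helpers `private` or `package`, so an endpoint that reaches further than intended, as the WebSocket handler did before this update, finds less to call.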

See Adobe's ColdFusion 10 Update 11 notes for more details.

If you have any questions or need any help with ColdFusion 10 installation, ColdFusion 10 updates installation or migrating to ColdFusion 10, contact us.

Reference(s): ColdFusion Help / ColdFusion 10 Update 11