Security Hotfix APSB10-18 for MX7 ?
I just read about the APSB10-18 vulnerability (http://www.adobe.com/support/security/bulletins/apsb10-18.html).
Since it says it is "... identified in ColdFusion 9.0.1 and earlier versions for Windows..." does that mean version 7 has this vulnerability as well?
If so, is there a patch for MX7 or do I need to upgrade?
If I need to upgrade, which would be the better choice - 8 or 9?
Many thanks in advance,
Richard
Well, to answer my own question, after some testing, this is all that is needed to re-enable the validation functionality.
C:\Inetpub\wwwroot\CFIDE\scripts
My concern however is whether deleting all other CFIDE subfolders will take care of this problem, or does the exploit somehow access other core functionality of Coldfusion.
I'm scared.
Similar Messages
-
Security Hotfix APSB10-04 Breaks our SOLR service
We installed APSB10-04 when we built our new CF9 web servers this past spring.
On our servers the Solr server has never worked. The service will just immediately stop every time it is started with no notification or logging.
Building a lab system a couple of weeks ago, I noticed that Solr stops working when applying the APSB10-04 Security Hotfix.
I presume the problem is with the IP number in the properties node that the hotfix documentation instructs us to add.
<Set name="Host"><SystemProperty naem="jetty.host" default="127.0.0.1"/></Set>
The local loopback ip of 127.0.0.1 does not go anywhere on these servers. But I also tried the boxes specific IP address to no good effect.
If I comment out the line, the Solr service will start just fine. Adding it with either 127.0.0.1 OR 10.104.106.39, the Solr service will not start.
Any suggestions appreciated
Ian
I don't know how many times I looked at this, I even posted it here in the original post! But there is a typo in this line:
<Set name="Host"><SystemProperty naem="jetty.host" default="127.0.0.1"/></Set>
Fixing "<SystemProperty naem" to "<SystemProperty name" fixed the problem on this server straight away.
What was really misleading me was that both the development and production servers were suffering the same problem! But it was a completely different and distinct typo on the production server causing the problem there.
<Set name="port"><SystemProperty name="jetty.host" default="127.0.0.1"/></Set>
Fixing '<Set name="port"' to '<Set name="host"' fixed the production server!
Lesson Learned: Cut and Paste WHENEVER POSSIBLE! -
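An added check (example code, not from the thread or from Adobe) for the kind of typo found above: it parses the <Set> lines that the hotfix instructions have you add to Solr's jetty.xml and reports a <SystemProperty> with a misspelled attribute or a <Set> wrapping the wrong jetty property. The host/port-to-property mapping and the connector fragment are assumptions constructed for this example.

```python
"""Sanity-check the <Set>/<SystemProperty> lines added to jetty.xml for the
APSB10-04 hotfix before restarting the Solr service.

Added example, not code from the thread or from Adobe.  The samples at the
bottom are constructed from the lines quoted in the post above.
"""
import xml.etree.ElementTree as ET

# Assumption for this example: which jetty system property each connector
# <Set> is expected to wrap (the hotfix only touches the host line).
EXPECTED_PROPERTY = {"host": "jetty.host", "port": "jetty.port"}


def check_set(elem):
    """Return findings for one <Set> element; an empty list means it looks right."""
    set_name = elem.get("name")
    if set_name is None:
        return ["<Set> is missing its name attribute"]
    prop = elem.find("SystemProperty")
    if prop is None:
        return []  # a plain <Set> with a literal value; nothing to check
    findings = []
    for attr in ("name", "default"):
        if prop.get(attr) is None:
            # A misspelling such as naem= is just an unrelated attribute, so the
            # intended value is never supplied; report what was found instead.
            stray = [a for a in prop.attrib if a not in ("name", "default")]
            hint = f" (found {stray})" if stray else ""
            findings.append(f"<Set name={set_name!r}>: <SystemProperty> lacks {attr!r}{hint}")
    expected = EXPECTED_PROPERTY.get(set_name.lower())
    actual = prop.get("name")
    if expected and actual is not None and actual != expected:
        findings.append(f"<Set name={set_name!r}> wraps {actual!r}, expected {expected!r}")
    return findings


def check_jetty_xml(text):
    """Parse a jetty.xml document or fragment and check every <Set> in it."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for elem in root.iter("Set"):  # includes the root itself if it is a <Set>
        findings.extend(check_set(elem))
    return findings


# Constructed samples: the correct line and the two typos described in the thread.
CORRECT_LINE = '<Set name="Host"><SystemProperty name="jetty.host" default="127.0.0.1"/></Set>'
TYPO_NAEM = '<Set name="Host"><SystemProperty naem="jetty.host" default="127.0.0.1"/></Set>'
TYPO_PORT = '<Set name="port"><SystemProperty name="jetty.host" default="127.0.0.1"/></Set>'
# A constructed connector fragment of the kind jetty.xml contains, with the
# naem typo on the host line and a correct port line.
CONNECTOR = """<New class="org.mortbay.jetty.bio.SocketConnector">
  <Set name="Host"><SystemProperty naem="jetty.host" default="127.0.0.1"/></Set>
  <Set name="port"><SystemProperty name="jetty.port" default="8983"/></Set>
  <Set name="maxIdleTime">50000</Set>
</New>"""

if __name__ == "__main__":
    for label, xml in (("correct", CORRECT_LINE), ("naem typo", TYPO_NAEM),
                       ("port typo", TYPO_PORT), ("connector", CONNECTOR)):
        print(f"{label}: {check_jetty_xml(xml) or 'OK'}")
```

Run it against the whole jetty.xml (read the file into `check_jetty_xml`) after editing and before restarting the service; an empty list means the edited lines parse and wrap the expected properties.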
Loop while processing cfm pages after security hotfix APSB10-18 installation
Hi,
Everything is in the title...
I've followed the instructions on http://kb2.adobe.com/cps/857/cpsid_85766.html to fix the security issue... but after replacing the two files, my .cfm pages are no longer accessible...
Is it a known issue or what's wrong ? I've read all the coldfusion server log and found no errors :'(
My server is Centos 5 and my Coldfusion Server is 9.0.1
thanks in advance
Francois
Have you got a request timeout set in CFAdmin? It seems strange that the request doesn't get cancelled at any point.
If the CPU & RAM aren't reacting to this "looping" at all, do you have any evidence that CF is even receiving the request?
What do you get if you put an HTML file in that subdir, and browse to that?
What happens if you put a bogus CFML tag in test.cfm, eg <cfthiswillnotcompile>, and rehit the page?
Adam -
HI,
I have installed Cumulative Update 12 for SQL Server 2008 R2 SP2 on my SharePoint instances. This was to resolve a known issue faced with the instance. CU12 helped resolve the issue. My company is rather strict regarding security hotfixes. But I am not sure if this particular hotfix [Security Hotfix (KB2977319)] is required if the instance has CU12 applied.
Tested this on a Lab server, the installation did run fine, the summary log also stated that the KB is applied. But the Build Number did not change. Hence the doubt.
Overall summary:
Final result: Passed
Exit code (Decimal): 0
Exit message: Passed
Start time: 2014-09-06 10:31:21
End time: 2014-09-06 10:55:49
Requested action: Patch
Instance SPNTSQLTRN overall summary:
Final result: Passed
Exit code (Decimal): 0
Exit message: Passed
Start time: 2014-09-06 10:48:08
End time: 2014-09-06 10:55:45
Requested action: Patch
Package properties:
Description: SQL Server Database Services 2008 R2
ProductName: SQL2008
Type: RTM
Version: 10
SPLevel: 2
KBArticle: KB2977319
KBArticleHyperlink: http://support.microsoft.com/?kbid=2977319
PatchType: QFE
AssociatedHotfixBuild: 0
Platform: x64
PatchLevel: 10.52.4321.0
ProductVersion: 10.52.4000.0
GDRReservedRange: 10.50.4001.0:10.50.4199.0;10.50.4200.0:10.50.4250.0
PackageName: SQLServer2008-KB2977319-x64.exe
Installation location: e:\ac2af22d88ee645b5b32b5c178\x64\setup\
Please inform if I need to apply the hotfix on CU12. Thanks in advance.
John S
Yes, you must install the security update mentioned in KB 2977319; it is important for SQL Server to be patched with this security update. Without this it could allow an attacker to compromise your system and gain control over it.
-
Where can I find the latest security hotfix for CF 9.0.2?
ZDNet announces there is a security hotfix for ColdFusion but provides no link to where I can read about it or download it. I go to the Adobe site and look for it by browsing and searching and can't find it. It's been hidden well.
Maybe the ZDNet announcement was made prior to Adobe updating their website? Or maybe I just can't find what is obvious for others.
Adobe published it yesterday, you just have to know where to look: http://helpx.adobe.com/security.html is always updated with the latest from the Adobe Security team. More specifically you are looking for this: http://helpx.adobe.com/security/products/coldfusion/apsb14-23.html
Pete Freitag
Foundeo Inc. - Makers of HackMyCF -
I haven't seen so far any Security or Change Log for Shockwave Player 12.1.3.153. Given the Update ID SW12-13153 this seems to be an ordinary update (not a security hotfix with the prefix APSB...). Has anyone seen a change log?
Thanks.
As always: no. The last Security Bulletin issued for Shockwave Player was http://helpx.adobe.com/security/products/shockwave/apsb14-10.html (March 13, 2014).
-
Does ColdFusion : Security Bulletin APSB10-11 apply to MX 7.0.2
I contacted adobe phone support and was directed to post my question to the forum because adobe doesn't provide phone support for server products.
So, Does ColdFusion : Security Bulletin APSB10-11 apply to MX 7.0.2?
In the Security Bulletin it reads like it does:
Summary
Important vulnerabilities have been identified in ColdFusion 8.0, 8.0.1, 9.0 and earlier versions for Windows, Macintosh and UNIX. The vulnerabilities could lead to cross-site scripting and information disclosure.
source: http://www.adobe.com/support/security/bulletins/apsb10-11.html
However, there are no solutions in the technote:
Issue
Note: This technote and the attachments have been updated on 05/13/2010. All ColdFusion users should review the technote again. An issue when this security fix was applied with Cumulative Hot Fix 4 for ColdFusion 8.0.1 has been identified and resolved. The issue was caused by a naming conflict.
ColdFusion 9.0, 8.0.1 and 8.0 are affected with the issue mentioned in the security bulletin APSB10-11. This technote provides fixes for the security issues along with the installation instructions.
source: http://kb2.adobe.com/cps/841/cpsid_84102.html
Additionally, does anyone know if Cold Fusion MX 7.0.2 is a supported product?
Thank you, any help will be beneficial.
I contacted adobe phone support and was directed to post my question to the forum because adobe doesn't provide phone support for server products.
I have had phone support from them, and they were quite helpful. Do you mean they don't do free phone support? No, they don't.
I cannot believe they suggested you raise an issue on the forum. That's just sh!t. There's no other way of describing that.
Additionally, does anyone know if Cold Fusion MX 7.0.2 is a supported product?
http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#63
Only for "Extended support", whatever that is.
[searches]
Hmmm... http://www.adobe.com/support/programs/policies/terms_customer.html:
Extended Support. If version of software held by Customer at time of renewal has been end-of-lifed during the next renewal term, Customer may renew to Extended Support, provided that Extended Support is available for such software version. Information about Software that has been or soon will be end-of-lifed and Extended Support availability dates by product version are published at www.adobe.com/support. If Customer elects to purchase Extended Support, the Annual Support Fee shall be twenty-five (25%) percent of the license fee paid for the Software (if such fee cannot be established, the percentage would be based on the then-current list price of the license fee for the Software), however in no event shall the amount be less than the last renewal prior to renewing under Extended Support.
If extended support is renewed, the renewal fee would be the Annual Support Fee paid for the prior year increased by the applicable Consumer Price Index (CPI)*, for the 12-month period preceding the renewal date. Should Customer upgrade to the next major version of the Software (e.g., upgrade from 4.0 to 5.0), the Annual Support Fee for the upgraded version shall be the lesser of twenty percent (20%) of the then current list price of the license fee for such upgraded version, or the Annual Support Fee for the last renewal prior to renewing under Extended Support increased by the applicable Consumer Price Index (CPI)*, for the 12-month period preceding the renewal date.
So there you go. It's something you'd have to be paying for anyhow, and my reading of that is that it's too late to get it now anyhow.
I think this will also mean that you're definitely out of luck in regards to any sort of patching going on for CFMX7.
Adam -
Security hotfix APSB07-02 installation fails
I have followed the instructions given at
http://www.adobe.com/support/security/bulletins/apsb07-02.html
to apply the security hotfix APSB07-02 to my CF7.0.2 standalone server, but when entering:
java -Dtrace.ci=1 -jar wsconfig.jar -upgrade -v
into the command prompt as instructed, I get the following error:
'java' is not recognized as an internal or external command
Adobe's instructions are rarely correct, you have to be a mind reader or know the product inside out to decipher them, so I don't blame you for finding an issue with the instructions.
Anyway, I would try and run the command like this:
drive:\{cfmx_root}\runtime\jre\bin\java -Dtrace.ci=1 -jar wsconfig.jar -upgrade -v
FROM the directory that the wsconfig.jar file is in. So if your wsconfig.jar is in the directory {cfmx_root}\runtime\lib, use cmd prompt to navigate to that directory and then run the above command line.
Be sure to back up your existing wsconfig.jar file BEFORE doing anything else. -
CVE-2013-0632, Hotfix APSB13-03 for Coldfusion 8 ???
Hello; I have a question regarding the Coldfusion Security Bulletin APSB13-03 for ColdFusion 10, 9.0.2, 9.0.1 and 9.0.
Is this hotfix also available for Coldfusion 8.01? We use the Coldfusion 8.01 enterprise version.
Patched on the last available hotfix APSB12-21 -> Security update: Hotfix available for ColdFusion 10 and earlier.
By regularly scanning our systems, a finding regarding CVE-2013-0632 was reported by the scanners, to be resolved with APSB13-03.
Is APSB13-03 available for Coldfusion 8.01? Core support ended 7/31/2012 (the last hotfix for CF 8 was from 11/2012!)
But extended Support reaches until 7/31/2014.
frank
Thanks;
You wrote exactly my thoughts )
Kind regards
Frank Winkelmann
Siemens AG
Corporate Information Technology
Corporate Automation
CIT CA HS 1 4
Hugo-Junkers-Str. 9
90411 Nürnberg, Germany
Business tel.: 091145051290
Mobile tel.: 015254690615
mailto:[email protected]
-
Security hotfix APSB11-04 - CF8 and log4j.properties
Hi,
I have been reviewing the Tech Notes for the security hotfix at http://kb2.adobe.com/cps/890/cpsid_89094.html which for CF 8.01 talks about backing up and replacing the log4j.properties file. I can't locate this on any of our CF 8.01 servers, so wondering if this is a mistake in the tech note and should have only applied to CF 9. Can I skip the step all together or do I still need to copy the file from the downloaded hotfix to the suggested location?
Thanks
Meint
Hi Meint,
My CF8.0.1 does not have a log4j.properties file either, though CF9.0.1 has.
HTH, Carl. -
Coldfusion Security hotfix hf901-00002 - esapiconfig log error
Just patched two new CENTOS 5.5 servers running jrun/CF EE 901 installs. Start up trace message throws errors for:
java.io.FileNotFoundException: ../logs/esapiconfig.log affecting log4j
Manually added the missing log file - still no joy.
Any ideas?
The security hotfix was updated on March 7th, see http://www.petefreitag.com/item/787.cfm I think the update resolves this issue
-
I have 26 dollars and want to buy an app for .99. It says I need to answer security questions but I forgot the answers. Am I able to reset those questions or not?
If you have a rescue email address (which is not the same thing as an alternate email address) set up on your account then the steps half-way down this page give you a reset link on your account : http://support.apple.com/kb/HT5312
If you don't have a rescue email address (you won't be able to add one until you can answer 2 of your questions) then you will need to contact iTunes Support / Apple to get the questions reset.
Contacting Apple about account security : http://support.apple.com/kb/HT5699
When they've been reset (and if you don't already have a rescue email address) you can then use the steps half-way down the HT5312 link above to add a rescue email address for potential future use -
Hello,
We have a requirement to modify Advanced Security Settings (Audit Settings for folders) on Windows 2008. I am looking for a command which does this job.
I know that using group policies I can do this; in fact I had done this using group policies. However, I need to do this on a number of servers which are not in the domain. There are around 15 folders on which I need to enable auditing; manually editing folder advanced permissions is a cumbersome job. Hence, I am looking for command line options.
I need to know how a command can be utilised to enable the Audit option on a folder. Please share a command which can do this; once I get the command, I will create a batch file for the other necessary folders. (BTW, this is not a scripting question, I just need to know the command, hence please do not redirect me to the scripting forum)
Manually through the GUI, I am setting the following.. snaps are given below
Thanks !
You can try using Auditpol.exe: http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspx
Thanks, but I guess auditpol can be used only to manipulate system audit policies. How do I specify a folder and user in auditpol? I could not find or understand how a folder can be included with the auditpol command line options.
Thanks ! -
TS1368 I cannot connect to the iTunes Store. I receive Error Code -1202. This problem began yesterday. I have been successfully connecting to the store for months on this PC. I am running Windows 7 and the Windows Security Center. Thanks for any help.
Hello alankilner,
And welcome to Apple Discussions!
Using Proxy: Yes
Try temporarily disabling this setting by following the steps outlined in this Apple support document.
http://support.apple.com/kb/TS1490
B-rock -
Does anyone know how to reset your security questions?? I loaded an itunes gift card on new ipod but when trying to make a purchase, itunes is asking us the incorrect security questions?! (for 1st time purchase) I know the questions are not what I chose because I wrote the questions & answers down when setting up the ipod. Any ideas??!!!
Reset Security Questions
Frequently asked questions about Apple ID
Manage My Apple ID
Or you can email iTunes Support at iTunes Store Support.
If all else fails:
1. Go to: Apple Express Lane;
2. Under Product Categories choose iTunes;
3. Then choose iTunes Store;
4. Then choose Account Management;
5. Now choose iTunes Store Security and answer the bullet questions, then click Continue;
6. Sign in with your Apple ID and press Continue;
7. Under Contact Options fill out the information and advise iTunes that you would like your security/challenge questions reset;
8. Click Send/Continue.
You should get a response within 24 hours by email.
In the event you are unsuccessful then contact AppleCare - Contacting Apple for support and service.
Another user had success doing the following:
I got some help from an apple assistant on the phone. It is kind of round about way to get in.
Here is what he said to do and it is working for me...
a. On the device that is asking you for the security questions go to "settings" > "store" > tap the Apple ID and choose view "Apple ID" and sign in.
b. Tap on payment information and add a credit/debit card of your preference then select "done", in the upper right corner.
c. Sign out and back into iTunes on the device by going to "settings" > "store" > tap the Apple ID and choose "sign-out" > Tap "sign-in" > "use existing Apple ID" and you should be asked to verify your security code for the credit/debit card and NOT the security questions.
d. At this time you can remove the card by going back in to edit the payment info and selecting "none" as the card type then saving the changes by selecting "done". You should now be able to use your iTunes store credit without answering the security questions.
It's working for me ...I just have to put in my 3 digit security pin from the credit card I am using.
Good Luck friends!