ColdFusion wsconfig Hotfix CVE-2009-1876 is for Apache Only
By Pete Freitag
There has been some confusion over the ColdFusion web server connector (wsconfig.jar) hotfix CVE-2009-1876 which is part of Adobe Security Bulletin APSB09-12.
Whether or not this hotfix is required on IIS has been a question posed by many. This was finally clarified in a comment on Ben Forta's blog, where Adobe engineer Asha states:
Hotfix CVE-2009-1876 is only if you are using Apache as webserver; it is not required if you are using IIS.
Granted, it would be nice to have a statement that clear in the Adobe Security Bulletin. Regardless, I would hold off on trying to install this hotfix if you are running IIS. I've heard reports of IIS getting screwed up.
I've heard various other reports about this hotfix not working properly on Mac OS X 64-bit (it tries to install the 32-bit connector, which won't work if you have 64-bit Apache).
The workaround, instead of running the wsconfig command, is to unzip the wsconfig.jar file, then look in connectors/apache/{your.os}/prebuilt/ (where {your.os} could be a folder named intel-macosx64, for example) and copy the proper .so file into your {cf.root}/lib/wsconfig/1 directory (make a backup of the existing files first), then restart Apache. Credit for that goes to Andy Allen (@fuzzyorange) on Twitter.
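Here is a small shell script I'm adding to illustrate that manual workaround (this is an added example, not something from Adobe or from Andy's tip): it checks that the prebuilt connector and your httpd binary are the same bitness before copying, and backs up whatever is already in lib/wsconfig/1. The helper names, the .bak naming scheme, and the location of wsconfig.jar are my assumptions; the directory layout is the one described above.

```shell
#!/bin/sh
# Added example: apply the wsconfig.jar workaround by hand, with a bitness
# check so a 32-bit connector never lands next to a 64-bit Apache.
set -eu

# Classify a `file -b` description as 32- or 64-bit. Prints 64, 32 or unknown.
arch_of() {
  case "$1" in
    *x86_64*|*x86-64*|*64-bit*|*arm64*) echo 64 ;;
    *i386*|*i686*|*32-bit*)             echo 32 ;;
    *)                                  echo unknown ;;
  esac
}

# Copy every .so from the extracted prebuilt directory into the wsconfig
# directory, first backing up any existing file as <name>.bak.<timestamp>.
# Usage: install_connector <prebuilt_dir> <wsconfig_dir>
install_connector() {
  src="$1"; dst="$2"; stamp=$(date +%Y%m%d%H%M%S)
  for so in "$src"/*.so; do
    [ -f "$so" ] || { echo "no .so files in $src" >&2; return 1; }
    name=$(basename "$so")
    if [ -f "$dst/$name" ]; then
      cp -p "$dst/$name" "$dst/$name.bak.$stamp"   # keep the old connector
    fi
    cp -p "$so" "$dst/$name"
  done
}

# Full workaround. Usage: apply_workaround <cf.root> <httpd binary> <your.os> <wsconfig.jar>
# Example: apply_workaround /opt/coldfusion /usr/sbin/httpd intel-macosx64 /path/to/wsconfig.jar
apply_workaround() {
  cf_root="$1"; httpd="$2"; os_dir="$3"; jar="$4"
  tmp=$(mktemp -d)
  unzip -q "$jar" -d "$tmp"
  pre="$tmp/connectors/apache/$os_dir/prebuilt"
  first_so=$(ls "$pre"/*.so | head -n 1)
  want=$(arch_of "$(file -b "$httpd")")
  have=$(arch_of "$(file -b "$first_so")")
  if [ "$want" != "$have" ]; then
    echo "connector is ${have}-bit but Apache is ${want}-bit; not installing" >&2
    return 1
  fi
  install_connector "$pre" "$cf_root/lib/wsconfig/1"
  apachectl graceful    # restart Apache so the new connector loads
}
```

Call apply_workaround yourself after sourcing the script; nothing runs automatically.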
ColdFusion wsconfig Hotfix CVE-2009-1876 is for Apache Only was first published on August 20, 2009.
Comments
Surprisingly it worked even though I was totally stumped by the readme file referencing only Apache. Thankfully I took the decision not to apply 1876 to the prd servers. While it's good to get security hotfixes I'm not impressed by Adobe's documentation or the duplicate .jar files. Just 10 minutes more effort on their part would have made all 7 hotfixes less confusing. I hope it hasn't deterred people from applying them.