Manually Patching ColdFusion 9 with APSB15-21 (CVE-2015-3269)
So ColdFusion 9 core support ended on December 31, 2014. As such, Adobe has not released any security updates for it since APSB14-23 on October 14, 2014. There was a question regarding whether the latest security patch, APSB15-21, released for ColdFusion 10 and 11, also affected ColdFusion 9. The answer is yes, it is affected as well. And apparently Adobe does have a procedure for applying the patch~~, if you email and ask for the instructions~~. Honestly, Adobe should just post the instructions, but given that ColdFusion 9 is no longer covered by core support, one can understand why they have not.
This post is a collection of my notes and the procedure I used to manually apply the patch to ColdFusion 9. These steps are not the official Adobe ones. Unofficial Updater 2 had previously been run to bring the server up to the last official patch, APSB14-23.
The underlying BlazeDS libraries have not changed since ColdFusion 9.0.2. The exact same files are used in ColdFusion 10 through Update 16 and ColdFusion 11 through Update 5.
ColdFusion 9.0.2
File | Version | SHA-1 Hash | Function |
---|---|---|---|
flex-messaging-common.jar | 4.0.0.14931 | 81eb386a31933aff9819499198fb9945ebb03771 | BlazeDS - Common Library |
flex-messaging-core.jar | 4.0.0.14931 | d74583ebe8e1fd9651641ca8291d19edf4563335 | BlazeDS - Community Edition |
flex-messaging-opt.jar | 4.0.0.14931 | 5c91681ca2f719b0a368f61a3f0f22bdb4c9eaaa | BlazeDS - Optional Vendor |
flex-messaging-proxy.jar | 4.0.0.14931 | b9f28b0916f03432a7011cf6cfb04c2ec45b16af | BlazeDS - Community Edition - Proxy Module |
flex-messaging-remoting.jar | 4.0.0.14931 | c8771cc64f35457c874b07ccccb010b8631194c9 | BlazeDS - Community Edition - Remoting Module |
ColdFusion 9.0.1
File | Version | SHA-1 Hash | Function |
---|---|---|---|
flex-messaging-common.jar | 4.0.0.20929 | 303b1cb8a04e910d43c9be4894f6d6b7b814a928 | BlazeDS - Common Library |
flex-messaging-core.jar | 4.0.0.20929 | 31820e6ca453d1c42e602b4bf226711c63f4aa2d | BlazeDS - Community Edition |
flex-messaging-opt.jar | 4.0.0.14931 | 5c91681ca2f719b0a368f61a3f0f22bdb4c9eaaa | BlazeDS - Optional Vendor |
flex-messaging-proxy.jar | 4.0.0.14931 | b9f28b0916f03432a7011cf6cfb04c2ec45b16af | BlazeDS - Community Edition - Proxy Module |
flex-messaging-remoting.jar | 4.0.0.14931 | c8771cc64f35457c874b07ccccb010b8631194c9 | BlazeDS - Community Edition - Remoting Module |
ColdFusion 9.0.0
File | Version | SHA-1 Hash | Function |
---|---|---|---|
flex-messaging-common.jar | 3.3.0.20931 | d84e30b86f7a9236a0fc53e71c838e4b50e4d26d | BlazeDS - Common Library |
flex-messaging-core.jar | 3.3.0.20931 | a4e9c048d2126af717fb7ca5a375812e436a170d | BlazeDS - Community Edition |
flex-messaging-opt.jar | 3.2.0.3978 | cbcbbda606c0eafaa290c359341b20f647f8e75c | BlazeDS - Optional Vendor |
flex-messaging-proxy.jar | 3.2.0.3978 | 00e53347d77c0d5265ad96fecd382019abf582b7 | BlazeDS - Community Edition - Proxy Module |
flex-messaging-remoting.jar | 3.2.0.3978 | 34082c9ff1a5c3da781a097fd3b2c7a46ecc6e14 | BlazeDS - Community Edition - Remoting Module |
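As an added check that is not part of the original post, the script below hashes the flex-messaging jars in a lib directory and compares them with the tables above: a full match names the shipped (and therefore still unpatched) ColdFusion 9 release, and any jar matching none of the shipped hashes has been replaced or is missing. The /opt/coldfusion9/lib path is the post's Linux example and is an assumption for other installs.

```python
import hashlib
from pathlib import Path

# SHA-1 hashes of the BlazeDS jars as shipped with each ColdFusion 9 release
# (copied from the tables above); every one of these sets predates APSB15-21.
SHIPPED_BLAZEDS = {
    "9.0.2": {
        "flex-messaging-common.jar": "81eb386a31933aff9819499198fb9945ebb03771",
        "flex-messaging-core.jar": "d74583ebe8e1fd9651641ca8291d19edf4563335",
        "flex-messaging-opt.jar": "5c91681ca2f719b0a368f61a3f0f22bdb4c9eaaa",
        "flex-messaging-proxy.jar": "b9f28b0916f03432a7011cf6cfb04c2ec45b16af",
        "flex-messaging-remoting.jar": "c8771cc64f35457c874b07ccccb010b8631194c9",
    },
    "9.0.1": {
        "flex-messaging-common.jar": "303b1cb8a04e910d43c9be4894f6d6b7b814a928",
        "flex-messaging-core.jar": "31820e6ca453d1c42e602b4bf226711c63f4aa2d",
        "flex-messaging-opt.jar": "5c91681ca2f719b0a368f61a3f0f22bdb4c9eaaa",
        "flex-messaging-proxy.jar": "b9f28b0916f03432a7011cf6cfb04c2ec45b16af",
        "flex-messaging-remoting.jar": "c8771cc64f35457c874b07ccccb010b8631194c9",
    },
    "9.0.0": {
        "flex-messaging-common.jar": "d84e30b86f7a9236a0fc53e71c838e4b50e4d26d",
        "flex-messaging-core.jar": "a4e9c048d2126af717fb7ca5a375812e436a170d",
        "flex-messaging-opt.jar": "cbcbbda606c0eafaa290c359341b20f647f8e75c",
        "flex-messaging-proxy.jar": "00e53347d77c0d5265ad96fecd382019abf582b7",
        "flex-messaging-remoting.jar": "34082c9ff1a5c3da781a097fd3b2c7a46ecc6e14",
    },
}
JARS = sorted(SHIPPED_BLAZEDS["9.0.2"])


def hash_libdir(libdir):
    """Return {jar name: SHA-1 hex} for each flex-messaging-*.jar in libdir."""
    return {p.name: hashlib.sha1(p.read_bytes()).hexdigest()
            for p in Path(libdir).glob("flex-messaging-*.jar")}


def classify(hashes):
    """Return (release, replaced): release is the ColdFusion 9 version whose
    shipped set matches all five jars exactly (None otherwise); replaced lists
    the jars whose hash matches no shipped set (replaced or missing)."""
    for release, shipped in SHIPPED_BLAZEDS.items():
        if all(hashes.get(jar) == sha for jar, sha in shipped.items()):
            return release, []
    known = {sha for s in SHIPPED_BLAZEDS.values() for sha in s.values()}
    return None, [jar for jar in JARS if hashes.get(jar) not in known]


if __name__ == "__main__":
    # Assumed Linux install path from the post; adjust for your server
    print(classify(hash_libdir("/opt/coldfusion9/lib")))
```

Run it before and after the procedure: beforehand it should name the installed 9.0.x release, and afterwards the jars the update replaced should no longer match any shipped hash.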
It is possible to update the BlazeDS libraries in ColdFusion 9.0.1 and 9.0.2 with those contained in ColdFusion 10 Update 17. Here are the steps:
- Stop ColdFusion
- Download ColdFusion 10 Update 17 and verify it
- Backup existing BlazeDS libraries
- Extract needed files from the update to the proper location
- Restart ColdFusion
Below are the commands, executed as root on an Ubuntu server running ColdFusion 9.0.1, installed to /opt/coldfusion9 and running as the user cfusion.
```bash
# Stop ColdFusion before touching anything under lib/
/opt/coldfusion9/bin/coldfusion stop
mkdir /tmp/cf9-apsb15-21
cd /tmp/cf9-apsb15-21
# Fetch ColdFusion 10 Update 17 and compare the checksum with the one on Adobe's update page
wget https://cfdownload.adobe.com/pub/adobe/coldfusion/hotfix_017.jar
md5sum hotfix_017.jar
# Back up the current BlazeDS libraries
zip blazeds-backup.zip /opt/coldfusion9/lib/flex*
# The jars sit three archives deep; -j drops the archive paths, and the
# escaped dollars keep the literal $IA_PROJECT_DIR$ in the member name
unzip -j hotfix_017.jar Disk1/InstData/Resource1.zip
unzip -j Resource1.zip "\$IA_PROJECT_DIR\$/hotfix/dist_zg_ia_sf.jar"
# Quote the pattern so unzip, not the shell, expands the wildcard
unzip -j dist_zg_ia_sf.jar 'cfusion/lib/flex*' -d /opt/coldfusion9/lib
# Restore ownership and restart
chown cfusion:cfusion /opt/coldfusion9/lib/flex*
/opt/coldfusion9/bin/coldfusion start
```
The steps for Windows are the same; just use 7-Zip or similar to extract the files from hotfix_017.jar and place them in the ColdFusion lib directory, typically C:\ColdFusion9\lib.
These steps only deal with updating the BlazeDS libraries, not with configuring Flash/Flex remoting as described in the technote and the Adobe ColdFusion 9 Lockdown Guide. Also see Pete Freitag's post, Disable Flash Remoting on ColdFusion Servers.
Patching ColdFusion 9.0.0 is more problematic because of the different version of BlazeDS it uses. It might be possible to follow the same steps, but I did not try, since none of the servers I deal with are running ColdFusion 9.0.0.
Regardless of which version of ColdFusion 9 one is running, upgrading to ColdFusion 10 or 11 is the best option, since they are supported by Adobe and receive security updates.