Unofficial Updater 2

The easiest way to patch Adobe ColdFusion 8.0.1 and 9.0.x

Filename: Unofficial-Updater2.jar
Release Date: November 13, 2013
MD5 Sum: 3c1a4a2e47364dec126cc878bab03144
Latest Patch: APSB13-27
Project Location: GitHub

Introduction

Unofficial Updater 2 (UU2) is an outgrowth of the frustration that came from trying to manually patch Adobe ColdFusion 8.0.1 with the numerous hot fixes and security bulletins that have been published. It is a tool to provide an easy way of consistently applying applicable hot fixes and security bulletins to Adobe ColdFusion 8.0.1 and 9.0.x.

Disclaimers

  1. Use of Unofficial Updater 2 is at your own risk
    • Do not run Unofficial Updater 2 for the first time on a production system
  2. Unofficial Updater 2 is not endorsed by Adobe and has no ties to Adobe
  3. Reading Adobe TechNote Important hotfix-related notes for ColdFusion 9 and ColdFusion 10 before running Unofficial Updater 2 is highly recommended
  4. ColdFusion Server/process/instance should not be running when you use Unofficial Updater 2
  5. Unofficial Updater 2 can only be run against Adobe ColdFusion 8.0.1, 9.0.0, 9.0.1, or 9.0.2
  6. Unofficial Updater 2 is updated whenever Adobe releases a new hot fix or security bulletin, or changes an existing one
  7. Unofficial Updater 2 will need to be downloaded and run again when it is updated, in order to apply all new (or changed) hot fixes and security bulletins from Adobe
  8. Unofficial Updater 2 works in most situations/installs, but if you have something non-standard it might not work

What it does

The first time you run Unofficial Updater 2, it will download ALL hotfixes and security bulletins from Adobe for both ColdFusion 8.0.1 and 9.0.x. UU2 will then create Unofficial-Updater2-with-downloads.jar, which contains the downloaded hotfixes and security bulletins. This is done because UU2 cannot directly package the updates, and it makes it easier to patch additional servers without the need for an Internet connection.

Once the downloading is complete, UU2 will ask specific questions about how Adobe ColdFusion is installed. It will then produce backups of any directories it will modify. Finally, it will apply the hotfixes and security bulletins according to the published instructions. If you are running Multi-Server JRun or J2EE installs, you will need to run UU2 against each instance.

UU2 only updates files; it does not modify any settings in ColdFusion such as neo-*.xml or jvm.config. The security hotfixes have introduced new JVM flags in jvm.config and changes to neo-*.xml. These are documented in the Adobe TechNote Important hotfix-related notes for ColdFusion 9 and ColdFusion 10, and may need to be applied manually after running UU2, depending upon specific configuration needs.

The files that Unofficial Updater 2 updates, as compared to a clean install of Adobe ColdFusion 8.0.1, 9.0.0, 9.0.1, and 9.0.2, are listed below:

If you have modified files in CFIDE and/or WEB-INF they could be changed due to files contained in the updates from Adobe.

How to use

  1. Download the packaged JAR installer
  2. Stop the ColdFusion Server/process/instance you are going to update
  3. Depending upon your system, you might be able to double-click Unofficial-Updater2.jar to run it; otherwise it will need to be run from the command line
    • On Windows, you might need to use Run as Administrator when starting the GUI or opening the command prompt
    • Installer (auto-detect GUI or text)
      • java -jar Unofficial-Updater2.jar
    • Force GUI Installer
      • java -jar Unofficial-Updater2.jar swing
    • Force Text Installer
      • java -jar Unofficial-Updater2.jar text
    • Text Installer run as cfusion user on Linux/UNIX
      • su -s /bin/sh "cfusion" -c "java -jar Unofficial-Updater2.jar text"
    • Text Installer run as root on Linux/UNIX
      • sudo java -jar Unofficial-Updater2.jar text
    • Once Unofficial-Updater2-with-downloads.jar is created, you can use that instead of Unofficial-Updater2.jar
  4. Walk through the screens, entering the appropriate information
    • Be sure to fill in the directory locations correctly; Unofficial Updater 2 will try to validate that they are correct before letting you proceed to the next step
  5. Finish updater by pressing Apply Updates
  6. On OS X/Linux/UNIX verify (and possibly correct) ownership and permission of the files updated
  7. Repeat process for all instances for Multi-Server JRun or J2EE deployments, starting with step 2

Please see the Wiki: Using Updater 2 for screenshots and walkthrough.
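A pre-flight and post-flight check for the procedure above, as an added example that is not part of the original page or the UU2 project: it compares the download against the MD5 Sum published at the top of this page (step 1) and lists files changed by the run whose ownership or permissions need attention (step 6). The function names, the marker file and the install path in the comments are assumptions; `cfusion` is the account used in the commands above.

```shell
#!/bin/sh
# Added example: checks to run around a UU2 session (not part of UU2 itself).
# Assumed names: the functions below, /tmp/uu2.marker, /opt/coldfusion9.

UU2_MD5="3c1a4a2e47364dec126cc878bab03144"   # MD5 Sum published on this page

# Print the MD5 of a file with whichever tool the platform ships.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'          # Linux
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"                             # OS X / BSD
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_jar FILE [EXPECTED_MD5]
# Returns 0 on match, 1 on mismatch, 2 if the file is missing.
# The published sum applies to Unofficial-Updater2.jar only; the generated
# Unofficial-Updater2-with-downloads.jar has different contents.
verify_jar() {
    [ -f "$1" ] || return 2
    [ "$(file_md5 "$1")" = "${2:-$UU2_MD5}" ]
}

# misowned_since ROOT MARKER OWNER
# Files under ROOT modified after MARKER that OWNER (name or uid) does not own,
# which is what a run as root leaves behind for a service running as cfusion.
misowned_since() {
    find "$1" -type f -newer "$2" ! -user "$3" -print
}

# bad_perms_since ROOT MARKER
# Files modified after MARKER that are owner-unreadable or world-writable.
bad_perms_since() {
    find "$1" -type f -newer "$2" \( ! -perm -400 -o -perm -002 \) -print
}

# Typical flow (paths are assumptions, adjust to your install):
#   verify_jar Unofficial-Updater2.jar || { echo "checksum mismatch"; exit 1; }
#   touch /tmp/uu2.marker                     # taken just before the run
#   sudo java -jar Unofficial-Updater2.jar text
#   misowned_since  /opt/coldfusion9 /tmp/uu2.marker cfusion
#   bad_perms_since /opt/coldfusion9 /tmp/uu2.marker
```

Any path printed by the last two commands is a candidate for the ownership or permission correction in step 6 before ColdFusion is started again.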

Details

At the core, Unofficial Updater 2 is just an Apache Ant script. Ant was chosen since it could provide cross-platform support. The Ant script was wrapped with Ant Installer to create a GUI and text-based interface, which only requires Java 1.5+ to be installed.

Backups

Unofficial Updater 2 creates backups of the directories that are modified, but it is HIGHLY recommended that you create your own backups of your ColdFusion installation to restore from in case of a problem. The backups created by UU2 are stored in the directory specified when running UU2 and are named {directory-name}-uu2-{datetime-stamp}.zip.

ColdFusion 8.0.1

APSB12-21 was the LAST security hotfix Adobe released for ColdFusion 8.0.1

All hot fixes and security bulletins published as of September 11, 2012 for ColdFusion 8.0.1 are applied except if they were superseded by a newer patch and the following:

Both kb404026 and CVE-2009-1876 require modifications to be made to the system configuration. kb404026 requires the ability to modify the Windows registry, and CVE-2009-1876 will modify the connector configuration. kb403750 is not installed since it does not seem to resolve all the issues and breaks other things.

ColdFusion 9.0.0

All hot fixes and security bulletins published as of November 12, 2013 for ColdFusion 9.0.0 are applied except if they were superseded by a newer patch and the following:

cpsid_80719 requires modifying jetty.xml which is a system configuration change.

ColdFusion 9.0.1

All hot fixes and security bulletins published as of November 12, 2013 for ColdFusion 9.0.1 are applied except if they were superseded by a newer patch.

ColdFusion 9.0.2

All hot fixes and security bulletins published as of November 12, 2013 for ColdFusion 9.0.2 are applied except if they were superseded by a newer patch.

Additional Notes

Please refer to the various technotes about changes to configuration options. Unofficial Updater 2 only updates files; it does not modify any settings in ColdFusion such as neo-*.xml or jvm.config.

Cumulative Hotfixes for ColdFusion 9.0.x

Security Bulletins

Java Support

It is highly recommended to update the underlying JVM that ColdFusion uses to the latest available Java 6 (1.6.0) version (Update 45) on ColdFusion 8.0.1 or ColdFusion 9.0.x on Mac OS X. Java 7 (1.7.0) is supported for ColdFusion 9.0.x on Windows (32 and 64 bit), Linux (32 and 64 bit), and Solaris (64 bit) after the CHFs released in March 2013 are applied. Again, updating to the latest Java 7 (Update 45) is highly recommended.