Thoughts, ideas, tips, musings, and pontifications (not necessarily in that order) by Ben Forta ...
NOTE: This is my personal blog, and the opinions and statements voiced here are my own.

February 8, 2011

ColdFusion Security Hotfix Released

Title says it all, see the security bulletin.

Comments
Anybody else getting this error on the cfwindow tag and some cf admin operations after applying this hotfix?

Could not initialize class coldfusion.security.ESAPIUtils
# Posted By Hedge | 2/10/11 1:21 PM
Warning! As discussed on Ray's blog, there is a serious problem with this hotfix: You cannot have more than one cfapplication per domain anymore! http://www.coldfusionjedi.com/index.cfm/2011/2/8/S...
# Posted By Nigauw | 2/10/11 3:14 PM
We've reluctantly had to roll back this hotfix as it's caused too many problems. Details on Shilpi's blog: http://shilpikm.blogspot.com/2011/02/security-hot-...
# Posted By Julian Halliwell | 2/16/11 11:34 AM
It's a little scary. We tried to upgrade to the first CF9 patch when it rolled out and it didn't play nicely with SeeFusion and killed all of our datasources. There doesn't seem to be much testing of the hotfixes or patches. I am afraid to do anything to our CF9 boxes now.
# Posted By Dan | 2/16/11 6:33 PM
Hi Ben,

Just FYI... I just realized this hotfix isn't mentioned on CF's home page (www.coldfusion.com).

The previous one (August 10, 2010) is, but the "News" section hasn't been updated to list the current one (February 8, 2011).

Thanks,
-Aaron Neff
# Posted By Aaron Neff | 2/25/11 12:58 AM
Hi Ben,

Sorry, not sure who best to contact, but here's another one:

The Cumulative Hotfix 1 (CHF1) for ColdFusion 9.0.1 page (at bottom) says: Products affected ColdFusion 9.0

URL: http://kb2.adobe.com/cps/862/cpsid_86263.html

It should probably say 9.0.1

Thanks,
-Aaron
# Posted By Aaron Neff | 2/25/11 1:16 AM
I am receiving the "Class not found: coldfusion.security.ESAPIUtils" error as well.
# Posted By Mark Pekel | 3/4/11 3:35 PM
Yeah we had to roll it back. So now everybody knows about the exploit but we have no way of patching it without breaking something else :(
# Posted By Hedge | 3/7/11 6:10 PM
Happy to report we've identified the problem and the Hotfix is now working for us. In a nutshell: CF will no longer use existing CFID/CFTOKEN cookies when creating new sessions.

I've written up the problem and solution at http://cfsimplicity.com/4/coldfusion-security-hotf...
# Posted By Julian Halliwell | 3/14/11 7:26 AM
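The behaviour Julian describes (a new session gets a fresh CFID/CFTOKEN pair instead of adopting whatever pair the client presents) is something worth verifying on your own server after applying the hotfix. The following is an added example, not code from the post, its comments or Adobe; the cookie names come from the thread, while the sample values, the sample responses and the probe URL are constructed for illustration.

```python
# Added example: check whether a server issues a fresh CFID/CFTOKEN pair for a
# new session (post-hotfix behaviour) or keeps the pair the client presented.
# CFID/CFTOKEN are the real ColdFusion session cookie names; the values and the
# sample responses below are constructed, not captured from a real server.
import urllib.request
from http.cookies import SimpleCookie

# Constructed identifiers presented as if they belonged to an existing session.
SENT_COOKIES = {"CFID": "12345", "CFTOKEN": "67890"}


def parse_set_cookie(headers):
    """Map cookie name -> value from a list of Set-Cookie header strings."""
    issued = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            issued[name] = morsel.value
    return issued


def classify_session_ids(sent, set_cookie_headers):
    """Return 'regenerated' when the server issued a CFID/CFTOKEN pair that
    differs from the presented one, else 'reused' (it echoed the pair back or
    issued nothing, so the session continues under client-chosen identifiers)."""
    issued = parse_set_cookie(set_cookie_headers)
    new_pair = (issued.get("CFID"), issued.get("CFTOKEN"))
    if None in new_pair:
        return "reused"  # no fresh pair issued; presented pair stays in force
    if new_pair == (sent["CFID"], sent["CFTOKEN"]):
        return "reused"  # server echoed back exactly what the client chose
    return "regenerated"


def probe(url, sent=SENT_COOKIES):
    """Request url while presenting the constructed pair and classify the reply.
    Needs network access; the offline checks below do not call it."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in sent.items())
    req = urllib.request.Request(url, headers={"Cookie": cookie_header})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return classify_session_ids(sent, resp.headers.get_all("Set-Cookie") or [])


if __name__ == "__main__":
    # Constructed responses: one server regenerates, the other echoes our pair.
    fresh = ["CFID=98765; Path=/; HttpOnly", "CFTOKEN=31415926; Path=/; HttpOnly"]
    echoed = ["CFID=12345; Path=/", "CFTOKEN=67890; Path=/"]
    print(classify_session_ids(SENT_COOKIES, fresh))   # regenerated
    print(classify_session_ids(SENT_COOKIES, echoed))  # reused
```

Run `probe("http://your-cf-host/some-session-enabled-page.cfm")` against a test box; a result of "reused" after the hotfix means the fix is not in effect on that instance.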
If you're getting the "ClassNotFoundException: coldfusion.security.ESAPIUtils" error, it's because you pulled the same boneheaded move that I did, and tried to apply the CHF to 9.0, when you first need to update to 9.0.1.
# Posted By Shannon Hicks | 12/21/11 6:07 PM
@Shannon: I am getting that error, but don't think it is because we are boneheads. The hotfix does say cumulative... obviously not.

Thanks for the post, I would have banged my head against that wall for more than necessary ;)
# Posted By Andrew Bauer | 1/20/12 5:27 AM
I'm getting this same error, and this is the stacktrace:

Object Instantiation Exception.

Class not found: coldfusion.security.ESAPIUtils

The error occurred in C:\work\ColdFusion\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\Application.cfm: line 69
Called from C:\work\ColdFusion\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\Application.cfm: line 4
Called from C:\work\ColdFusion\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\Application.cfm: line 1
Called from C:\work\ColdFusion\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\Application.cfm: line 69
Called from C:\work\ColdFusion\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\Application.cfm: line 4
Called from C:\work\ColdFusion\cf9_u1_final_hotfix\cfusion\wwwroot\CFIDE\administrator\Application.cfm: line 1
-1 : Unable to display error's location in a CFML template.

Note, I'm on a Mac and (obviously) I don't have a C: drive. Does this patch have hard coded values in it for the dev who authored it? WTF?
# Posted By Nolan Dubeau | 2/22/12 9:09 PM

  © Copyright 1997-2009 Ben Forta, All Rights Reserved