Tuesday, March 18, 2014

Offline/Airgapped Adobe ColdFusion Updates

Recently, I tweeted some stuff that got the goat of some prominent ColdFusion gurus.  I am not normally in a mood to attack the things that I love (and I love ColdFusion) but Adobe has been kicking that baby and stuff must be said.  ColdFusion is not secure by default; you should not just install it and hook that server to the Internet.  We, web developers/sysadmins/security people, have grown fat/dumb/happy with modern servers which are updated automagically and are (relatively) secure after install.  Adobe's track record with Flash and PDF should tell us differently, but we install CF and expect it to behave like Apache/PHP or IIS/ASP.NET.  It is not like them: you have to get into the time machine to 2003 and manually lock down the CF server and then manually apply the patches as soon as your Internet-facing CF server picks them up.  The CF lockdown guide, in all of its 58 pages of wisdom, is available here: ( http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/cf10-lockdown-guide.pdf )

But what about offline/airgapped servers?  ColdFusion 10 (and I assume 11) can only be updated online.  If you are so unlucky as to have an airgapped CF server then you have to spoof the Adobe update servers.  Here is how you can do that:

1. Download the Updates.xml file from: ( http://download.adobe.com/pub/adobe/coldfusion/xml/updates.xml ) and save it to a thumb drive.

2. Open the downloaded Updates.xml file with Notepad (or Sublime Text) and search for the "cfhf_filename" tags.  Each of those is a hotfix you need to download and put onto the thumb drive.  Basically, if you scroll to the top, you will see that the latest hotfix is something like "hotfix_013.jar".  You will then enter the URL for it into the browser: ( http://download.adobe.com/pub/adobe/coldfusion/hotfix_013.jar ) and save the jar to your thumb drive.  If you know you need to implement older hotfixes, repeat with all of the hotfixes in the Updates.xml file.

3. You will now need to choose a location to host the updates.  Go to the server (don't copy the files yet) and create a folder accessible via a URL. I created a folder on my server which only was open as but there is no harm in putting the updates in your normal document root folder.  No matter where you will place the updates, they must be accessible via a URL (since this is a web server I will assume you know how to set up a folder on a web server and what the URL for that folder will be).  For me this was

4. Don't copy the files yet. Now that you have the folder and know what the URL for that folder will be, edit the updates.xml file (in the editor of your choice) and edit the "cfhf_downloadlink" tag to be the full URL to each of the files once you copy them to the server.  For me this changed from "http://download.adobe.com/pub/adobe/coldfusion/hotfix_013.jar" to "".  Save the updated updates.xml to the thumb drive and copy all the contents to the server folder you created.

5. Open the ColdFusion Administrator console and hit the Server Update tab, and then the Updates item under the main tree.  In the main dialog area, click the settings item in the top tabs.  Toward the bottom of the screen you will see the "Update Site" area, enter your update URL (to include the path to the updated updates.xml file).  Mine is "".  Click Submit Changes.

6. You should then be able to click the "Available Updates" tab on the top, then "Check for Updates" and have the lower window populate with updates to be applied.
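Steps 2 and 4 can be scripted so that no "cfhf_downloadlink" entry is missed or mistyped. The following is an added example, not code from the original post or from Adobe: the internal URL is a hypothetical placeholder, and the sample feed is constructed (only the two cfhf_* tag names and the Adobe URL pattern come from the steps above; the surrounding element layout is an assumption).

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hypothetical internal update folder URL (placeholder, not from the post).
INTERNAL_BASE = "http://cfupdates.internal.example/cfupdates/"

# Constructed sample feed. Only the two cfhf_* tag names and the Adobe URL
# pattern come from the post; the surrounding element layout is assumed.
SAMPLE_UPDATES_XML = """<rss version="2.0"><channel>
  <item>
    <cfhf_filename>hotfix_013.jar</cfhf_filename>
    <cfhf_downloadlink>http://download.adobe.com/pub/adobe/coldfusion/hotfix_013.jar</cfhf_downloadlink>
  </item>
  <item>
    <cfhf_filename>hotfix_012.jar</cfhf_filename>
    <cfhf_downloadlink>http://download.adobe.com/pub/adobe/coldfusion/hotfix_012.jar</cfhf_downloadlink>
  </item>
</channel></rss>"""


def rewrite_feed(xml_text, internal_base):
    """Return (rewritten_xml, adobe_urls_to_fetch) for an updates.xml body."""
    root = ET.fromstring(xml_text)
    base = internal_base.rstrip("/") + "/"
    to_fetch = []
    for link in root.iter("cfhf_downloadlink"):
        original = (link.text or "").strip()
        name = posixpath.basename(urlsplit(original).path)
        # Refuse anything that is not a plain jar file name, so a malformed
        # entry cannot silently produce a broken internal link.
        if not name.endswith(".jar"):
            raise ValueError("unexpected download link: %r" % original)
        to_fetch.append(original)
        link.text = base + name
    # Every listed file name should now have a matching internal link.
    names = {(e.text or "").strip() for e in root.iter("cfhf_filename")}
    links = {posixpath.basename(e.text) for e in root.iter("cfhf_downloadlink")}
    if names != links:
        raise ValueError("file names and links disagree: %s" % sorted(names ^ links))
    return ET.tostring(root, encoding="unicode"), to_fetch


if __name__ == "__main__":
    new_xml, urls = rewrite_feed(SAMPLE_UPDATES_XML, INTERNAL_BASE)
    print("\n".join(urls))   # fetch these on the connected machine
    print(new_xml)           # save as updates.xml in the internal folder
```

Run it on the connected machine against the real downloaded file, then carry the rewritten updates.xml and the fetched jars across on the thumb drive.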

The updates appear to be cumulative (I have not fully tested them and the file sizes are confusing if they were cumulative -- they don't grow with each update).  Once I applied Hot Fix 13, the lower hot fixes disappeared from my dialog.  You also need to install the "Mandatory Update" for ColdFusion 10 ( http://helpx.adobe.com/coldfusion/kb/coldfusion-10-mandatory-update.html ) before attempting this process.  Yes, you will need to do this for each new hotfix.  Maybe there is a way to manually execute the jar on the server so that you don't have to mess with this update URL mess.

Your mileage may vary, this is an Adobe product after all.  
