I examined the latest Adobe ColdFusion Hot Fix (APSB10-11) this morning to 1) see which files have been updated to close security issues, and 2) judge whether my installations are currently vulnerable. The following is a listing of files specific to Adobe ColdFusion 9:
CFIDE/administrator/login.cfm
CFIDE/componentutils/login.cfm
CFIDE/wizards/common/_logintowizard.cfm
shf9000001/coldfusion/AIR/AIRUtil$ISyncManagerException.class
shf9000001/coldfusion/AIR/AIRUtil.class
shf9000001/coldfusion/orm/EntityQueryTable$InvalidEntityException.class
shf9000001/coldfusion/orm/EntityQueryTable.class
shf9000001/coldfusion/orm/hibernate/HibernateConfiguration$CFCLocationNotFoundException.class
shf9000001/coldfusion/orm/hibernate/HibernateConfiguration$ConfigNotFoundException.class
shf9000001/coldfusion/orm/hibernate/HibernateConfiguration$ConfigParseException.class
shf9000001/coldfusion/orm/hibernate/HibernateConfiguration$DatasourceNotFoundException.class
shf9000001/coldfusion/orm/hibernate/HibernateConfiguration$DatasourceUndefinedException.class
shf9000001/coldfusion/orm/hibernate/HibernateConfiguration$DuplicateEntityNameException.class
shf9000001/coldfusion/orm/hibernate/HibernateConfiguration$MappingGenerationException.class
shf9000001/coldfusion/orm/hibernate/HibernateConfiguration$MyFileFilter.class
shf9000001/coldfusion/orm/hibernate/HibernateConfiguration$SchemaExportException.class
shf9000001/coldfusion/orm/hibernate/HibernateConfiguration.class
shf9000001/coldfusion/rds/RdsRequestImpl.class
shf9000001/coldfusion/rds/RdsResponseImpl.class
shf9000001/coldfusion/rds/RdsServlet.class
shf9000001/coldfusion/runtime/JSONUtils$1.class
shf9000001/coldfusion/runtime/JSONUtils$JSONParseException.class
shf9000001/coldfusion/runtime/JSONUtils$JSONParseInvalidCharException.class
shf9000001/coldfusion/runtime/JSONUtils$JSONParseInvalidCharsException.class
shf9000001/coldfusion/runtime/JSONUtils$JSONParseInvalidTypeException.class
shf9000001/coldfusion/runtime/JSONUtils$JSONParseInvalidUnicodeSequenceException.class
shf9000001/coldfusion/runtime/JSONUtils$JSONParseOverflowException.class
shf9000001/coldfusion/runtime/JSONUtils$JsonQuery.class
shf9000001/coldfusion/runtime/JSONUtils$JSONSerializeBinaryException.class
shf9000001/coldfusion/runtime/JSONUtils$JSONSerializeComplexJavaException.class
shf9000001/coldfusion/runtime/JSONUtils$ParserState.class
shf9000001/coldfusion/runtime/JSONUtils$SerializerState.class
shf9000001/coldfusion/runtime/JSONUtils.class
shf9000001/coldfusion/server/DataSourceService.class
shf9000001/coldfusion/sql/DataSourceFactory$DataSourceException.class
shf9000001/coldfusion/sql/DataSourceFactory.class
shf9000001/coldfusion/sql/DataSrcImpl$ConnectionCache.class
shf9000001/coldfusion/sql/DataSrcImpl.class
shf9000001/coldfusion/sql/Executive$1.class
shf9000001/coldfusion/sql/Executive$ConnectionVerificationFailedException.class
shf9000001/coldfusion/sql/Executive$DataSourceAccessDeniedException.class
shf9000001/coldfusion/sql/Executive.class
When doing a ColdFusion install, I do not expose the CFIDE directory. If the files in CFIDE/scripts are needed, I copy those to another location and create a web server alias. The update JAR contains files from several areas of the application server, but nothing shocking. Interestingly, the original distribution version of the CFIDE/wizards/common/_logintowizard.cfm is not pre-compiled, whereas the version in the hotfix is. Out of curiosity, I decompiled the original and replacement versions and compared the resulting Java source. Without reformatting the result to a readable form, it's hard to tell exactly what changed -- something I don't have the time to do.
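To turn "judge whether my installations are currently vulnerable" into a repeatable check, here is an added Python script (my own, not from the post or from Adobe) that hashes every file inside a hot fix JAR and compares it with the copy deployed on the server, reporting each entry as ok, stale or missing. The deployment layout in deployed_path (CFIDE entries under the web root, everything else under a lib/updates directory) and the sample JAR built in demo() are assumptions for illustration; adjust the mapping to your installation.

```python
"""Audit whether the files shipped in a ColdFusion hot fix JAR are deployed."""
import hashlib
import os
import tempfile
import zipfile


def deployed_path(entry, webroot, updates_dir):
    # Hypothetical layout: CFIDE/* lives under the web root (or wherever you
    # relocated it), all other entries under lib/updates. Edit for your server.
    if entry.startswith("CFIDE/"):
        return os.path.join(webroot, entry)
    return os.path.join(updates_dir, entry)


def audit_hotfix(jar_path, webroot, updates_dir):
    """Return {jar_entry: 'ok' | 'stale' | 'missing'} for every file in the JAR."""
    report = {}
    with zipfile.ZipFile(jar_path) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            target = deployed_path(info.filename, webroot, updates_dir)
            if not os.path.isfile(target):
                report[info.filename] = "missing"
                continue
            expected = hashlib.sha256(jar.read(info)).hexdigest()
            with open(target, "rb") as f:
                actual = hashlib.sha256(f.read()).hexdigest()
            report[info.filename] = "ok" if actual == expected else "stale"
    return report


def demo():
    """Constructed sample: a three-file hot fix JAR against a partly patched install."""
    root = tempfile.mkdtemp()
    jar_path = os.path.join(root, "sample-hotfix.jar")  # constructed name
    webroot, updates = os.path.join(root, "wwwroot"), os.path.join(root, "lib", "updates")
    entries = {  # constructed contents; real class files are not needed for the check
        "CFIDE/administrator/login.cfm": b"<!--- patched login page --->",
        "shf9000001/coldfusion/rds/RdsServlet.class": b"\xca\xfe\xba\xbe patched",
        "shf9000001/coldfusion/runtime/JSONUtils.class": b"\xca\xfe\xba\xbe patched",
    }
    with zipfile.ZipFile(jar_path, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    # Deploy login.cfm correctly, leave RdsServlet at an old version, skip JSONUtils.
    deployed = {"CFIDE/administrator/login.cfm": entries["CFIDE/administrator/login.cfm"],
                "shf9000001/coldfusion/rds/RdsServlet.class": b"\xca\xfe\xba\xbe old"}
    for name, data in deployed.items():
        path = deployed_path(name, webroot, updates)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return audit_hotfix(jar_path, webroot, updates)
```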