Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Adobe has come out with a new security hotfix for a very serious attack on ColdFusion servers which had hit many (perhaps most) CF shops over the past couple of weeks, and it's vital that all shops apply that fix. (Even if you think you've protected yourself in other ways
There is a new Adobe CF blog entry pointing to the new hotfix, and I point that out rather than the technote for the hotfix itself, because as often is the case, there has been some useful discussion related to applying the fix.
Indeed, there's a warning I've shared there about a problem (hopefully temporary) with the hotfix file for users of ColdFusion 9.0.2. (Update: the confusion about 9.0.2 is resolved. The technote has been corrected. See the comments in the Adobe blog entry for more details.)
Users of ColdFusion 10, 9.0.2, 9.0.1, and 9.0 should certainly proceed to implement the fix.
I address several questions and other observations about this hotfix below.
"Where can I learn more about this hotfix?"
Well, the security bulletin for the hotfix has more information, as does a security bulletin that Adobe posted last week and has updated today. And the bulletin points to a technote which has some more details and the specific steps for applying the hotfix.
Also, some readers will know that I posted two recent blog entries with information about the issue when it was first discovered two weeks ago (before any hotfixes or bulletins had been offered):
- Serious security threat for #ColdFusion servers, now covered by a hotfix (I've renamed the first two entries now that a fix is available)
- Part 2: Serious security threat for #ColdFusion servers, now covered by a hotfix
Of course, my goal with these was not to propagate information that could lead others to exploit the vulnerability, so I had to be careful in what I shared. Also, more has been learned about the issue since then. In particular, note that besides blocking public, unfettered access to the /CFIDE/adminapi and /CFIDE/administrator directories, it's become clear that you should also now protect the /CFIDE/componentutils directory (used by the CFC browser, which has been in CF since CF 6).
As I discuss in those entries, the best thing is to make it so these directories either are only accessible on the local server running ColdFusion, or you require some additional web server authentication (besides the ColdFusion Administrator password).
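Here is what that web server restriction can look like, as an added example that is not from the original post or from Adobe's lockdown guides. It assumes Apache httpd 2.4 sits in front of ColdFusion; the htpasswd path is a placeholder.

```apache
# Added example: lock down the three CFIDE directories named above at the
# web server, so the CF Administrator password is not the only barrier.
# (?i) makes the match case-insensitive, since on a Windows host
# /cfide/Administrator reaches the same directory as /CFIDE/administrator.
<LocationMatch "(?i)^/CFIDE/(administrator|adminapi|componentutils)(/|$)">
    # Option A: only requests originating on the CF server itself.
    # Apache 2.4 syntax; 2.2 would use Order/Deny/Allow instead.
    Require ip 127.0.0.1 ::1

    # Option B (use instead of A): require web server authentication in
    # addition to the ColdFusion Administrator login. Uncomment these four
    # lines and remove the "Require ip" line above.
    # AuthType Basic
    # AuthName "ColdFusion Administrator"
    # AuthUserFile /path/to/cfadmin.htpasswd
    # Require valid-user
</LocationMatch>
```

Put this in the server-wide configuration rather than a single virtual host, so it covers every site the ColdFusion connector serves, not only the one where you happened to create a CFIDE directory.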
I'll offer still more information and post mortem in a planned (at least) Part 4 blog entry.
"What if I protected those folders already? Do I still need to bother with the hotfix?"
I would absolutely recommend that every CF 9 or 10 shop apply the hotfix. As I discuss in the part 2 entry above, there is a way that a site could still expose these directories EVEN THOUGH YOU DO NOT HAVE ANY FOLDER OR VIRTUAL DIRECTORY FOR CFIDE in the site. Adding the hotfix (well, applying it properly) will ensure that the vulnerability cannot be exploited if someone can get past your web server defenses.
Also, since hotfixes are cumulative, applying this latest one will also give you the benefits of the previous ones, of which there have been several for CF 9 and 10.
(I don't see that as a "problem", but rather as Adobe being responsive to close holes when they are found. All software, and especially all web-accessible software, is susceptible to vulnerabilities, as even the recent java browser plugin scare showed.)
"I'm on ColdFusion 8. When will Adobe release a fix for that?"
Sorry, friend. Adobe no longer formally supports ColdFusion 8, as of the release of ColdFusion 10. This is the long-standing pattern for ColdFusion support. This is another good reason to consider moving to ColdFusion 9 or 10. (If you may wonder, "what are the changes in CF10?", as Jimmy Durante used to quip, "I gotta million of 'em". Ok, how about 200? See Charlie Arehart's Ultimate List of 200+ New #ColdFusion 10 Features.)
"I'm running CF 9.0.2. Why shouldn't I apply the fix (yet)?"
I mentioned at the opening that those running ColdFusion 9.0.2 should beware applying the new hotfix.
Sadly, at least in these first few hours since its release, the cf902.zip file pointed to in the technote does NOT include the needed web-inf.zip file that is referred to in the instructions. I fear that many people, who by now may have applied these sorts of hotfixes dozens of times, may not read the note carefully enough to even notice that they are skipping a step.
It's not clear what the implications would be if a shop put the hotfix jar and CFIDE updates in place (which ARE provided in their respective zip files) but did NOT put the updated web-inf files in place. So until Adobe updates the hotfix with the missing zip (again, web-inf.zip, which should be found in cf902.zip), it seems best for 9.0.2 shops to not yet apply the fix (as much as it pains me to say that.) As always, forewarned is forearmed.
When this issue is corrected, I'll edit this entry to strike out this section.
"I have CF10 but don't see the update in the CF Admin. Where can I download it, and how would I apply it?"
This seems to happen for some people with each update (fortunately, it doesn't seem to happen to most). There are three ways to answer that, each more generally useful for future fixes than the last:
- First, if you really JUST want the URL to download this one hotfix, it's http://download.adobe.com/pub/adobe/coldfusion/hotfix_007.jar
- Second, if you would like a URL to be able to see all the CF10 hotfix jars, there is a URL for that. Note, though, that it's an xml feed, so you may or may not see the results easily, depending on your browser: http://download.adobe.com/pub/adobe/coldfusion/xml/updates.xml
- Finally, if you want instructions on how to apply that hotfix manually for CF10, or want a LOT MORE information on the CF10 hotfix mechanism in general, see this excellent resource available as an Adobe CF Blog entry: http://blogs.coldfusion.com/post.cfm/coldfusion-hotfix-installation-guide. I like to refer to that as "50 faqs on the CF10 updater". Great job, Krishna.
"I get an error, 'Failed checksum verification', while applying the hotfix on CF10"
I'm repeating this "old news" because I suspect there may be lots of shops who may for the very first time be applying any of the CF10 hotfixes. The good news, again, is that they are cumulative, so you'll get all the updates by applying just the latest.
The bad news, if this is your first attempt at any CF10 updates, is that you will get this error, 'Error occurred while downloading the update. Failed checksum verification', because of a very unfortunate problem at Adobe that happened right after CF10 came out (though it's not related to CF10, and it's not at all a "CF bug" or "mistake by the CF team").
The solution is simply: you need to apply the "mandatory update" first, and THEN apply any other CF10 updates.
The problem was an issue with an Adobe certificate (used for verification of automated downloads for all Adobe software, not just CF). It just happened to hit right after CF10 came out, so it looked to many like a "CF problem".
For more background, see the discussion, especially the comments, in the CF Blog entry on the mandatory update, from the timeframe when it was released.
"I'm scared/annoyed by these security breaches. Why hasn't Adobe done more to protect CF?"
We've been hearing this one a lot more lately. To such folks, I would repeat what I said in the previous two blog entries: Adobe HAS given you the information you need to make CF more secure, in the lockdown guides that have existed for CF10, CF9, and CF8.
Some of the challenges you face are things that they cannot reasonably protect for you, so the guides discuss added measures that you can and should consider. The sad truth is that many who knew about the guides still ignored their recommendations (the old "it won't happen to me" syndrome), while those who did follow them, and who were hit by the recent exploit, found that either the exploit could access nothing, or it exposed so little that the hackers moved on. There is specific evidence one can look for in their logs to confirm that, as I have done with many folks over the past couple of weeks. Again, I plan to share more about that in a part 4/post mortem entry.
Second, and as important, note that CF10 has specifically been updated for improved security. In fact, one aspect of the recent exploit was indeed prevented from working on CF10 servers. There are many aspects of CF10 that are just more secure out of the box, and still others are made more secure by your choice (offered during installation) to enable what's called the "secure profile". For more information, see the CF 10 documentation as well as this article from CF security czar Shilpi Khariwal, Security improvements in ColdFusion 10, which itself ends with pointers to the docs and still other resources.
"Can't I just get someone to help take care of this stuff for me?"
You can, indeed. There are two resources I'd like to point out, first my own services, and those of others.
My own consulting services
I didn't mention this in my first two entries on this, because my focus really was just to get the info out ASAP, but I do provide CF server troubleshooting services as an independent consultant. I can help folks remotely (yet no need to provide me remote access), generally very quickly (many problems can be solved in less than an hour), and on-demand (or scheduled). For more on my approach, rates, and even my satisfaction guarantee, see my consulting services page.
Indeed, I was so busy helping my clients (old and new) the past week+ that I just have not had time to write that post-mortem entry, but I hope to do so this week. With the release of the hotfix today, though, I really wanted to get this part 3 out. And as you can see, these are never just quick notes (and certainly far more than could ever be communicated in a tweet, though I did tweet about the hotfix earlier today, as soon as I saw it. Different media for different messages.)
In fact, if I'm ever too busy, or unavailable, or you may want to consider others, I don't begrudge that. In fact, I'll even point you to them, whether for security or general troubleshooting.
Services from others
When it comes to CF security consulting, I point people to Pete Freitag and his company, Foundeo. He's become the go-to guy in the CF community for consulting, and since it's such a specialized area, I have tended to just point people in his direction when they wanted security consulting. (Pete also wrote the CF 9 and 10 lockdown guides.)
That said, I've learned in this experience that I can certainly help people get a LOT closer to being secured than if they've done nothing at all. And I can certainly help them. I liken it to the difference between seeing a neighborhood clinic and seeing a specialist. The former can certainly help with a lot of important needs, but there's no question that there are times when you'll want to bring in the specialist. :-)
Beyond Pete, I'll note as well that I even have a resource on my site pointing you to still others who can help. See the category CF-oriented Troubleshooting Consultants in my CF411 catalog of over 1700 tools and resources for CFers. Pete's on that list of consultants, too! :-)
Some might call it crazy that I'd share links to my competitors. Others might call it confident. I prefer to let my customers/prospective customers decide, and you can read what they've had to say. :-)
A free CF security scanning service: HackMyCF
Separate from my mention of Pete and Foundeo above, let me point out also that they offer an excellent free service called HackMyCF, which can help you at least assess how much help you need (how vulnerable you are to many important CF security concerns), and can provide you info you need to address the problems yourself (or have someone else help you).
I had mentioned it as a comment in the Part 2 entry, but had not promoted it in the main entry because at the time it did not identify this particular exploit. But Pete has since updated it, so I do want to point it out again.
With the service, you point it to your site, and it will (from the outside) try to detect various vulnerabilities. It's not performing a full-scale scan of your application; it's looking for several high-level things that are often the crux of CF security problems.
Indeed, even though it did not (then) detect this recent vulnerability, it would at least have pointed out any of the many other opportunities for improvement (including many in the lockdown guides), and again, those who had applied them would likely have exposed less information if the hackers did exploit this vulnerability.
And if you really like what the HackMyCF service does, note that there is a commercial version of the tool, discussed on the site, whereby you place a probe (a simple CFC) within your site, which the service can then call to check for still other vulnerabilities that simply can't be identified "from the outside".
So even if you won't read the lockdown guide, or won't hire anyone to help you, do at least run Pete's free tool against your site. It's fast, free, and won't cause any harm in running.
That said, he does require that you provide an email with a domain on the site you want to test, as a way to confirm you really do represent that site. The email is also used to email you the report, with recommendations and help. You won't be spammed. Don't delay using the tool.
The end (well, of Part 3). More to come
Phew, lots to cover, lots to consider. I think this event, though painful to some, has been a real wake-up call, and for that, we have to see the silver lining in the cloud.
I may come back and move some of these sections into their own blog entry, as some deserve to stand on their own, and may be missed by those who won't wade through all this when looking for that specific question to be answered. We'll see. If I do, of course I will change the appropriate section here to point to that new entry, in context.
Finally, look for part 4 in this series to come soon, I hope.
And let me know your thoughts on the above, and this whole incident. Again, there are pluses and minuses, on all fronts (the bad guys, Adobe's response, my entries here, and so on). Hey, it's a fallen world, which is ours to live in, and to find hope, solace, grace, and fellowship where we can.
"As always, just trying to help."
(I was just going to close with that, unquoted, but I do find myself writing it a lot, to clarify where I'm coming from even when saying things some may not like to hear or might misconstrue. I guess if I had to have a catch phrase, it's not a bad one to adopt!)