[Looking for Charlie's main web site?]

CF911: Have you updated your #ColdFusion JVM to _24 yet? Important security fix for CF 8/9

Posted At : October 28, 2011 11:06 AM | Posted By : Charlie Arehart
Related Categories: admin, cf911, java, security, troubleshooting
This isn't new info, but you may have missed it. If you're running CF 8 or 9, did you know you can and should update the JVM that came with it? And that you have Adobe's blessing to do this update? This is because of a serious bug in the JVM that is not fixed until 1.6.0.24.

Both CF 9.0 and 9.01 run on older JVMs (and therefore need this update). And are you on CF8? You're not left out: Adobe even has confirmed this update can be applied to CF 8 and 8.01, too!

Update: Since posting this note some have kindly pointed out that Java has been updated beyond update 24, and indeed to Java 7. I did realize that, but didn't mention it simply because u24 is all that Adobe has (for now) certified CF to support. Still, for the sake of completeness, I want to clarify this now and I'll address it more in the final section below.

Old news, but not everyone knows

Someone mentioned today on a list that they'd seen news from Oracle of this important bug (and fix) for the JVM, which can cause someone to crash the JVM using a particular URL string. He also noted that while Oracle had released the fix some months ago, he lamented that "This issue doesn't seem to have gotten too much interest from Adobe."

I explained that in fact Adobe had addressed it, also some months ago.

Adobe's response

Adobe offered a technote on the issue in March 2011.

In fact, they not only confirmed support for (and recommended updating to) the fixed JVM version, 1.6.0_24, but they even (for the first time in years) approved updating to this JVM version for CF 8 and 8.01. Since those ran on very old JVM releases, which had problems not fixed until JVM update 10, this was really good news.

But as his note conveys, word just had not gotten out as much as it could. Beside his thread on that list, I hope now that this blog entry will help reach more people.

More about the bug

If you want to know more about the bug from a CF perspective, check out this blog entry (from several months ago by David Stockton, of cfconsultant.com). He explains the problem/risk as well as shows how to cause the problem (to confirm when it's fixed), as well as some useful extra info on using FusionReactor to help diagnose it.

How to update the JVM for CF

So if you're now persuaded, you may wonder how you go about updating the JVM. You may fear it's like doing open-heart surgery. It's more like getting a mole removed. :-) It could go wrong, but will barely be noticeable if done right.

There are many blog entries that walk through the few simple steps. Find out more from Ryan Stille, Mark Kruger, and Adobe, to name just a few.

While it's not too hard to do, there are just a couple of potential gotchas: be sure to get the JDK not the JRE, and pay attention to the special path format that's needed when pointing to the JVM on Windows.

So if you're on CF and have not yet updated the JVM, seriously consider it.

What about updates beyond u24?

This is an update since I posted the entry above. As you'll see in the comments below, some folks were kind enough to write in and point out that there have been JVM updates since u24.

I did realize that, and do appreciate their wanting to share the info. I'd not mentioned updates beyond 24 simply because I would not propose (myself) that anyone now update beyond the release for which Adobe has certified CF. (At least not until compelling reasons arise and substantial community testing suggests it may be safe, as happened with CF8 and the u10 update. Even then, you are risking being out of bounds for support by Adobe, so should make such a change with caution.)

The whole point of this entry was that u24 HAD in fact received Adobe's blessing, for CF 8 and 9, which was pretty compelling and seemed to have been missed by some when it happened earlier in the year.

Anyway, one more tip: in case anyone may find it hard to locate the older updates (like u24) on the Oracle site, here is a link (which works, at least, for now):

http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-javase6-419409.html

Again, be sure to get the JDK (development kit) not the JRE (runtime environment) among the options listed there.

Comments (17)

New "ColdFusion 8 developer security guidelines" at Adobe DevCenter

Posted At : October 22, 2007 9:46 PM | Posted By : Charlie Arehart
Related Categories: cf8, security, basics
I haven't seen much mention of this elsewhere, but I happened upon a new 47-page whitepaper called "ColdFusion 8 developer security guidelines", by Erick Lee, Ian Melven, and Sarge Sargent. It's listed in the Adobe Security DevCenter, which shows it having been posted as of today.

Like other whitepapers that have been put together by Adobe, Macromedia, Allaire, and others, this one offers overviews of key concerns along with proposed best practices.

Is it complete? Does it really need to be?

As with any such document, there will be debate among some readers about whether the practices are always really the "best". It's inevitable. But let's give credit that the authors do try to give a rather brief round up of the features, their options, and the impact of choices.

Just as Ben's famous CF "Certification Study Guide" is a quick summary of key things in CFML (and no substitute for the complete ColdFusion documentation or the WACK books), so too would I argue that this guide is a quick summary of important points to consider. Readers would do well to understand the issues completely, both in terms of the generic concerns they raise and the specifics of CFML features and options. For that, the docs and other books would be great resources.

Still, many readers won't have time for that, so despite the fact that some may pick it apart, it will serve a large percent of the community who might otherwise have no knowledge of the concerns and configuration features. For that, we should thank the authors.

Its sections

The document is divided into the following sections: Authentication, Authorization, CFCs, Session Management, Data validation and interpreter injection, Ajax, PDF integration, .NET integration, HTTP, FTP, Error handling and logging, File System, Cryptography, Configuration, Maintance and References.

Earlier editions, and what's updated in the CF8 guide?

While the guide does focus on CF8, there is another version of the document for those running CF7, the "ColdFusion 7 developer security guidelines". It, too, is by 2 of the 3 authors of the other whitepaper, Erick Lee and Sarge Sargent. It's only 33 pages, and it too is listed at the Adobe DevNet Security Developer Center, where it show it having been updated as of Oct 2007.

You might think that the CF8 guide is updated only to refer to things new in CF8, but in fact I find some things in the CF8 guide that are not in the CF7 guide, but are not new for CF7. Perhaps they decided to expand the CF8 guide in ways that they didn't push back down into the CF7 guide (understandable if time was limited). That means that CF7 developers may want to read the later guide, though they'd have to ignore features that are indeed new to CF8.

For instance, I found a discussion of the trusted cache feature only in the CF8 guide (more on that below). I didn't do a careful comparison of what's different.

BTW, I'll add that I found references in searches both on the Adobe site and Google to a version of the security guidelines at a URL that no longer works. Since I couldn't access it, I was unable to determine how this CF7 version was updated (or if it was simply renamed, to distinguish it from the new CF8 version. Perhaps the authors can comment here if they read this entry.)

Where to offer feedback?

That last comment brings up a concern I have with the whitepapers offered on the Adobe site (and the articles offered on the Developer Center, as well, of which I've been an author recently.) There's no place for folks to leave feedback. It would be nice for there to be a place to have discussions about the things written in such whitepapers or articles. (The Devnet articles do offer a feedback link, but it's one way, not an open discussion.)

I'm sure some will want to comment on or trade best practices regarding the topics in this paper. Also, I'd like to share at least one error I found: in the discussion of the trusted cache feature, it's described as, "Enable Trusted cache in production environments. When enabled, ColdFusion will only server requested templates held in its memory cache. This provides performance gains but also prevents ColdFusion from running hacked or invalid templates."

Yikes. I wonder who wrote that (and who missed it during any review).That's not the purpose of trusted cache at all. It's about whether the server should look to disk to see if a template, once compiled and loaded into memory, has changed on disk. The server always only serves (not the typo, too, "will only server") pages held in its memory cache. Using trusted cache is certainly a performance gain, but I really have no idea what the reference is to "hacked or invalid templates". That makes me think the person writing this has a very wrong idea about the feature. But I'm not meaning to rip the guidelines. As I said earlier, I'm sure that many will find them very useful, and since folks rarely read the docs, it's a nice way to condense into 40+ pages some key points. I'll let others comment here about any other concerns they have. At least it will serve as one place to have such discussion. If there's a better place, I'll welcome people pointing to that.

Comments (10)
BlogCFC was created by Raymond Camden. This blog is running version 5.005.

Managed Hosting Services provided by
Managed Dedicated Hosting