[Looking for Charlie's main web site?]

CF security update (March 1 2019), part 2: further details, prevention, and more

This is my part 2 post which follows onto the Part 1, released the night of March 1, when the new CF updates were released as an emergency update. If you've not yet read that, do that first, to get some basic info and needed context for what follows.

And if you HAVE already read part 1, if it was before Saturday morning, do go back and reread it. I had added some important info that I thought shouldn't wait to Part 2, which I knew could take me a while. See especially the sections there, "A brief introduction to the vulnerability and the fix", "Should you be worried?", and "What if you can't apply the update immediately, and can't wait for part 2?".

And my apologies for the delay in getting part 2 out. For various reasons, including related to additional research work I'm doing on this exploit beyond CF, I was unable to post this then. Better late than never, I hope. Indeed, I had listed quite a lot in Part 1 that I hoped to cover in a part 2. I don't want to delay getting this out any later, so I will get done today what I can and post that, and carry over into a part 3 (or beyond) whatever remains. There are some natural breaks, fortunately. Thanks for your patience.

Following are what I cover here in Part 2:

  • More detail about the vulnerability and what was "fixed"
  • Wouldn't an antivirus package on the server detect this sort of trojan?
  • How to add further protection from it (especially if you may be unable to implement the update for some reason)
  • Considering running a security scan of your CFML code
  • Consider implementing a web application firewall
  • How to prevent execution of the files used in the attack, if they may already be on your server
  • Another benefit of applying the latest updates
  • What about Lucee?

[....Continue Reading....]

Urgent CF security update released March 1 2019, for CF11/2016/2018, Part 1

This is an urgent announcement to ColdFusion users: Adobe has released a security update today, March 1 2019, for CF 11 update 18, CF2016 update 10, and 2018 update 3.

All CF shops are urged to install this update immediately, to implement new protections against a known attack happening in the wild. It's identified in the associated Adobe Product Security Bulletin, APSB19-14, as a priority 1 critical vulnerability.

I will add that I can vouch personally for the significance of the vulnerability, as I reported it to the Adobe Product Security Incident Response Team (PSIRT), and I proposed the fix which was implemented. (I also know what was done specifically to perpetrate the attack, and the very negative consequences of what happened once the server of a client of mine was attacked. You don't want this to happen to you.) I plan to share much more in a part 2 post (now posted, but do see below for the context it builds upon).

(In the meantime, I have tweaked this part 1 since originally posting it, to share more here.)

[....Continue Reading....]

Are you still running CF11? Beware its countdown clock is ticking

For those of you running ColdFusion 11, did you know that the countdown clock is ticking toward its end of support by Adobe?

After April 30, 2019, Adobe will no longer provide any updates for CF11, so there will be no security patches or hot fixes for CF 11 after that. Of course, updates for CF2016 will indeed continue into Feb 2021, while CF2018 updates will continue into July 2023. And we could expect CF2020 (when it comes) to by supported into 2025.

How do I know this? Where does Adobe say it? And can one buy support (yes) to "buy extra time to get such CF11 updates beyond April" (no)? And what about CF11 support for Java 11 (no)? Finally, could you use help in moving off CF11 to CF 2016 or 2018? For more on each of these, read on.

[....Continue Reading....]

Fixing CF: "Hey, how come ColdFusion debugging output is not showing up in my localhost testing?"

This is a problem that has troubled many CF users for some years (especially as they have moved to later operating systems): they find that ColdFusion debugging output does NOT appear to them when testing using a URL with "localhost" for the domain name but it DOES appear if they use the 127.0.0.1 ip address instead.

And sure, they could change to just using the ip address, but they wonder why it fails with "localhost" and whether they can fix things so that it does? In this post, I offer the explanation and solution.

In brief, the problem happens when the OS you're working on processes your "localhost" request via ipv6 (if it makes the request as ::1), rather than ipv4 (as 127.0.0.1).
  • One option could be to edit your hosts file to force 127.0.0.1, and that should work
  • But another would be that if you knew about your localhost calling with the ipv6 address of ::1, you should be able to add that to your CF Admin "debugging ip addresses list" (or use its "add current") button. But you will find that if you try that, it will change to "0:0:0:0:0:0:0:1", which does not solve this problem. I have a workaround for that, editing the neo-debug.xml.
Adobe could fix that last problem (and I have filed a bug report, CF-4203295), but until they do, here's a workaround and explanation of things.

And this latter point, of the inability of the Admin to accept ::1--and on the matter of editing that file--is the real focus of this post.

[....Continue Reading....]

On ColdFusion and its support for Java 9, 10, and 11

(This post was written originally in May 2018, 2 months before the release of CF2018 and a few months before the release of Java 11. I have updated it some to reflect changes in that.)

Wondering about CF support for Java 9, 10, or 11, here in 2018 (with respect to CF 2018, CF 2016, CF 11, or earlier)? Did you know that Java 9 and Java 10 each have only 6-month lives? Seriously. And did you know that Java 9 is already no longer updated, while Java 8 still is (into next year), and that Java 11 is due to come out in September 2018? It can be quite confusing if you've not been paying attention to Oracle's new release model.

What does all this mean for Adobe and CF, and CF users? What versions of CF do, do not, and/or may support these various recent Java versions? The good news is that CF 2018 will come out running (and the second public beta does come running) on Java 10 (no word yet on Java 11). But what about other recent CF versions?

Read on for more.

Update: CF2018 did come out as expected in July 2018, and at first it came out supporting Java 10. Then after Java 11 came out in late 2018, Adobe updated both CF2018 and CF2016 in early 2019 to support Java 11 (or you can continue to use Java 8 while it's supported by Oracle). Adobe also announced in Jan 2019 that they had reached an agreement with Oracle licensing Java for commercial use with CF. You may want to read my post on the CF portal discussing further when the April 2019 updates for Java 8 and 11 were released by Oracle.

I leave what I wrote below for posterity/historical perspective.

[....Continue Reading....]

Some recently added (and evolving) documentation of the CF Admin API

You may be aware of the CF Administrator API, a way to implement most CF Administrator features programmatically, by way of a set of CFCs implemented within CF (as introduced in CF7). But have you ever wished for some complete online documentation of the many (18) Admin API CFCs, including their methods and arguments?

If so, I have some very good news--and some not-so-good news. (Some may know that you can find this info also by running the CFC Explorer--more on that in a moment.) The unfortunate news is that it's not yet COMPLETELY documented, but it's still a good start.

[....Continue Reading....]

Why you should think twice about leaving on the "public JRE" option of the Java JDK installer

This is a follow-up to a post I did in late 2014, CF911: 'Help! I've updated the JVM which ColdFusion uses, and now it won't start!'. In that post, I listed about a dozen common problems that befall people who try to update the JVM that CF is using (and it and this post apply as well to Lucee or BlueDragon, or indeed any Java application server).

In this post, I want to elaborate on one more common mistake. Well, mistake may be too strong word. It's about a default option when you run a Java JDK installer (see the other post for more on JDK vs JRE options).

In short, I make the case here for why you should NOT let the JDK installer implement its "public jre" option.

[....Continue Reading....]

How to solve common problems with applying ColdFusion updates (in 10 and above)

While ColdFusion 10 and later releases add a new automated update installation mechanism, what do you do if the update doesn't work? The answer may be simple on the surface, but not obvious to most. (And you'll likely be in panic mode.)

Many find after applying a ColdFusion update that either CF won't start at all, or they can't access the ColdFusion Admin, or some part of CF or their app doesn't work. The problem may be simply that there was an error in the update process CF did, and it may be rather easily confirmed and resolved.

In this post, I share several tips and observations to help resolve this, based on my years of providing remote CF troubleshooting support.

The TLDR version:
  • Check the ColdFusion update log--not logs in the normal CF "logs" folder, but the update's "install" log, and a specific table of successes and errors there. More detail below.
  • And if there ARE errors, try stopping CF (and its related services) yourself, and then try the update again. Again, more below.
  • Finally, if that still fails, then manually apply the update from the command line. I share more on that below also.

If that's enough to get you going, great--especially if you ARE in panic mode! (If the "problem" you need to solve, instead, is that you can't get CF to show you updates because you're behind a firewall preventing outbound internet access, I help with that also, toward the end.)

For most people, though, even those "simple things to do" can prove challenging (and understandably so). And you may find different resources on the web offering perhaps truncated discussions of the topics, which is why I elaborate on things in this post.

And even if you're in a panic, it may take only about 10 minutes to read this whole post. (You can also hire me to help instead, of course. See the link above.) Hope the info to follow is helpful for you.

[....Continue Reading....]

New whitepapers from Adobe on ColdFusion 2016: lockdown, migration, and performance

Note: This blog post is from 2016. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Continuing my series of posts on new things in CF2016 which some may miss,there are some new resources from Adobe about CF 2016, posted in recent days. (I suppose we may see a post from Adobe on their blog at some point, but I wanted to share it in the meantime.)

You can find them listed as "whitepapers" at the bottom of ColdFusion.com (as I view it today, at least), so keep an eye there to see if perhaps any others may ever be added.

Here are the docs, with some observations also about their size and version, if available:

[....Continue Reading....]

ColdFusion 2016: Changes in the CF Administrator

Note: This blog post is from 2016. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
As folks continue to explore ColdFusion (2016 Release), aka CF2016, regarding what's new or changed, I thought I'd put together a listing of what has changed in the CF Admin specifically. This is another in a series of posts I started last week on CF2016.

[....Continue Reading....]

More Entries

Copyright ©2019 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting