[Looking for Charlie's main web site?]

Part 3: Adobe hotfix released for "Serious security threat for ColdFusion servers"

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Adobe has come out with a new security hotfix for a very serious attack on ColdFusion servers which had hit many (perhaps most) CF shops over the past couple of weeks, and it's vital that all shops apply that fix. (Even if you think you've protected yourself in other ways

There is a new Adobe CF blog entry pointing to the new hotfix, and I point that out rather than the technote for the hotfix itself, because as often is the case, there has been some useful discussion related to applying the fix. Indeed, there's a warning I've shared there about a problem (hopefully temporary) with the hotfix file for users of ColdFusion 9.0.2. (Update: the confusion about 9.0.2 is resolved. The technote has been corrected. See the comments in the Adobe blog entry for more details.)

Users of ColdFusion 10, 9.0.2, 9.0.1, and 9.0 should certainly proceed to implement the fix.

I address several questions and other observations about this hotfix below.

[....Continue Reading....]

Part 2: Serious security threat for ColdFusion servers [now covered by a hotfix]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Since I posted my entry earlier today about a Serious security threat for #ColdFusion servers [not now covered by a hotfix], I have had many questions and discussions which lead me to share more info.

At first I was adding these as updates to the previous entry, but I fear that some who may have read it earlier in the day may then miss some of this new info, thus this "Part 2". You will definitely want to read part 1 before proceeding here.

[Update: And since writing this entry 2 weeks ago, Adobe has indeed now come out with a hotfix. I have more to say about that in the new Part 3: Adobe hotfix released for "Serious security threat for #ColdFusion servers". While you should proceed to get that fix in place, you'll likely benefit from reading parts 1, 2, and 3, as there's more discussed than just the thread and fix, itself, which could benefit you down the road.]

Among the new information shared below are such things as how the hack worked (not too much detail, though), how to determine what the exploit may have exposed, how to handle resolving things for many sites via scripting, how to lock down the /adminapi, /administrator, and /componentutils directories, and most important, why you should not skip all this just because "we already block all access to the CFIDE/adminapi" (and /administrator and /componentutils)". There may be exposure you're not considering.

[....Continue Reading....]

Serious security threat for ColdFusion servers [now covered by a hotfix]

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Hey folks, there's a fairly serious security threat out in the wild, and you may want to check if your server's been hit. (It may be old news to some, but for now it's hitting people in the past week or so.) It's been confirmed to have hit at least CF9 (9.01 and 9.0.2) servers, but it seems it would apply to as well to CF10 or down to CF 7, as it leverages the Admin API.

And note that it's NOT one that you're protected against by having applied CF security hotfixes. (Updated Jan 15 2013, as Adobe now has a hotfix for this. More below.)

There's quite a bit for you to consider regarding this recent threat, as I discuss here.

[....Continue Reading....]

How to tell what, if any, hotfixes have been applied to ColdFusion (9 and earlier)

Note: This blog post is from 2012. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
I often see people struggling with confusion over what hotfixes have been applied to CF. They may wonder "which have we applied?", or worse, they may not have applied any and just don't know "how to know" whether they have. I have good news, but it may not be the answer most would suspect.

The common answer offered is that one should use the "system info" page in the CF Admin, and its available "update level" field.

But I will assert that's not the "right answer" after all, or certainly not the "best answer" to really know what hotfixes (plural) have been applied. Know why? If not, I'll explain here, and I'll show what I would say is the "right" answer to "what hotfixes have you applied?"

[....Continue Reading....]

CF911: Latest CF Security hotfix technote updated (Mar 29) for issue with ColdFusion 8.0.1

Note: This blog post is from 2012. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
If you are running ColdFusion 8.0.1 and may have applied the latest CF Security hotfix (APSB12-06) since it came out Mar 13 2012, note that there was an update to that on Mar 29, 2012.

The good news is that you just need to update the one hotfix jar. While it is discussed in the technote for the hotfix, the note about this update is sadly (currently) at the BOTTOM of the technote. I'll repeat what it says here, to give it some more visibility:

Note - Updated on March 29, 2012

Following bug is reported for ColdFusion 801 against this security bulletin hotfix.

java.lang.NoSuchMethodError Exception is thrown while using cffile upload.

We have updated the hotfix files of ColdFusion 801 to include the fix for the above issue. Users who have already applied the hotfix for ColdFusion 801 can just update the hotfix jar.

I'm pretty sure this is fixing what some found to be a reliance in the hotfix on your having applied one of the specific Cumulative hotfixes, but if someone had not, or if they inadvertently removed the CHF during the process of adding this single one, things would break. I'll note that the HF technote above does say very specifically what jars to remove, when applying the hotfix. Some people in haste instead delete all the hf and chf jars, or delete chf hars when it says to remove only hf jars. They so look similar in name.

I cover this issue of being careful about applying hotfixes (there are other mistakes you can easily make) in another blog entry I did, CF911: Are you finding CF (or CF Admin) busted after applying a hotfix? Three possible reasons.

And before someone chimes in to lament, "this is what's so wrong with the CF hotfix process, that mistakes can be easily made", I cover that too. The short answer is that Adobe is addressing this in CF10, and may even offer something to help us later for CF 8 and 9. We shall see.

Applying CF security hotfixes: do it from oldest to newest (depending!)

Note: This blog post is from 2011. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
If you may be applying several security hotfixes to a new implementation of CF (or one where none have been applied before), you may wonder if there's any significance to applying them in either chronological order (newest to oldest, or oldest to newest). The technotes don't really clarify this.

Update: Great news. It turns out that just days before I wrote this entry in late 2011, Adobe had in fact addressed and resolved this problem (quietly, I'd say) by making security fixes written from Dec 2011 (apsb11-29) on now have 2 sets of steps, one for if you HAD applied the security hotfix previous to it, and one for if you HAD NOT. And this has proven to be the case for the next few, as I write this update in late 2012. So we can now consider them effectively "cumulative", for those from Dec 2011, on. You need only focus on the latest, and follow either of its 2 provided sets of steps.

That said, I'm not 100% sure if all those from Dec 2011 include all ones prior to that. Has anyone tested things to know?

I'll leave the rest of the note below here for posterity, but stricken out.

[....Continue Reading....]

CF911: Are you finding CF (or CF Admin) busted after applying a hotfix? A few possible reasons

Note: This blog post is from 2011. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Many people have reported that they find after applying certain ColdFusion cumulative hotfixes (CHFs), security hotfixes (SHFs) and hotfixes (HFs) that either CF Admin or perhaps even some feature of CF is busted.

The "good" news is that there are at least a few really common explanations of what may have happened, which I'll explain them here. Once you consider them, you may find either that you can confirm this is what happened (and fix it), or if nothing else you can keep it in mind if you're ever applying them yourself in the future.

[....Continue Reading....]

CFMyths: "If/when I apply Cumulative Hotfixes, I need apply only the latest CHF, right?"

Note: This blog post is from 2010. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
This is the second post in my planned CFMyths series. In the first, I addressed the myth that "When I download CF to install it from scratch, it has the latest fixes/updaters".

Here's the next, related, myth:

True or False: "If/when I apply Cumulative Hotfixes, I need apply only the latest CHF, right?"

For instance, let's say you're currently running CF 9 update 1 or CF 8.0.1 and discover (perhaps due to my last blog entry) that you had never applied any of their associated CHFs. It would seem you should just be able to apply the latest CHF and not bother with anything related to the previous ones, right?

Answer: Well, yes and no.

[....Continue Reading....]

CFMyths: "When I download CF to install it from scratch, it has the latest fixes/updaters"

Note: This blog post is from 2010. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Today I'm starting a new series on CFMyths, some common misconceptions that I find myself often helping correct on lists/forums or with my troubleshooting customers.

First myth up for consideration:

True or false: "If/when I download CF to install it from scratch, the installer has all the latest fixes (updaters, at least)"

Answer: False (generally). For instance, if you download CF9 today (Dec 2010), you still get CF 9.0, released originally in Oct 2009. You don't get the latest updater (9.0.1 as of this writing, released July 2010), though its existence is at least mentioned on the page, nor of course does it then include any hotfixes or cumulative hotfixes.

Why not, you may wonder? I'll explain more in a moment, along with more about hotfixes and updaters as concepts (and where to find them specifically, for each CF release).

[....Continue Reading....]

Get your fill/feeds of Adobe ColdFusion Technotes, Hotfixes, Security Bulletins, and articles

Note: This blog post is from 2008. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Ever wish you could be notified when there's a new CF technote, hotfix, security bulletin, or DevCenter CF article? You can be, whether via your favorite RSS reader or by email (more below). There are feeds for each of the following:

Don't have an RSS feed reader? Get them by email

If you don't have an RSS feed reader, or you simply prefer to receive such things by email, you can. Check out the various RSS-to-Email tools (all free) which I list in my category, "RSS to Email Tools", in my list of over 100 tools and resources for CFers.

Adobe Feeds for Other Products

If you're interested, you can find many other feeds across all Adobe products at http://www.adobe.com/support/rss/.

Beware of older CF feeds

One last FYI: you may find reference on the web to the following old technote URLs, which do still work but have not been updated since CF 7, such as http://weblogs.macromedia.com/product_feeds/archives/coldfusion/index.rdf and this "ColdFusion news" feed.

Copyright ©2019 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting