Sunday, 30 August 2015

ColdFusion: exactly what you are installing when you install this recent security "hot fix"

Adobe recently released a security fix for a security issue in ColdFusion's Flash Remoting services. It impacts all versions of ColdFusion which ship with Flash Remoting (that's at least ColdFusion 9 through ColdFusion 11, but possibly older versions too). Only CF10 and CF11 have been patched; Piyush claims to have instructions for patching CF9, but for some reason is not being helpful about sharing them with the ColdFusion community.

This morning I read an article from ZDNet ("Adobe issues hotfix patch for ColdFusion vulnerability") wherein Adobe appear to have claimed that this fix is "a hotfix, otherwise known as a Quick Fix Engineering update (QFE update), [which] is a lightweight software patch". This is somewhat of a misrepresentation of reality on the part of either Adobe or ZDNet. I suspect ZDNet are just reporting what Adobe told them.

The "patch" that was released was rolled into all other previous fixes released for ColdFusion, and one does not have the option to simply apply the one-off security fix; one also needs to apply every single other fix Adobe have ever released for the product.

This represents quite a heavy regression-testing burden for anyone thinking of applying the patch. It is not just a matter of installing one small patch and then regression testing a small subset of potential touchpoints in one's CFML application; it means a complete regression testing of everything Adobe have "fixed" in previous patches. And given the ColdFusion Team have a habit of introducing new bugs with these monolithic updates they give us, this is not something that ought to be taken lightly.

To put things in perspective, here is a list of all the fixes shipped with this "quick fix engineering update", for ColdFusion 11:

Updater | Link | Issue addressed | Category
1 | 3777189 | IIS worker process hangs when IIS website configuration is changed.
1 | 3758172 | First request slow on IIS8 (Windows 8 and Server 2012).
1 | 3772978 | In certain scenarios, when ColdFusion server is hosted behind a firewall, ColdFusion application service does not start.
1 | 3785178 | CFSTOREDPROC is slow when returning many null values.
1 | 3759846 | ODBC Socket Data Source cannot be added on Windows.
1 | 3217374 | Geography/Geometry/HierarchyID data types are not supported.
1 | 3518916 | Assigning null to Boolean property throws an error while saving the object.
2 | APSB14-23 | Security fix
3 | 3728133 | Provide status while uninstalling ColdFusion update.
3 | 3737579 | 'Check for updates' button is not in sync with the notification bulb.
3 | 3738861 | Clicking on "Remove Selected" button in "CF admin > Security > Allowed IP Addresses" gives an error
3 | 3738871 | Updates not displayed correctly in case there are multiple updates available.
3 | 3741635 | Add sentence to "Maximum Number of Cached Queries" description in CF Admin
3 | 3741641 | Archive Wizard step indicators are in the wrong position for PDF services, Archive To Do and Archive summary pages.
3 | 3746060 | Help document showing ColdFusion 10 contents
3 | 3747483 | Clicking on verify button on PDF Services page in the Admin shows the text "YES".
3 | 3767633 | Importing car file from ColdFusion 10 into ColdFusion 11 breaks the installation.
3 | 3811279 | CFCExplorer not working for ColdFusion Interfaces.
3 | 3816133 | System Probe not working. HTTP request returned non-200 status code: Connection Failure.
3 | 3827088 | Update DataDirect driver version from 5.1.1 to 5.1.3.
3 | 3712885 | Name parameter of cfgridcolumn not honored with JS binding in grids.
3 | 3712909 | Grid pagination does not work with JS binding.
3 | 3737272 | Remove hard coded references to /CFIDE/scripts
3 | 3741341 | When using the cfgrid tag with groupField attribute set, grouping by a Boolean type column does not display the values for each group.
3 | 3741397 | Mask attribute of cfgridcolumn not honored.
3 | 3741675 | Clicking on the delete button in a grid deletes the selected row but results in an error.
3 | 3757675 | cfmap requires /CFIDE in scriptsrc path
3 | 3759630 | Using a CFGRID with a CFC bind fails for an incorrect JavaScript when more than 2 parameters are passed from a form.
3 | 3816340 | Image missing in the context menu for headers in cfgrid.
3 | 3741588 | ID returned by CacheGetAllIDs function for query objects does not work for cache methods like CacheGet, CacheRemove, CacheGetMetadata, CacheIdExists etc. | Caching
3 | 3846185 | cacheRemove(cacheGetAllIds()) throws attribute validation exception
3 | 3846186 | cacheRemove()'s exact=false behaves as exact=true if exact ID match is found
3 | 3849494 | CacheRemove throws an exception when one or more queries do not have cacheId attribute
3 | 3788135 | CFExchangemail: the "toID" attribute in the mails retrieved from a mailbox displays the primary email address even if the mail was sent to an alias. | CFExchange
3 | 3788148 | CFExchangemail: The CC, BCC, fromID and toID attributes in a retrieved mail do not display the display names. | CFExchange
3 | 3756738 | cfchart style value does not work in ColdFusion 11
3 | 3756754 | cfchart shows legend even when disabled by showlegend="false"
3 | 3756789 | CFChart uses space and border for empty title
3 | 3798825 | CFCHARTSERIES Pie Chart attribute "datalabelstyle" has no effect
3 | 3800311 | CFCHARTSERIES data attribute will not produce pie chart according to documentation
3 | 3812163 | Passing json file name as style attribute does not show the chart
3 | 3816026 | showLegend property does not override the property defined in style file
3 | 3849389 | Issues with pie chart when datalabelstyle is set to columnlabel or pattern.
3 | 3849267 | showLegend=true does not show legend on chart.
3 | 3824411 | Cannot override show3D value given in xml with tag-attribute value. The value given in xml style always takes precedence.
3 | 3430245 | Session gets lost on cflocation with J2EE Sessions and Cookies disabled | Core Runtime
3 | 3753710 | String member functions break existing code that relies on java.lang.String member functions
3 | 3800047 | setEncoding breaks cffile action="uploadall" with some empty file fields | Core Runtime
3 | 3486968 | Add Support for DB2 10 on Linux and Windows | Database
3 | 3740190 | queryAddColumn() casts to bit when preceded by bit column and QoQ had a prefixed ORDER BY
3 | 3765663 | QueryExecute ignores scale property in param struct with cfsqltype of 'cf_sql_decimal'
3 | 3779331 | Error when using Query of Query and SQL statements ending in semicolon
3 | 3780222 | Upgrade PostgreSQL JDBC driver | Database
3 | 3808734 | Enable dbvarname by default | Database
3 | 3738230 | Using top=x does not show the Filtered label for arrays.
3 | 3760258 | Images missing in debug output
3 | 3811006 | cftrace/trace reports incorrect line number
3 | 3854765 | cfdump for an empty array displays empty twice
3 | 3333862 | cfdocument/cfpdf scale="100" shrinks content
3 | 3567818 | Spreadsheetwrite: autosize does not work to re-size columns with datetime values.
3 | 3734792 | PDFs created by cfhtmltopdf are not accessible/tagged
3 | 3744503 | cfhtmltopdfitem doesn't support additional attributes
3 | 3744504 | Naming inconsistency of page number variables: pagenumber and lastpagenumber
3 | 3758430 | cfhtmltopdfitem units of margin attributes
3 | 3800030 | Spreadsheetaddsplitpane does not work when a spreadsheet object is added to an existing file using action = update.
3 | 3795400 | does not work as expected.
3 | 3724983 | Error in cftextarea and cfselect when setting a value using cfset and adding +1 to it.
3 | 3783403 | ExpandPath returns incorrect path when used with Mappings in Application.cfc
3 | 3845475 | Grammar error in error message when using the queryGetRow function | General Server
3 | 3345396 | Updates already applied from console should be restricted from ColdFusion Administrator
3 | 3743165 | ColdFusion update checks repeatedly for the status if ColdFusion is configured with an external webserver.
3 | 3743254 | After submitting Update URL site, 'Download' and 'Download and Install' buttons do not work.
3 | 3743255 | In WebLogic, dialog box that pops up after downloading the hotfix does not show any buttons.
3 | 3760334 | Mouse hover to Install button shows text "Download and install" | Hot Fix Installer
3 | 3772199 | Remove "max_reuse_connections=250" line from file from non-IIS configurations.
3 | 3781603 | ColdFusion does not start automatically on Ubuntu even if the option to start on system init is selected
3 | 3816729 | ColdFusion administrator does not load images due to a conflict in web.config
3 | 3734319 | CFIMAP action GETALL breaks when there is an email attachment with square brackets
3 | 3041747 | Errors raised in onApplicationEnd and onSessionEnd do not show up in the Application log files
3 | 3043855 | PATCH should be supported for the CFHTTP tag
3 | 3489021 | Add includeEmptyFields parameter to ReplaceList (as per ListToArray and others)
3 | 3748332 | CFClient does not support arrayEach() / arrayFilter() / arraySort() / arrayMap() / arrayReduce()
3 | 3750734 | List iteration & member functions all need to expect both a "delimiters" and an "includeEmptyValues" argument.
3 | 3752316 | Support ListChangeDelims() member function
3 | 3754589 | strictNumberValidation setting not reflected in client side CFFORM validation
3 | 3754672 | Prefix-based custom tags work only if cfimport is used outside of cfscript.
3 | 3760802 | CFLocation tag when used in default constructor of Application.cfc throws error
3 | 3777301 | FileUploadAll function does not work with HTML5 multiple attribute
3 | 3777403 | CFLOOP with simple time values no longer works
3 | 3780136 | cfimport in cfscript does not work as documented
3 | 3783011 | Query of Queries giving the wrong result
3 | 3818770 | Elvis operator executes RHS (right hand side) when it doesn't need to.
3 | 3820906 | Add ListRemoveDuplicates for list objects
3 | 3845642 | Passing a CFC object with string property value as "yes" or "no" to serializeJSON function converts the values to true or false
3 | 3845963 | listEach: arguments scope in UDF function (passed to listEach) should contain the information of delimiter and includeEmptyFields
3 | 3851922 | Elvis operator does not maintain case sensitivity
3 | 3842370 | Error including file when it is referenced using a ColdFusion mapping pointing to an IIS virtual directory
3 | 3820493 | CFLOOP on large query record set with more than 65534 records only processes first 65534 records in query
3 | 3335509 | Audit log file should log updater installs/uninstalls
3 | 3617930 | Included CSS file using link tag is not included in packaged mobile code
3 | 3734606 | ReadAsBase64 function in cfclient errors when reading in a URL that starts with content://
3 | 3737516 | REFind gives error when regex containing certain group combination is passed as a pattern
3 | 3738100 | Incorrect result when using duplicate function to operate on a nested structure
3 | 3739334 | structCount shows unexpected output when keys are "b.d" and "b.c"
3 | 3739782 | StructSort doesn't work as expected when sorting is done on nested struct keys
3 | 3742204 | cfinclude within should support .html file inclusion
3 | 3754684 | Add failure callback handler for invokeCFClientFunction function
3 | 3786749 | Upgrade Apache Cordova library to v3.5.0
3 | 3804384 | QueryExecute params not working in mobile
3 | 3828377 | QueryExecute named params if given as camel casing throw an exception.
3 | 3833529 | Using index variable inside anonymous function called as a parameter to ArrayEach (member functions) gives undefined index
3 | 3744211 | CFHTTP fails to redirect with POST, PUT, DELETE, or OPTIONS methods
3 | 3763348 | CFHTTP not working with some webservers like and it throws a 404 error.
3 | 3796626 | CFFTP LISTDIR command fails against FTP servers that do not allow the SYST command
3 | 3835743 | ORM: Exception while de-serializing persistent object
3 | 3760466 | PDF output truncated by ColdFusion/IIS when passing URL parameters
3 | 3514766 | Problem adding Scheduled Task on system with different format and display settings that runs on Java 7 | Scheduler
3 | 3787631 | Axis2 web services can cache unexpectedly.
3 | 3790251 | Unable to connect to web socket over SSL
4 | 3337394 | SerializeJSON() converts name "No" to false in JSON output.
4 | 3759721 | Image functions result in an error on OS X (Mavericks).
4 | 3865461 | Websockets do not work when configured with SSL.
4 | 3865484 | Issue using legend property when specified in a json file.
4 | 3910529 | Issue with Elvis operator after applying Update 3.
4 | 3919479 | Provide an option to disable dbvarname attribute in cfstoredproc tag.
4 | 3942257 | Server Monitor on Jetty and content generated by cfhtmltopdf not accessible on Solaris.
5 | 3845476 | Error when setting the "Allow Administrative Access" option for a user in the security section of the ColdFusion Administrator.
5 | 3845479 | Error when calling the isAdminUser() admin API method of security.cfc.
5 | 3851449 | Error when deploying a ColdFusion application as J2EE Archive on JBOSS Application server (7.1.1)
5 | 3855034 | Unable to set the file overwrite option to false when editing a System Probe.
5 | 3866344 | "UPDATES is undefined in SESSION" error when checking for updates in the Server Update section in the ColdFusion Administrator.
5 | 3037144 | Empty input in CFINPUT causes the CFLAYOUTAREA to duplicate itself.
5 | 3737524 | Tool-tip does not appear on the first click when using the CFSLIDER tag.
5 | 3798028 | CFGRID with bound field doesn't reset to page 1 when bind field is updated
5 | 3852070 | ColdFusion incorrectly serializes dates using serializeJSON method in different system locales.
5 | 3352745 | Properties with default values are not accessible outside the init function.
5 | 3520983 | validateParams method throws regex parse error when regex contains comma
5 | 3699565 | Unable to set the task Status to "Completed" with CFEXCHANGETASK action="modify".
5 | 3705370 | CFEXCHANGECONTACT does not return more than the default number of contacts when the MaxRows attribute in CFEXCHANGEFILTER is set to a higher value.
5 | 3756964 | Exchange 2010: The organizer is not correctly set in cfexchangecalendar Event struct.
5 | 3761853 | When the percentcompleted is set to 100 or DateCompleted is set to a past date with CFEXCHANGETASK action="modify", the task status does not change to Completed.
5 | 3761602 | onChange event for CFINPUT does not fire.
5 | 3863477 | CFFORM posts incorrectly to an SES URL.
5 | 3797316 | CFChartSeries attribute "Colorlist" does not work.
5 | 3848704 | Setting showlegend attribute to false shows legend box
5 | 3859367 | $VALUE$, $ITEMLABEL$ and $SERIESLABEL$ values for URL attribute in CFCHART do not work with FLASH/HTML format.
5 | 3859368 | CFCHART in Flash or HTML format does not render when ENABLECFOUTPUTONLY attribute is set to true.
5 | 3859531 | CFChart style attribute errors when JSON string is passed.
5 | 3860808 | Flash/HTML format CFCHART generates unexpected URLs if the value of the URL attribute is set to "" or " ".
5 | 3554224 | DirectoryList method does not work as expected when using an S3 path with a trailing slash. | ColdFusion Services
5 | 3634391 | getApplicationMetaData method throws a NullPointerException occasionally.
5 | 3801082 | IsValid method incorrectly returns true if the email address ends with a comma.
5 | 3849152 | J2EE sessions in ColdFusion are not maintained in certain cases when using urlSessionFormat method.
5 | 3916188 | structDelete method results in a null pointer exception when deleting CFID/CFTOKEN from cookie scope.
5 | 3512854 | Error connecting to Oracle database when using Oracle Advanced Security
5 | 3818587 | ArrayFind method is not able to search for elements correctly when the array contains Integer or BigInt.
5 | 3849591 | Error when creating an application specific data source when the name of the datasource is in lowercase.
5 | 3851961 | abort throws an exception within iteration member function UDFs.
5 | 3158250 | SpreadSheet formatting methods do not reset formatting attributes in certain cases.
5 | 3821299 | Proxy attributes in CFDOCUMENT tag are ignored.
5 | 3842778 | Numeric boolean values for formatting attributes in spreadsheet functions are not interpreted correctly.
5 | 3846110 | CFHTMLTOPDFITEM errors when used in cfloop.
5 | 3923995 | spreadsheetAddRows method does not write the array elements in the correct order, when the row and column attributes are not specified.
5 | 3039708 | When VFS is disabled the memory associated with RAM file system is not released.
5 | 3043111 | Content-Type is not set appropriately when writing to Amazon S3.
5 | 3043657 | Cannot merge multiple PDFs from ram:// to ram://
5 | 3114274 | File uploaded by CFFILE action "upload" inherits ColdFusion temp directory permission, instead of upload destination directory permission.
5 | 3148657 | fileUpload method does not ignore empty string for filefield.
5 | 3226380 | Amazon S3 metadata is cached by ColdFusion, because of which any external change to S3 metadata is not reflected.
5 | 3695879 | The accept attribute of CFFILE doesn't work with Microsoft Word DOCX files
5 | 3739708 | Uploading a large file to a network directory using CFFILE is slow.
5 | 3829498 | FileOpen/fileWrite methods fail when filename contains a % character
5 | 3848011 | Subdirectories are not included in the zip when storepath attribute for CFZIP tag is set to false.
5 | 3945665 | DirectoryList method for an S3 path throws NullPointerException when listInfo argument is set to "query".
5 | 3965508 | StoreGetMetadata method does not return owner details of the bucket.
5 | 3818732 | setDomainCookies="true" does not set domain cookies in websites like
5 | 3320414 | Un-installer does not provide the uninstall option for the non default ColdFusion instances.
5 | 3358792 | WSConfig does not back up all the config files it changes.
5 | 3742083 | CGI.PATH_INFO is not null when default documents are served on IIS.
5 | 3758070 | CGI.HTTP_URL is missing when using IIS.
5 | 3816563 | Requests return Error 400 after a post request has completed successfully.
5 | 3853490 | Error when using the cfcompile.bat
5 | 3923565 | ColdFusion service does not start when J2EE session variables are enabled.
5 | 3938296 | Error when stopping ODBC service with Update 3 and later.
5 | 3776450 | Jar files are not loaded correctly when reloadOnChange is set to true in JavaSettings.
5 | 3842365 | Error message when instantiating a Java object is misleading
5 | 3863517 | On a ColdFusion server created by generating an EAR through J2EE archive, accessing the settings summary and scheduled tasks page in the administrator results in a NullPointerException. | JEE Deployment
5 | 3041684 | The "includeEmptyValues" argument of listRest method is ignored.
5 | 3700163 | The function gethttpRequestData() fails when the form is posted with encType="multipart/form-data".
5 | 3750733 | listFilter method does not correctly handle multi-char delimiters.
5 | 3765527 | Variable defined in for loop is not available when used in a struct literal in arrayAppend method.
5 | 3791747 | each method does not support ordered arguments.
5 | 3792283 | Calling randomize() with the SHA1PRNG does not create "repeatable number patterns".
5 | 3810965 | arrayFilter method callback does not pass index or array.
5 | 3815793 | structcopy method does not return a copy of form or url.
5 | 3818767 | Serialization of query does not respect case
5 | 3836702 | queryExecute leaks to the variables scope.
5 | 3836820 | queryExecute does not work when used in a thread.
5 | 3840570 | Null coalescing operator sometimes incorrectly returns the second operand.
5 | 3842326 | The output of encrypt method changes with every call if a variable is passed as the key.
5 | 3845979 | structClear method does not clear the form scope.
5 | 3851982 | Callback for structFilter and struct.filter method does not pass the struct.
5 | 3852305 | Typographical error in a member function error message.
5 | 3854303 | isValid method handles null values for eurodate and USdate inconsistently.
5 | 3854304 | isValid method handles null values for integer incorrectly.
5 | 3861371 | Start time and end time in cfloop prints 12.00 AM always.
5 | 3909694 | gethttpRequestData method fails when form is posted with encType="application/octet-stream"
5 | 3926197 | "includeEmptyValues" of listRest method does not return an empty string when passed with a list containing a single element.
5 | 3846187 | writeLog/cflog does not log application name when called within onApplicationEnd().
5 | 3861391 | Add support for arraysort member function.
5 | 3401939 | REFind multiple line mode not supported.
5 | 3731533 | date.diff method returns month difference as 1 when difference is less than a month.
5 | 3737514 | ljustify, rjustify methods give an error when a number is passed as the first argument
5 | 3737517 | Using ReFind for regex having groups gives unexpected output
5 | 3738564 | When structFindValue method is used on an array of structs, the path value of this struct returns incorrect array index.
5 | 3738742 | structget method does not handle arrays correctly.
5 | 3740223 | reReplace method does not work as expected in certain cases.
5 | 3859184 | Multiple CFM references do not get converted to .html references while packaging.
5 | 3859257 | File references with CFM extension in device file APIs do not work in packaged application.
5 | 3043375 | When doing a cfhttp POST with a ~ (tilde) in the URL, the ~ always gets URLENCODED
5 | 3369472 | When "keep mail connection" check box is checked in administrator, the spool manager does not consider the username/password specified in CFMAIL tag.
5 | 3673298 | Cfftp action putfile failing after processing for secure FTP server
5 | 3847737 | cfimap action=getall removes brackets and any characters between them from the attachment names.
5 | 3041790 | In ORMExecuteQuery() method when you pass the queryOption argument, the unique argument is ignored
5 | 3044064 | IsValid("url", ...) and IsValid("email", ...) do not correctly validate values that use IPv6-based addresses
5 | 3858866 | Rendering report using cfreport throws MalformedReportException on Mac platform
5 | 3858955 | A CFC with a function name of length less than 3 can't be exposed as REST service.
5 | 3151872 | When the scheduled task has a handler and an exception is thrown by the task, exception.log is not updated | Scheduler
5 | 3854891 | SerializeJSON on a Java object causes service restart | Serialization
5 | 3702938 | ColdFusion instances not showing up in Windows Performance Monitor
5 | 3720764 | Error message with cfindex not detailed enough.
5 | 3824890 | CFSEARCH tag ignores contextBytes parameter
5 | 3534348 | Typographical errors in $cfroot/cfusion/bin/
5 | 3853535 | cfcontent sends corrupt binary data when query string is present with CF11's isapi_redirect.dll
5 | 3910257 | Instances in a cluster do not start after updating to CF 11 update 3 if J2EE session is enabled and the session replication is disabled.
5 | 3695114 | WSDL Generation for CFC with wsversion=1 is very slow with Java 7
5 | 3832635 | CFC can't be exposed as WebService over SSL with Axis 2. The endpoint URL is not set correctly in the generated WSDL.
5 | 3836992 | When a CFC is registered as a WebService, the URL used to register the service is case-sensitive.
6 | APSB15-21 | Security fix

That is 239 different "moving parts" that one needs to install along with this recent security "hotfix", and between them they touch almost every part of the ColdFusion platform.

Applying this fix is not a small undertaking as far as regression testing burden goes, and I think it's bloody irresponsible for Adobe to a) release security hotfixes like this; b) downplay the severity of the undertaking by publicising it as a "lightweight software patch". This level of change is tantamount to a new ColdFusion release.

Also bear in mind that this is for ColdFusion 11, which has only had six updates so far. ColdFusion 10 is now up to 17 updates, so you can imagine the scale of risk involved in applying this "quick fix" to a ColdFusion 10 install.

There's an argument to be made that people ought to have kept up to date with the current patching levels, in which case this fix is indeed only one change. However, that is not reflective of the way the industry tends to work: there are still ColdFusion 5 servers out there in production! And if someone has previously not bothered patching their CF10 server, but knows they could be affected by this Flash Remoting security hole, they have no choice but to install all these fixes.

This is a professionally irresponsible way for Adobe to go about releasing emergency security fixes for their software. They need to revise their approach here.