Friday 18 April 2014

Official word from Adobe PSIRT re Heartbleed and ColdFusion

G'day:
Adobe have completed their analysis of the Heartbleed issue with regard to their products, including ColdFusion, and have offered some guidance: "Heartbleed Update".

The relevant bits are as follows:

Some Adobe products and services do not bundle OpenSSL (such as ColdFusion**, Experience Manager and Experience Manager On-Demand) but are frequently deployed by customers on-premise or with third party web servers. We advise these customers to test for the Heartbleed vulnerability (CVE-2014-0160) against their deployment and configuration. If necessary, follow the recommendations provided by the OpenSSL security advisory as appropriate.
[...]
** Update: ColdFusion does ship a version of OpenSSL that is not vulnerable to the Heartbleed vulnerability.
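A defender's first pass at the "test against your deployment" advice above, as an added example (not Adobe's, the blog's, or ColdFusion's own code): it classifies an `openssl version` string against the OpenSSL releases that carried the vulnerable heartbeat code. Assumptions: the affected range is 1.0.1 through 1.0.1f plus 1.0.2-beta1 (1.0.1g and later are fixed), and because distributions that backport the fix keep the upstream version string, an "affected" result means "confirm with the package changelog", not a verdict.

```python
"""Heuristic triage of OpenSSL version strings for CVE-2014-0160 (Heartbleed).

Added example, not code from Adobe PSIRT or the original post. A version
string alone cannot prove a build is safe or unsafe: vendors that backported
the fix (e.g. a patched 1.0.1e package) still report the upstream version.
"""
import re
import subprocess

# Upstream releases that contained the vulnerable TLS heartbeat code.
# Assumption stated in the lead-in: 1.0.1 .. 1.0.1f and 1.0.2-beta1.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def heartbleed_affected_version(version_string: str) -> bool:
    """True if the upstream release named in `version_string` shipped with
    the Heartbleed bug. False for 0.9.8, 1.0.0, 1.0.1g+ and 1.0.2-beta2+."""
    m = VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        # Plain "1.0.1" has an empty letter, which sorts before "a".
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        return beta is not None and int(beta) <= 1
    return False


def triage(version_lines):
    """Map each version line to 'investigate' (vulnerable upstream release;
    check for a vendor backport) or 'not affected'."""
    return {line: ("investigate" if heartbleed_affected_version(line)
                   else "not affected") for line in version_lines}


def local_openssl_version() -> str:
    """Version line of the openssl binary on PATH, i.e. the system library a
    front-end web server in front of ColdFusion may be linked against."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed sample inventory lines, e.g. collected from several hosts.
    sample = ["OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
              "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 0.9.8y 5 Feb 2013"]
    for line, verdict in triage(sample).items():
        print(f"{line:35s} -> {verdict}")
```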

I can't help but think that Aaron Foote and Brad Wood had a hand in getting this report updated to reflect reality regarding ColdFusion shipping with OpenSSL libraries:
Brad's blog article: "Adobe Product Security Incident Response Team (PSIRT) On ColdFusion And HeartBleed".

after the initial Twitter reports from Adobe ColdFusion Team members that it didn't:



I guess it's down to the interpretation of "uses". And to be clear, as per the PSIRT article: the OpenSSL libraries ColdFusion does use are not vulnerable.

I think Adobe took a bit longer than they should have to release this news, but all in all they got there in the end, so that's cool.

What I chiefly find disappointing in all this is Rakshith's reaction to efforts on the part of the community to try to extract some accurate information out of him:

And:

I also feel some of the ColdFusion Community "usual suspects" let themselves down on this issue by being completely in denial that it might perhaps be a good idea for Adobe to clarify this situation, as it perhaps warrants more communication than a coupla vague (and as it turns out not very accurate) Twitter messages from Adobe. I'm pleased Adobe has followed this up.



In other news Railo too took a wee while to comment on this, but their eventual response seems well researched and thorough: "Railo Server and the Heartbleed vulnerability". In contrast to Rakshith's reaction, this was Gert's reaction, after I quizzed him about when their response would present itself:

The bottom line is Railo's in the clear too.

The lesson for both Adobe and Railo here is that when serious security issues like this present themselves, not everyone is expert enough to just "know" that their products aren't affected (this was also suggested by usually-reliable ColdFusion community members), and even if the answer is a simple "no, we don't use that stuff, you're fine", then that messaging is necessary. And the quicker the message gets out there, the better. It was ten days from the announcement that the vulnerability existed to either Adobe or Railo clarifying, which I can't help but think is "quite a long time"? I dunno... what do you think?

Anyway, it's all good that it's just been a bit of a storm in the CFML teacup.

--
Adam