Adobe have completed their analysis of the Heartbleed issue in regards to their products, including ColdFusion, and have offered some guidance: "Heartbleed Update".
The relevant bits are as follows:
Some Adobe products and services do not bundle OpenSSL (such as ColdFusion**, Experience Manager and Experience Manager On-Demand) but are frequently deployed by customers on-premise or with third party web servers. We advise these customers to test for the Heartbleed vulnerability (CVE-2014-0160) against their deployment and configuration. If necessary, follow the recommendations provided by the OpenSSL security advisory as appropriate.
[...]
** Update: ColdFusion does ship a version of OpenSSL that is not vulnerable to the Heartbleed vulnerability.
I can't help but think that Aaron Foote and Brad Wood had a hand in getting this report updated to reflect reality regarding ColdFusion shipping with OpenSSL libraries:
@bdw429s nice article. Cf9 ships with OpenSSL, but version 0.9.8 - search for ssleay32.dll - I think someone oops'd @coldfusion
— Aaron F (@TransientAaron) April 17, 2014
Brad's blog article: "Adobe Product Security Incident Response Team (PSIRT) On ColdFusion And HeartBleed". This came after the initial Twitter reports from Adobe ColdFusion Team members that it didn't:
@TransientAaron @bdw429s @dacCfml #ColdFusion does not use OpenSSL, that is the reason you do not see a patch.
— Adobe ColdFusion (@coldfusion) April 16, 2014
@jarede @adobe @dacCfml ColdFusion does not use OpenSSL. If you have configured ColdFusion to support SSL, we recommend you follow the...
— Elishia Dvorak (@elishdvorak) April 11, 2014
I guess it's down to the interpretation of "uses". And to be clear, as per the PSIRT article: the OpenSSL libraries ColdFusion does use are not vulnerable.
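Adobe's guidance above amounts to "check the OpenSSL version your deployment actually ships and compare it against the advisory", which is what Aaron did by hunting for ssleay32.dll. The following is an added example (not code from the post or from Adobe) that does that comparison: it parses an OpenSSL version string as reported by `openssl version` or a DLL's file properties and classifies it against the CVE-2014-0160 affected range stated in the OpenSSL advisory (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g and 1.0.2-beta2 fixed; 0.9.8 and 1.0.0 never contained the heartbeat code). The inventory of library paths is constructed for illustration.

```python
import re

# Matches "1.0.1f", "0.9.8y", "OpenSSL 1.0.2-beta1 ..." and captures
# (major, minor, fix, patch letters, beta number).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(text):
    """Return (major, minor, fix, letters, beta) or None if no version is found."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, fix, letters, beta = m.groups()
    return int(major), int(minor), int(fix), letters, (int(beta) if beta else None)


def heartbleed_status(text):
    """Classify a version string against the CVE-2014-0160 affected range.

    Returns one of: "vulnerable", "fixed", "not affected", "unknown".
    """
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unknown"
    major, minor, fix, letters, beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        # Plain 1.0.1 (no letter) up to 1.0.1f are affected; 1.0.1g fixed it.
        return "vulnerable" if letters <= "f" else "fixed"
    if (major, minor, fix) == (1, 0, 2):
        if beta is None:
            return "fixed"          # 1.0.2 final was released after the fix
        return "vulnerable" if beta < 2 else "fixed"
    # 0.9.8, 1.0.0 and anything later than 1.0.2 never carried the bug.
    return "not affected"


def audit(inventory):
    """Map each library path in a {path: version_string} inventory to its status."""
    return {path: heartbleed_status(version) for path, version in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory: the paths and versions are illustrative only.
    sample = {
        "C:/ColdFusion9/lib/ssleay32.dll": "0.9.8y",
        "/usr/lib/libssl.so.1.0.0": "OpenSSL 1.0.1e 11 Feb 2013",
        "/opt/openssl/bin/openssl": "OpenSSL 1.0.1g 7 Apr 2014",
    }
    for path, status in audit(sample).items():
        print(f"{status:13} {path}")
```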
I think Adobe took a bit longer than they should have to release this news, but all in all they got there in the end, so that's cool.
What I chiefly find disappointing in all this is Rakshith's reaction to efforts on the part of the community to try to extract some accurate information out of him:
RT:@rakshithn @dacCfml @boyzoid @raymondcamden @dfgrumpy "I attach *zero* importance to @dacCfml who's sole motive is to bash Adobe.”
— Adam Cameron (@dacCfml) April 17, 2014
And:
@boyzoid @raymondcamden @dfgrumpy That's because @dacCfml thrives only on bashing Adobe. It is for the entire #ColdFusion community to see.
— Rakshith Naresh (@rakshithn) April 17, 2014
I also feel some of the ColdFusion Community "usual suspects" let themselves down on this issue by being completely in denial that it might perhaps be a good idea for Adobe to clarify this situation, as it perhaps warrants more communication than a coupla vague (and as it turns out not very accurate) Twitter messages from Adobe. I'm pleased Adobe has followed this up.
In other news Railo too took a wee while to comment on this, but their eventual response seems well researched and thorough: "Railo Server and the Heartbleed vulnerability". In contrast to Rakshith's reaction, this was Gert's reaction, after I quizzed him about when their response would present itself:
@dacCfml @bdw429s @TransientAaron We will write a blog entry about this soon
— Gert Franz (@gert_railo) April 16, 2014
The bottom line is Railo's in the clear too. The lesson for both Adobe and Railo here is that when serious security issues like this present themselves, not everyone is expert enough to just "know" that their products aren't affected (this was also suggested by usually-reliable ColdFusion community members), and even if the answer is a simple "no, we don't use that stuff, you're fine", then that messaging is necessary. And the quicker the message gets out there, the better. It was ten days from the announcement that the vulnerability existed to either Adobe or Railo clarifying, which I can't help but think is "quite a long time"? I dunno... what do you think?
Anyway, it's all good that it's just been a bit of a storm in the CFML teacup.
--
Adam