Thursday 27 August 2015

ColdFusion: another security hole has been patched (CF10 and CF11)

G'day:
Just so yer aware, another update for ColdFusion was released this afternoon (UK time). Apparently there's a security hole in ColdFusion's BlazeDS integration which has been fixed. I don't actually know what CF uses BlazeDS for, I have to admit. I don't even know what BlazeDS even is, now that I come to think of it. [quickly googles...]

BlazeDS is a server-based Java remoting and web messaging technology that allows you to connect to back-end distributed data and push data to Adobe Flex and Adobe Integrated Runtime (AIR) Rich Internet applications (RIA).

So no wonder I didn't know what it was.

Anyway, Anit said on the Slack channel that it will on affect you if yer using BlazeDS, so that's probably not most people.

Update:

Seems I've misinterpreted what Anit said, or something, as Rupesh - who is now on the CFML Slack Channel too - has just clarified with this:

Regarding the blazeds 0-day vulnerability that we patched a day back, It seems like there is an impression that the server is not impacted if you are not using blazeds. Your server is not impacted *only* if you have disabled flash remoting. By default it is enabled and hence your server is impacted.

Please make sure to apply this update

The Adobe blog article about it is here: "ColdFusion 11 Update 6 and ColdFusion 10 Update 17 now available". Make sure to subscribe to the comments on that thread to keep yourself up to date with anything "untoward" in the update process. I've not installed it myself yet. Obviously make sure to test the update in your test lab first. Don't just stick it straight on your live boxes. Also bear in mind that CF updates are cumulative, so as well as this particular fix, it'll include all the other bugfixes too, so there's a lot of moving parts that could cause you grief. Regression test thoroughly.

I guess if you're using CF9 or older you're SooL, I'm afraid.

Update re ColdFusion 9:

Piyush has indicated Adobe do have instructions as to how to patch ColdFusion 9 servers, but instead of just posting them like a responsible vendor would do, one has to email him to get them. Groan. However Dave Epler has documented his steps to patch CF9 on his blog: "Manually Patching ColdFusion 9 with APSB15-21 (CVE-2015-3269)". Dave knows what he's doing, so you'll be safe in his hands. Safer than in Adobe's, it would seem.

That's it.

--
Adam