Wednesday, November 13, 2013

Security update for ColdFusion 9, 10 and Update 12: November 2013

A security update for ColdFusion 9 and ColdFusion 10 was released on 12th November 2013. It fixes the security issues specified in this bulletin and tech-note.
If you are on ColdFusion 10, you will see a new Update 12 within the ColdFusion Administrator. This update includes the fix for the above-mentioned vulnerability as well as a few important bug fixes for ColdFusion 10, as specified in the technote here.

Thursday, July 25, 2013

Slides & Recording of e-seminar on Security Best Practices for ColdFusion

The recording of the e-seminar titled "Security Best Practices for ColdFusion" is available now. See the complete session here.

You can also get the slides here.

Wednesday, July 10, 2013

Security update for ColdFusion 9, 10 and Update 11: July 2013

A security update for ColdFusion 9 and ColdFusion 10 was released on 9th July. It fixes an important Denial of Service issue for the ColdFusion 9 family running on JRun. There is also an update for ColdFusion 10 which fixes a critical vulnerability that could permit an attacker to invoke public methods on ColdFusion CFCs using WebSockets. Complete details can be found in this bulletin and tech-note.
If you are on ColdFusion 10, you will see a new Update 11 within the ColdFusion Administrator. This update includes the fix for the above-mentioned vulnerability as well as 50+ bug fixes. Complete details of the issues fixed can be found in this tech-note.

Friday, July 5, 2013

Inspiration: Cockroach Wisdom

Recently I came across this story, which gave a different perspective. I would like to share it here. I call it the "Cockroach Wisdom".

At a restaurant, a cockroach suddenly flew from somewhere and sat on a lady. She started screaming out of fear, with a panic-stricken face and a trembling voice. She started jumping, with both her hands desperately trying to get rid of the cockroach.

Her reaction was contagious, as everyone in her group also got panicky.
The lady finally managed to push the cockroach away but... it landed on another person in the group.

Now it was this other person's turn to continue the drama. The waiter rushed forward to their rescue.

In the relay of throwing the cockroach, it next fell upon the waiter. The waiter stood firm, composed himself and observed the behavior of the cockroach on his shirt. When he was confident enough, he grabbed it with his fingers and threw it out of the restaurant.

Sipping my coffee and watching the amusement, a few thoughts came to my mind and I started wondering: was the cockroach responsible for their histrionic behavior? If so, why was the waiter not disturbed? He handled it near to perfection, without any chaos.

It is not the cockroach that created the problem; it was the inability of those people to handle the disturbance caused by the cockroach that disturbed them.
I realized that it is not the shouting of my teachers or parents at a young age, or of my spouse, that disturbs me, but my inability to handle the disturbances caused by their shouting that disturbs me.

It's not the traffic jams on the road that disturb me, but my inability to handle the disturbance caused by the traffic jam that disturbs me.

More than the problem, it's my reaction to the problem that creates chaos in my life.

This is what I learnt from the story:
I understood that I should not react in life, I should respond.

As in this story, the other people reacted whereas the waiter responded. Reactions are always instinctive, whereas responses are always well thought out, just and right, to save a situation from going out of hand. One should avoid taking decisions in anger, anxiety, stress or hurry.

Tuesday, May 14, 2013

Critical update for ColdFusion 10 and earlier released: May 2013


A security update for ColdFusion is now available for versions 10, 9, 9.0.1 and 9.0.2. This hot-fix addresses the issues reported in Advisory 13-03.
If you are on ColdFusion 10, you will see a new Update 10 within the ColdFusion Administrator for you to download and install. Adobe recommends that users update their product installation with this update. Here's a link to the related security bulletin.
As an additional precaution, we recommend commenting out the RDS servlet in web.xml.
It is highly recommended that all public-facing servers are locked down properly to prevent unknown attacks. Recently we have seen an increased number of attacks on the Administrator or RDS functionality of ColdFusion. These are internal components and are meant to be kept blocked from any external access. Many attacks will be prevented and will fail if the servers are properly locked down. Complete instructions for protecting the server can be found here: ColdFusion 10 Lockdown Guide, ColdFusion 9 Lockdown Guide.
ColdFusion has added a lot of new functionality for securing applications and has improved security in general, but due caution is still warranted to secure the server installation and internal applications against attacks.
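To make the web.xml advice checkable, here is an added audit script (my own example, not code from the post or from Adobe) that parses a ColdFusion web.xml and reports whether the RDS servlet is still declared and mapped, which is exactly what commenting it out removes. The servlet name RDSServlet, its bootstrap class and the /CFIDE/main/ide.cfm mapping follow the stock ColdFusion 9/10 descriptors of the time, but treat them as assumptions and verify against your own file; the two descriptors embedded below are constructed, trimmed samples, one with RDS active and one with it commented out.

```python
"""Audit a ColdFusion web.xml for an active RDS servlet.

Added example; not part of the original post or of any Adobe tooling.
Assumptions: the servlet is registered as "RDSServlet" and mapped to
/CFIDE/main/ide.cfm, as in stock ColdFusion 9/10 descriptors. Verify
those names against your own web.xml before relying on this check.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed web.xml with the RDS servlet still active
# (the real file carries more servlets and init-params; omitted here).
WEB_XML_RDS_ACTIVE = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>CfmServlet</servlet-name>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>RDSServlet</servlet-name>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>RDSServlet</servlet-name>
    <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample: the same descriptor after the recommended edit. Both
# the <servlet> and its <servlet-mapping> are wrapped in XML comments, so
# the servlet container never registers the RDS endpoint.
WEB_XML_RDS_COMMENTED = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>CfmServlet</servlet-name>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
  </servlet>
  <!--
  <servlet>
    <servlet-name>RDSServlet</servlet-name>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
  </servlet>
  -->
  <servlet-mapping>
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
  </servlet-mapping>
  <!--
  <servlet-mapping>
    <servlet-name>RDSServlet</servlet-name>
    <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
  </servlet-mapping>
  -->
</web-app>
"""


def _local(tag):
    """Strip a namespace, e.g. '{http://java.sun.com/xml/ns/javaee}servlet'
    -> 'servlet', so CF9-style (no namespace) and CF10-style files both work."""
    return tag.rsplit("}", 1)[-1]


def active_servlets(web_xml):
    """Return {servlet-name: [url-patterns]} for servlets the container will
    actually register. Commented-out elements never reach the parsed tree,
    which is exactly the distinction the audit needs."""
    data = web_xml.encode("utf-8") if isinstance(web_xml, str) else web_xml
    root = ET.fromstring(data)
    servlets = {}
    for el in root:
        if _local(el.tag) != "servlet":
            continue
        name = next(c.text.strip() for c in el if _local(c.tag) == "servlet-name")
        servlets.setdefault(name, [])
    for el in root:
        if _local(el.tag) != "servlet-mapping":
            continue
        name = pattern = None
        for c in el:
            if _local(c.tag) == "servlet-name":
                name = c.text.strip()
            elif _local(c.tag) == "url-pattern":
                pattern = c.text.strip()
        if name in servlets and pattern:
            servlets[name].append(pattern)
    return servlets


def rds_exposed(web_xml, servlet_name="RDSServlet"):
    """True when the RDS servlet is both declared and mapped to a URL."""
    return bool(active_servlets(web_xml).get(servlet_name))


if __name__ == "__main__":
    # Usage: python audit_rds.py /path/to/web.xml  (no argument runs the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print("RDS exposed:", rds_exposed(fh.read()))
    else:
        print("sample (active):   ", rds_exposed(WEB_XML_RDS_ACTIVE))     # True
        print("sample (commented):", rds_exposed(WEB_XML_RDS_COMMENTED))  # False
```

Run it against the web.xml of each ColdFusion instance after applying the edit; a `True` means a restart would still bring RDS up on /CFIDE/main/ide.cfm. The script deliberately ignores comments rather than searching for the text "RDSServlet", because the whole point of the edit is that commented-out XML is invisible to the container.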


Wednesday, April 10, 2013

Security HotFix for ColdFusion 9 and above - April 2013


An important security update for ColdFusion is now available for versions 10, 9, 9.0.1 and 9.0.2.
If you are on ColdFusion 10, you will see a new Update 9 within the ColdFusion Administrator for you to download and install.
Adobe recommends that users update their product installation with this update. Here's a link to the related security bulletin.
Note: It is recommended that request-related functionality is not used within CFThread.

Tuesday, January 15, 2013

Critical Security update available for ColdFusion 9 and above

A critical update was released today for ColdFusion 9 and above. Adobe recommends updating the ColdFusion servers. Here is the link to the security bulletin.

This update fixes the vulnerabilities reported in the public advisory released on 4th January 2013. You can find the advisory here.

The CVEs addressed are CVE-2013-0625, CVE-2013-0629, CVE-2013-0631 and CVE-2013-0632. The hotfix resolves authentication bypass vulnerabilities and an information disclosure vulnerability.

For ColdFusion 10, use the updater to get this update. This is Update 7 and it contains the previous updates for ColdFusion 10. The details can be found in the tech-note here.

Personally, I highly recommend securing every public-facing server (including unsupported versions). Access to internal components like Administrator, CFCExplorer, AdminAPI etc. should be blocked from any unwanted access or should be under IP address restriction. Adding links for reference to the Lockdown Guides here: ColdFusion 9 Lockdown Guide & ColdFusion 10 Lockdown Guide.
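The lockdown rule above (internal components blocked from the outside, or reachable only from an admin address range) is easy to state and easy to get subtly wrong at the web server, so here is an added example, my own and not from the post or from Adobe's lockdown guides, that encodes the rule as a small policy function you can unit-test against the same paths and client addresses your web-server or reverse-proxy rules will see. It goes a little beyond the post by normalising the request path first, because a block rule that matches the raw string misses encoded or dot-segment variants of the same path. The list of internal paths, the admin subnet and the sample requests are assumptions constructed for this example; check the paths against your own install.

```python
"""Model the lockdown rule for ColdFusion's internal components.

Added example; not from the original post or Adobe's lockdown guides.
Encodes "internal components are blocked from the outside, or reachable
only from an admin address range" as a policy function that can be unit
tested against the rules you put in your web server or reverse proxy.
The path list and the admin subnet are assumptions for this example.
"""
import ipaddress
from urllib.parse import unquote

# Internal components named in the post; /CFIDE/componentutils is where the
# CFC Explorer lives and /CFIDE/main/ide.cfm is the RDS endpoint (assumed
# standard CF9/10 layout; check against your own install).
INTERNAL_PREFIXES = (
    "/cfide/administrator",
    "/cfide/adminapi",
    "/cfide/componentutils",
    "/cfide/main/ide.cfm",
)

# Constructed: the only network allowed to reach internal components.
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]


def normalize_path(raw_path):
    """Canonicalise a request path before matching it against the block list:
    drop the query string, percent-decode (twice, to catch double encoding),
    treat backslashes as separators as IIS does, and resolve '.', '..' and
    empty segments so '/CFIDE/../CFIDE/administrator' is not seen as public."""
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path)).replace("\\", "/")
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def is_internal(raw_path):
    """True if the request targets one of the internal component paths."""
    path = normalize_path(raw_path).lower()
    return any(path == p or path.startswith(p + "/") for p in INTERNAL_PREFIXES)


def decide(raw_path, client_ip):
    """Return 'allow' or 'deny' for a single request: public paths always
    pass here, internal ones only from ADMIN_NETWORKS."""
    if not is_internal(raw_path):
        return "allow"
    addr = ipaddress.ip_address(client_ip)
    return "allow" if any(addr in net for net in ADMIN_NETWORKS) else "deny"


# Constructed access-log style samples (documentation IP ranges).
SAMPLE_REQUESTS = [
    ("/index.cfm", "203.0.113.7"),
    ("/CFIDE/administrator/index.cfm", "203.0.113.7"),
    ("/CFIDE/administrator/index.cfm", "10.0.5.12"),
    ("/CFIDE/adminapi/", "198.51.100.3"),
    ("/cfide/../CFIDE/componentutils/cfcexplorer.cfc", "198.51.100.3"),
    ("/%43FIDE/main/ide.cfm", "198.51.100.3"),
]


def audit(requests=SAMPLE_REQUESTS):
    """Apply the policy to each (path, client_ip) pair."""
    return [(path, ip, decide(path, ip)) for path, ip in requests]


if __name__ == "__main__":
    for path, ip, verdict in audit():
        print(f"{verdict:5}  {ip:15}  {path}")
```

Feed it the paths from your own access logs and the source addresses you expect; any "allow" for an internal path from outside ADMIN_NETWORKS is a rule you still need at the web server. Normalising case, encoding and dot-segments before matching is what the web-server or proxy rule must also do, otherwise the block applies only to the literal spelling in the rule.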