Tuesday, January 15, 2013

Critical Security update available for ColdFusion 9 and above

A critical update is released today for ColdFusion 9 and above. Adobe recommends to update the ColdFusion servers. Here is the link for security bulletin

This update fixes vulnerabilities reported in public advisory released on 4th January 2013. You can find the advisory here

The list of CVEs getting addressed are - CVE-2013-0625, CVE-2013-0629, CVE-2013-0631 & , CVE-2013-0632. The hotfix resolves authentication bypass vulnerabilities and information disclosure vulnerability. 

For ColdFusion 10, use updater to get this update. This is update 7 and it contains previous updates for  ColdFusion 10. The details can be found at tech-note here.

Personally I highly recommend securing every public facing server (including unsupported versions). Access to internal components like Administrator, CFCExplorer, AdminAPI etc. should be blocked for any unwanted access or should be under IP address restriction. Adding link for reference to Lockdown guides here. coldFusion 9 Lockdown Guide & ColdFusion 10 Lockdown Guide.