Tuesday, May 14, 2013

Critical update for ColdFusion 10 and earlier released: May 2013


A security update for ColdFusion is now available for versions 10, 9, 9.0.1 and 9.0.2. This hot-fix addresses the issues reported in Advisory 13-03.
If you are on ColdFusion 10, you will see a new Update 10 within the ColdFusion Administrator for you to download and install. Adobe recommends that users update their product installation with this update. Here's a link to the related security bulletin.
As an additional precaution, we recommend commenting out the RDS servlet in web.xml.
It is highly recommended that all public-facing servers are locked down properly to protect against unknown attacks. Recently we have seen an increased number of attacks on the Administrator and RDS functionality of ColdFusion. These are internal components and are meant to be kept blocked from any external access. Many attacks will be prevented, and will fail, if the servers are properly locked down. Complete instructions for protecting the server can be found in the lockdown guides:
ColdFusion 10 Lockdown Guide
ColdFusion 9 Lockdown Guide
ColdFusion has added a lot of new functionality for securing applications and has improved security in general, but due caution is still warranted to secure the server installation and internal applications against attack.


3 comments:

  1. @Shilpi: When can we expect to see an update to the version of Tomcat CF10 is running on (reported as 7.0.23.0 in the administrator)?

    Tomcat is now on 7.0.40 and the versions released in the 18 months between .23 and .40 have addressed a significant number of bugs, performance issues, and security issues (most recently CVE-2013-2071 was addressed in 7.0.40).

    (And you might want to fix the spelling of ColdFusion in the title for this post?)

  2. Bump. It's now been 27 months since Tomcat 7.0.23.0 was released. Some PCI scanning vendors are starting to fail ColdFusion installations meaning you cannot use ColdFusion for ecommerce sites accepting payments. Adobe, please update (both the software and the information about when an update will be made).


You can subscribe to the comments by clicking on "Subscribe by email".