Tuesday, May 14, 2013

Critical update for ColdFusion 10 and earlier released: May 2013


A security update for ColdFusion is now available for versions 10, 9, 9.0.1 and 9.0.2. This hot-fix addresses the issues reported in Advisory 13-03.
If you are on ColdFusion 10, you will see a new update 10 within the ColdFusion administrator for you to download and install. Adobe recommends users update their product installation with this update. Here's a link to the related security bulletin.
As an additional precaution, we recommend commenting out the RDS servlet in web.xml.
It is highly recommended that all public-facing servers are locked down properly to protect against unknown attacks. Recently we have seen an increased number of attacks on the Administrator and RDS functionality of ColdFusion. These are internal components and are meant to be kept blocked from any external access. Many attacks will be prevented and will fail if the servers are properly locked down. Complete instructions for protecting the server can be found here: ColdFusion 10 Lockdown Guide, ColdFusion 9 Lockdown Guide.
ColdFusion has added a lot of new functionality for securing applications and has improved security in general, but due caution is still warranted to secure the server installation and internal applications against attack.
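To illustrate the web.xml precaution above, here is an added example (written for this post, not Adobe's or the blog's own code) that parses a constructed web.xml sample, lists any url-pattern still actively mapped to RDSServlet, and comments that mapping out. The servlet-name RDSServlet and the /CFIDE/main/ide.cfm pattern follow ColdFusion's web.xml; the id attributes and servlet-class value in the sample are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on ColdFusion's web.xml (ids and servlet-class are placeholders).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet id="placeholder_servlet">
    <servlet-name>RDSServlet</servlet-name>
    <servlet-class>placeholder.Servlet</servlet-class>
  </servlet>
  <servlet-mapping id="placeholder_mapping">
    <servlet-name>RDSServlet</servlet-name>
    <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
  </servlet-mapping>
</web-app>
"""

def _local(tag):
    """Strip the XML namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]

def active_rds_mappings(xml_text, servlet_name="RDSServlet"):
    """Return url-patterns still mapped to the RDS servlet."""
    # The parser discards XML comments, so a mapping that has been commented
    # out (the precaution recommended above) is not reported as active.
    patterns = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "servlet-mapping":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("servlet-name") == servlet_name and fields.get("url-pattern"):
            patterns.append(fields["url-pattern"])
    return patterns

# Matches an existing comment first so an already-commented mapping is left alone
# (nesting comments would make the file malformed).
_BLOCK_RE = re.compile(r"<!--.*?-->|<servlet-mapping\b.*?</servlet-mapping>", re.DOTALL)

def comment_out_rds(xml_text, servlet_name="RDSServlet"):
    """Wrap every active RDS servlet-mapping in an XML comment, preserving the rest."""
    name_re = re.compile(r"<servlet-name>\s*%s\s*</servlet-name>" % re.escape(servlet_name))
    def repl(m):
        block = m.group(0)
        if block.startswith("<!--") or not name_re.search(block):
            return block
        return "<!-- " + block + " -->"
    hardened = _BLOCK_RE.sub(repl, xml_text)
    ET.fromstring(hardened)  # raises if the edit left the file malformed
    return hardened
```

Run active_rds_mappings over each server's web.xml to confirm the mapping is gone after the edit, and restart ColdFusion for the change to take effect.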


Wednesday, April 10, 2013

Security HotFix for ColdFusion 9 and above - April 2013


An important security update for ColdFusion is now available for versions 10, 9, 9.0.1 and 9.0.2.
If you are on ColdFusion 10, you will see a new update 9 within the ColdFusion administrator for you to download and install.
Adobe recommends users update their product installation with this update. Here's a link to the related security bulletin.
Note: It is recommended that request-related functionality not be used with CFThread.

Tuesday, January 15, 2013

Critical Security update available for ColdFusion 9 and above

A critical update is released today for ColdFusion 9 and above. Adobe recommends updating ColdFusion servers. Here is the link to the security bulletin.

This update fixes the vulnerabilities reported in the public advisory released on 4 January 2013. You can find the advisory here.

The CVEs addressed are CVE-2013-0625, CVE-2013-0629, CVE-2013-0631 and CVE-2013-0632. The hotfix resolves authentication bypass vulnerabilities and an information disclosure vulnerability.

For ColdFusion 10, use the updater to get this update. This is update 7 and it includes the previous updates for ColdFusion 10. The details can be found in the tech-note here.

Personally I highly recommend securing every public-facing server (including unsupported versions). Access to internal components like Administrator, CFCExplorer, AdminAPI etc. should be blocked from any unwanted access or placed under IP address restriction. Links to the Lockdown guides for reference: ColdFusion 9 Lockdown Guide & ColdFusion 10 Lockdown Guide.

Tuesday, December 11, 2012

Security HotFix for ColdFusion 9 and above - December 2012

A priority 2 update addressing an important vulnerability in ColdFusion 9 and above is released today. Adobe recommends updating ColdFusion servers. Here is the link to the security bulletin.

This hot fix resolves a vulnerability which could result in a sandbox permissions violation in a shared hosting environment (CVE-2012-5676). As a result of this fix, the named application scope will no longer be available in the servlet context. This might affect applications using JSP interoperability.


If you want to revert to the old behavior, you can add the JVM flag -Dcoldfusion.allowappdatainservletcontext=true

For ColdFusion 10, use the updater to get this update. This is update 6 and it includes the previous updates for ColdFusion 10.
The details can be found in the tech-note here.