Entries Tagged as “Security”
Security | Adobe ColdFusion 10
A ColdFusion Enterprise installation includes the FIPS-compliant RSA BSAFE Crypto-J JCE provider. That library's own default algorithm for random number generation is ECDRBG (a variant of Dual EC DRBG). RSA has released an advisory on this (ESA-2013-068) listing the random bit generation algorithms it considers unsafe.
ColdFusion overrides that library default and sets the random number generator to FIPS186Random (JVM argument -Dcoldfusion.jsafe.defaultalgo=<algorithm>), which is not a Dual EC variant and is not on the advisory's list. So the good news is that a default ColdFusion 10 installation is not affected; the only way to become exposed is to change this argument to one of the ECDRBG values. Note that the Crypto-J libraries are not shipped with the Standard installation of ColdFusion.
The ColdFusion 9 family uses BSAFE library 3.6, which does not use any ECDRBG-based algorithm; its default random number generation algorithm is SHA1PRNG. There is no impact on ColdFusion 9. The JVM argument -Dcoldfusion.jsafe.defaultalgo is not available in the ColdFusion 9 family.
The following table lists the random bit generation algorithms the advisory identifies as unsafe (algorithm name as passed to the JVM argument, followed by its description):

Algorithm name   Description
ECDRBG           Dual EC DRBG (128 bit)
ECDRBG128        Dual EC DRBG (128 bit, default)
ECDRBG192        Dual EC DRBG (192 bit)
ECDRBG256        Dual EC DRBG (256 bit)
Pete from the CF community has also blogged about this here.
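Since the whole question comes down to which value is passed in -Dcoldfusion.jsafe.defaultalgo, the quickest audit is to read it back out of the server's jvm.config and compare it against the four ECDRBG names above. The script below is an added example written for this page, not Adobe's code or part of ColdFusion. It assumes the option lives on the java.args= line of jvm.config (the file path and the sample configurations are constructed for the demonstration):

```shell
#!/bin/sh
# Added example (not Adobe's code): audit which RSA BSAFE RNG algorithm a
# ColdFusion 10 Enterprise JVM is configured to use by reading the
# -Dcoldfusion.jsafe.defaultalgo value from a jvm.config file.
# Assumption: the option appears on the java.args= line of jvm.config.

# Print the value of -Dcoldfusion.jsafe.defaultalgo, or UNSET if absent.
jsafe_algo_from_config() {
    val=$(grep '^java\.args=' "$1" 2>/dev/null \
        | sed -n 's/.*-Dcoldfusion\.jsafe\.defaultalgo=\([^ ]*\).*/\1/p' \
        | head -n 1)
    if [ -z "$val" ]; then echo UNSET; else echo "$val"; fi
}

# Classify an algorithm name against the Dual EC DRBG names in ESA-2013-068.
# Prints UNSAFE for the four ECDRBG variants, NOT_CONFIGURED when the
# argument is missing, and OK for anything else (e.g. FIPS186Random,
# which is what ColdFusion 10 sets by default).
verdict_for_algo() {
    case "$1" in
        UNSET)                                echo NOT_CONFIGURED ;;
        ECDRBG|ECDRBG128|ECDRBG192|ECDRBG256) echo UNSAFE ;;
        *)                                    echo OK ;;
    esac
}

# One-line audit report for a jvm.config path: "algo=<name> verdict=<v>".
audit_jvm_config() {
    algo=$(jsafe_algo_from_config "$1")
    echo "algo=$algo verdict=$(verdict_for_algo "$algo")"
}

# Write a constructed jvm.config (not copied from a real install) with the
# given extra JVM option appended to java.args; pass "" for none.
write_sample_config() {
    printf 'java.home=/opt/coldfusion10/jre\njava.args=-server -Xmx1024m %s\n' \
        "$2" > "$1"
}

# Demonstration on three constructed configurations.
demo_dir=$(mktemp -d)
write_sample_config "$demo_dir/default.config" \
    "-Dcoldfusion.jsafe.defaultalgo=FIPS186Random"
write_sample_config "$demo_dir/overridden.config" \
    "-Dcoldfusion.jsafe.defaultalgo=ECDRBG256"
write_sample_config "$demo_dir/missing.config" ""
for f in default overridden missing; do
    echo "$f: $(audit_jvm_config "$demo_dir/$f.config")"
done
rm -rf "$demo_dir"
```

A NOT_CONFIGURED result only means the argument is not in that file; the option could also be supplied by whatever starts the JVM, so confirm a clean result against the running process command line (for example with `ps -ef`) rather than trusting jvm.config alone. On the ColdFusion 9 family the argument does not exist, so this check does not apply there.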
Security | Adobe ColdFusion | Adobe ColdFusion 10 | Announcements | Hotfix | Updates | web application security
A new security update is available for ColdFusion versions 9.0, 9.0.1, 9.0.2 and 10.0. This hotfix addresses the security issues specified in the technote here. Here is the link to the security bulletin for this hotfix. It also includes a few important bug fixes for ColdFusion 10, as specified here.
We recommend locking down your server by following the lockdown guide and disabling unused features in production environments.
Security | Adobe ColdFusion | e-seminar | web application security
A security update for ColdFusion is now available for versions 10, 9, 9.0.1 and 9.0.2. This hotfix addresses the two vulnerabilities described in security bulletin APSB13-19.
If you are on ColdFusion 10, you will see a new Update 11 within the ColdFusion Administrator for you to download and install. ColdFusion 10 Update 11 includes an important security fix. It also includes several important bug fixes, in addition to support for 64-bit COM interoperability, MySQL 5.6 and SQL Server 2012.
Adobe recommends that users apply this update to their product installation. Here is a link to the related security technote.
Security | Adobe ColdFusion 10 | web application development
There have been a couple of posts describing a vulnerability in the WebSocket functionality in ColdFusion 10. The Adobe Product Security Incident Response Team (PSIRT) is aware of this issue and is actively engaged with the ColdFusion product team to release a fix. Adobe PSIRT is not aware of this issue being exploited in the wild.
A new update will be released soon that directly prevents non-remote methods on a CFC from being invoked through WebSockets.