The ColdFusion Enterprise installation includes the FIPS-compliant RSA BSAFE JCE crypto provider. The default algorithm this library uses for random number generation is ECDRBG (a variant of Dual Elliptic Curve). RSA has released an advisory about this (ESA-2013-068) listing the unsafe random bit generation algorithms.
ColdFusion sets the default random number generator algorithm to FIPS186Random (JVM argument -Dcoldfusion.jsafe.defaultalgo=<algorithm>), which is completely safe to use. So the good news is that, by default, your ColdFusion 10 installation is secure. Note that the Crypto-J libraries are not available in the Standard installation of ColdFusion.
The ColdFusion 9 family uses BSafe library 3.6, which does not make use of ECDRBG-based algorithms. It uses SHA1PRNG as its default random number generation algorithm, so there is no impact on ColdFusion 9. The JVM argument -Dcoldfusion.jsafe.defaultalgo is not available in the ColdFusion 9 family.
The following table lists the unsafe random bit generation algorithms:
- Dual EC DRBG (128 Bit)
- Dual EC DRBG (128 Bit Default)
- Dual EC DRBG (192 bit)
- Dual EC DRBG (256 bit)
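As an added check (this is example code written for this post, not Adobe's or RSA's), the small Java program below reports what your JVM is actually configured to use: it prints the coldfusion.jsafe.defaultalgo property named above, the algorithm and provider behind a plain new SecureRandom(), and every SecureRandom service registered with any installed JCE provider, flagging names that match the Dual EC DRBG entries in the table. The "ECDRBG" substring match on a normalised name is an assumption about how the provider names those services; the property name itself comes from the text above. Run it with the same jvm.config arguments and classpath as the ColdFusion instance so the BSAFE provider is loaded.

```java
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

public class RngAudit {

    // Assumption: a Dual EC DRBG service carries "EC DRBG" / "ECDRBG" in its name.
    // Normalising strips spaces, dashes and parentheses so "Dual EC DRBG (128 Bit)"
    // and "DualECDRBG" compare the same way.
    static final String UNSAFE_MARKER = "ECDRBG";

    static String normalise(String name) {
        return name.toUpperCase().replaceAll("[^A-Z0-9]", "");
    }

    /** True if the algorithm name looks like one of the Dual EC DRBG variants listed above. */
    static boolean looksUnsafe(String algorithmName) {
        return normalise(algorithmName).contains(UNSAFE_MARKER);
    }

    /** Every SecureRandom service registered with any provider, as "Provider:Algorithm". */
    static List<String> listSecureRandomServices() {
        List<String> out = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SecureRandom".equals(s.getType())) {
                    out.add(p.getName() + ":" + s.getAlgorithm());
                }
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // ColdFusion 10 reads this from jvm.config; it is null on a plain JVM or on CF9.
        String cfDefault = System.getProperty("coldfusion.jsafe.defaultalgo");
        System.out.println("coldfusion.jsafe.defaultalgo = "
                + (cfDefault == null ? "(not set)" : cfDefault));
        if (cfDefault != null && looksUnsafe(cfDefault)) {
            System.out.println("  [UNSAFE] the ColdFusion default points at a Dual EC DRBG variant");
        }

        // What the JVM itself hands out for new SecureRandom() (SHA1PRNG, NativePRNG, ...).
        SecureRandom sr = new SecureRandom();
        System.out.println("JVM default SecureRandom: " + sr.getAlgorithm()
                + " from provider " + sr.getProvider().getName());

        // Inventory of every registered SecureRandom implementation.
        boolean unsafeFound = false;
        for (String svc : listSecureRandomServices()) {
            boolean bad = looksUnsafe(svc);
            unsafeFound |= bad;
            System.out.println((bad ? "  [UNSAFE] " : "  [ok]     ") + svc);
        }
        System.out.println(unsafeFound
                ? "Dual EC DRBG services are registered; confirm nothing selects them."
                : "No Dual EC DRBG SecureRandom services registered.");
    }
}
```

A Dual EC DRBG entry in the inventory is not by itself a problem on ColdFusion 10, since the default points at FIPS186Random; what you want to confirm is that the coldfusion.jsafe.defaultalgo line is not flagged and that no application code requests one of the listed algorithms by name.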
Pete from the CF community has also blogged about this here.
A new security update is available for ColdFusion versions 9.0, 9.0.1, 9.0.2 and 10.0. This hotfix addresses the security issues specified in the technote here. Here is the link to the security bulletin for this hotfix. It also includes a few important bug fixes for ColdFusion 10, as specified here.
We recommend locking down your server by following the lockdown guide and disabling unused features in production environments.
A security update for ColdFusion is now available for versions 10, 9, 9.0.1 and 9.0.2. This hotfix addresses two vulnerabilities mentioned in the security bulletin APSB13-19.
If you are on ColdFusion 10, you will see a new update 11 within the ColdFusion administrator for you to download and install. ColdFusion 10 Update 11 includes an important security fix. It also includes several important bug fixes in addition to support for 64-bit COM interoperability, MySQL 5.6 and SQL Server 2012.
Adobe recommends that users update their product installation with this update. Here's a link to the related security technote.
There have been a couple of posts describing a vulnerability in the WebSocket functionality in ColdFusion 10. The Adobe Product Security Incident Response Team (PSIRT) is aware of this issue and is actively engaged with the ColdFusion Product Team to release a fix. Adobe PSIRT is not aware of this issue being exploited in the wild.
There will be a new update released soon that directly prevents the ability to invoke non-remote methods on the CFC using Websockets.
[Update: All the technotes (for CF10, CF9, CF9.0.1 and CF9.0.2) now have an update section to reflect the change that was made. The refreshed CHFs for ColdFusion 9 and the refreshed ColdFusion 10 update 8 contain a fix for an issue in Google Maps. New CHFs have been released for CF9 and CF9.0.1 – read the related post here]
Details of cumulative hotfixes are here – 9.0, 9.0.1, 9.0.2
You apply this update using the update mechanism within ColdFusion 10 Administrator.
For more details about the update, refer to the link here.
A security update for ColdFusion is now available for versions 10, 9, 9.0.1 and 9.0.2.
If you are on ColdFusion 10, you will see a new update 6 within the ColdFusion administrator for you to download and install.
Adobe recommends users update their product installation with this update. Here’s a link to the related security bulletin.
The Hotfix Installer documentation and technote contain most of the details.
However, if you would like to know more about how it works, or are looking for clarification on doubts you might have about the Hotfix/Update mechanism, that is available at: More Details on Hotfix Installer
Here’s the recording of my Zeus Preview Session at the Online ColdFusion Meetup.
Thanks for all the great feedback.
Do look forward to an exciting release of ColdFusion.