An important security update for ColdFusion is now available for versions 10, 9, 9.0.1 and 9.0.2.

If you are on ColdFusion 10, you will see a new update 9 within the ColdFusion administrator for you to download and install.

Adobe recommends users update their product installation with this update. Here's a link to the related security bulletin.

Note: It is recommended that request-related functionality is not used with CFThread.


32 Comments to “New ColdFusion security update for version 9 and above”

  1. Tim
    Subscribing
  2. Adam Cameron
    Also subscribing. Have installed the CF10 patch on my local machine and it went without a hitch.

    I think we need more info on the statement "It is recommended that, request related functionality is not used with CFThread".

    "Request-related functionality"? Isn't pretty much all of ColdFusion "request-related functionality"?

    --
    Adam
  3. Aaron Neff
    Also subscribing and interested in more info on "request-related functionality". What does that actually mean?

    Thanks,
    -Aaron
  4. Wil Genovese
    Yeah that! I would love to know exactly what that statement means too.
  5. Laura Hansen
    Ditto on the others, need to know what this request mumbo jumbo is about before we potentially break our app or have to update all threads.
  6. Ron Stewart
    Subscribing...
  7. Ken Wilson
    Subscribing
  8. Rupesh
    I completely agree that the post should have been more clear about "request related functionality" and I would try to do that here.

    As you know, CFThread allows you to spawn a new thread to do some processing in parallel with the request. This thread can continue to run even after the request has completed. Since this thread is not connected to the HTTP request that spawned it, any operation done from the thread which tries to change something in the HTTP request/response - like setting a header, cookie, response code, etc. - would not make sense and should not be done.

    So one should not use cfcookie, cfheader, cfcontent etc inside cfthread as it can cause unpredictable behavior.
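As an added illustration of the point above (example code written for this thread, not from the original post, Adobe, or Rupesh), here is the pattern to avoid beside the one Rupesh recommends: response state is set in the request before the thread is spawned, the thread receives only plain values as attributes, and results come back through the thread scope. The thread names, header name, cookie name and the /reports path are hypothetical.

```cfml
<!--- Anti-pattern: the thread mutates the HTTP response. By the time this
      runs, the request that spawned it may already have completed, so the
      header and cookie are set on a response that no longer exists. --->
<cfthread action="run" name="badReportThread">
    <cfheader name="X-Report-Status" value="started">
    <cfcookie name="reportId" value="#createUUID()#">
</cfthread>

<!--- Recommended pattern: everything that touches the request or response
      stays in the request; the thread gets plain values as attributes. --->
<cfset reportId = createUUID()>
<cfcookie name="reportId" value="#reportId#">
<cfheader name="X-Report-Status" value="started">

<cfthread action="run" name="reportThread" reportId="#reportId#">
    <!--- attributes.reportId is a copy passed in above. Nothing in the
          request, response, cookie or header scopes is touched here.
          The /reports path is a hypothetical example location. --->
    <cfset thread.outputPath = expandPath("/reports/#attributes.reportId#.txt")>
    <cfset fileWrite(thread.outputPath, "report body goes here")>
    <cfset thread.done = true>
</cfthread>

<!--- If the request needs the result before responding, join with a timeout
      and read the thread's results from the cfthread scope; otherwise just
      let the thread run on after the response has been sent. --->
<cfthread action="join" name="reportThread" timeout="5000">
<cfif cfthread.reportThread.status EQ "COMPLETED">
    <cfoutput>Report #reportId# written to #cfthread.reportThread.outputPath#</cfoutput>
<cfelse>
    <cfoutput>Report #reportId# is still being generated</cfoutput>
</cfif>
```

The join is optional: without it the request returns immediately and the thread finishes on its own, which is exactly why the thread must not assume the response is still open.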
  9. Subodh
    Want to know what the main fix in update 9 is.
  10. Phil
    Subscribing...
  11. Adam Cameron
    @Rupesh
    Cheers for that: so it's basically a code-quality tip.

    However why are you choosing to offer this tip when releasing a security patch?

    --
    Adam

    PS: can you make sure to get rid of the spam comment above this one.
  12. Tom Lofts
    Hi Shilpi,

    Do ColdFusion security updates ever include stability updates bundled in with them? We've recently hit a bug in ColdFusion 10 relating to the clock change to BST (https://bugbase.adobe.com/index.cfm?event=bug&id=3540118) and upgrading to update 8 didn't resolve the issue, and I'm wondering if we should try upgrading to update 9 straight away.

    Thanks for your time,

    Tom
  13. bobstamp
    Subscribing ....
  14. Luke
    Hi,

    I have updated to CF 10 update 9 and since the clocks changed for the UK to BST I am getting severe errors in the ColdFusion logs. https://bugbase.adobe.com/index.cfm?event=bug&id=3540118
  15. Andy Hudson
    Had an issue in 9.0.1 with Excel functionality after applying this update. Got the following error as "SpreadsheetFormatCell" function no longer works...

    coldfusion.excel.Excel.formatCell(Lcoldfusion/excel/ExcelInfo;Lcoldfusion/runtime/Struct;IIZ)V

    java.lang.NoSuchMethodError: coldfusion.excel.Excel.formatCell(Lcoldfusion/excel/ExcelInfo;Lcoldfusion/runtime/Struct;IIZ)V
  16. Adam Cameron
    I don't have 9.0.1 to test on, but I just tested that spreadsheetFormatCell() thing on 9.0.2 (before and after patching) and could not replicate. Can you give us a self-contained repro case to test with?

    --
    Adam
  17. Aaron
    What are the mitigating factors? CFIDE issues are only relevant to people who make the CFIDE folder publicly accessible.

    Microsoft publish mitigating factors. It is very useful. It lets people know if they are affected or not.


    Also - cfthread - what is going on here. There is clearly an issue. What is it?
  18. Aaron
    Alright.

    CFThread: cfheader & cfcookie have been blocked from working inside a cfthread.
    I suspect that the request object is not thread-safe and this is the solution for that. If the concern was that the response/header has already been written to the browser then you would see an error similar to issuing cfflush and then trying to do a cfcookie/cfheader.
    - An alternate reason might be related to the CFThread maintaining a reference to the response object after the "request" has finished.

    The other change seems to involve the admin files adminpassword.cfm and userpassword.cfm (or similar, I looked this up earlier today).
    I suspect that if you create an application, log in with a username/password using the built-in tags (cflogin?) and then cfinclude one of the .cfm files, you are able to pass form values in to the files, the files think you are logged in as an admin, and change the admin password on the server. This would impact hosting environments. - This is, however, speculation; I haven't tested yet.
  19. Simon Janssens
    Hi,
    I noticed that update 9 changes the ownership of /opt/coldfusion10 to the bin group. Now my user doesn't have read-only access to config and log files, which could make things difficult in my environment. I was wondering what people would recommend? Adding the user to the bin group (not sure if that's a no-no in *nix) or applying the suggestions from the lockdown guide over the top?

    Cheers,
    Simon
  20. Chris
    Subscribing
  21. David Epler
    Could Adobe now move the priority of APSB13-10 from 2 to 1 now that there is an exploit in the wild?

    http://threatpost.com/en_us/blogs/linode-hacked-through-coldfusion-zero-day-041613
  22. Aaron
    David: Given that Linode was exploited by this vulnerability 2 weeks before this patch was published, it's safe to assume that the CF team created this patch because of the hack - they already knew of a major attack in the wild when they assigned this a rating of 2.
  23. David Epler
    @Aaron

    If that was the case it should have been Priority 1 from the get go based upon Adobe documentation.

    http://www.adobe.com/support/security/severity_ratings.html

    Honestly, I fault Linode more than Adobe since they didn't properly secure ColdFusion in accordance with a lockdown guide if the attack originated through CFIDE. And while the previous one, APSB13-03, closed the Scheduled Task's ability to write .cfm files, it is still possible to bypass that inside the ColdFusion Administrator and get code onto the system.

    If it was exploited via code that Linode wrote that was using <cflogin> then it is a different story. But it still doesn't change the fact that the Security Hotfix should be Priority 1.
  24. Aaron
    David.

    We don't have enough information to blame Linode.
    The CF team have provided NO information (mitigating factors) that lets us know if a 100% locked down server would be vulnerable.

    If the attack vector is as I suspect (CFIDE is exploited via code, a CF mapping, and not via HTTP), then the attacker requires some method to get cfm/cfc files onto the server.

    If this exploit is accessed via HTTP then that is a different matter.

    The attacker published an IRC log - he makes mention of an old version of phpbb2 - which might have been his vector to place code on to the server to enable the exploit of CF.


    I think it's time the CF team lived up to their hype of better supporting the CF community and provide some REAL answers (or is it ANY answers)
  25. Doug Cain
    @Andy I have also had this problem on 9.0.1 with SpreadsheetFormatCell throwing an error. Added a vote for the bug here: https://bugbase.adobe.com/index.cfm?event=bug&id=3540876
  26. David Epler
    @Aaron,

    You are right, we don't know the true source of what caused Linode.

    My point is that *IF* the attack originated through CFIDE and was fixed with APSB13-10, there were 3 files that changed in APSB13-10 that point to that possibility:

    /CFIDE/adminapi/administrator.cfc
    /CFIDE/administrator/security/cfadminpassword.cfm
    /CFIDE/administrator/security/userpassword.cfm

    administrator.cfc is the most probable for the access via HTTP. The changes to administrator.cfc were specifically to the login method again. There is now a call to a new method isFlashRemoting() associated with getPageContext().getFusionContext(). I'm not saying that Flash Remoting *IS* what is being used, just that is what changed in the file between APSB13-03 and APSB13-10.

    Also I don't disagree that they should be more forthcoming with details and not leave cryptic notes in the post regarding cfthread.

    Think the bottom line is the state of security regarding ColdFusion installations is still abysmal and that the lockdown guides are not optional at this point, but *MANDATORY* for any installation since they do improve the security of the ColdFusion installation.
  27. Aaron Neff
    Just noting that Update 9's security bulletin has been updated w/ a new description for CVE-2013-1387:

    Old: "This hotfix resolves a vulnerability that could be exploited to impersonate an authenticated user (CVE-2013-1387)."

    New: "This hotfix resolves an information leak that can occur in certain multi-threaded use cases. This issue is not exploitable remotely (CVE-2013-1387)."

    The description for CVE-2013-1388 remains as: "This hotfix resolves a vulnerability that could be exploited by an unauthorized user to gain access to the ColdFusion administrator console (CVE-2013-1388)."

    Thanks,
    -Aaron
  28. Aaron
    Thanks Aaron Neff

    I've suspected that issue for a while; today I managed to get 10 minutes to have a better look at the Java source of chf9. The cfthread changes have confirmed my fears.

    David: it's been fun but I cannot continue to post here due to the severity of the issue. I have an 80% confidence I can craft an exploit for all shared hosting providers and 99% confidence I can craft an exploit for "some" shared hosting providers. And this is AFTER this hot fix has been applied.

    a warning

    IF your website accepts CREDIT CARDS do not use SHARED COLDFUSION HOSTING
  29. Adam Cameron
    Aaron (not Neff): I think your comment #28 qualifies as FUD. If you've found a problem: report it to Adobe. Don't post speculative fearmongering. That does nothing to FIX any problem, but it certainly announces there's a potential problem for people to investigate with a view to exploiting. Not a great thing to do.

    Adobe: I advocate you do two things: get rid of comment 28 & this one. And get in touch with Aaron as soon as you can, and see if there's any substance to this.

    --
    Adam
  30. Adam Cameron
    In other news: Shilpi / Rupesh, you've yet to qualify why you're advising us not to use request-centric functionality in CFTHREAD as part of the info for this patch. If there's an issue, you need to tell us. You need to deal with this properly.

    --
    Adam
  31. DanielB
    @Doug & @Andy
    I too have the same issue on CF 9.0.1 with CHF4. I have voted on your bug reference, Doug.
  32. J.D.e
    Am I missing something with Cumulative HotFix 4 for 9.0.1? Where are the subsequent Hot Fixes that address the APSB13-10 and 13-13?
