New ColdFusion security update for version 9 and above

April 08, 2013 / Shilpi Khariwal 34 Comments


An important security update for ColdFusion is now available for versions 10, 9, 9.0.1 and 9.0.2.

If you are on ColdFusion 10, you will see a new update 9 within the ColdFusion administrator for you to download and install.

Adobe recommends users update their product installation with this update. Here's a link to the related security bulletin.

Note: It is recommended that request-related functionality is not used with CFThread.

34 comments so far

  • 1 Tim // Apr 9, 2013 at 12:41 PM
    Subscribing
  • 2 Adam Cameron // Apr 9, 2013 at 1:14 PM
    Also subscribing. Have installed the CF10 patch on my local machine and it went without hitch.

    I think we need more info on the statement "It is recommended that, request related functionality is not used with CFThread".

    "Request-related functionality"? Isn't pretty much all of ColdFusion "request-related functionality"?

    --
    Adam
  • 3 Aaron Neff // Apr 9, 2013 at 1:39 PM
    Also subscribing and interested in more info on "request-related functionality". What does that actually mean?

    Thanks,
    -Aaron
  • 4 Wil Genovese // Apr 9, 2013 at 3:16 PM
    Yeah that! I would love to know exactly what that statement means too.
  • 5 Laura Hansen // Apr 9, 2013 at 4:32 PM
    ditto on the others, need to know what this request mumbo jumbo is about before we potentially break our app or have to update all threads.
  • 6 Ron Stewart // Apr 9, 2013 at 7:55 PM
    Subscribing...
  • 7 Ken Wilson // Apr 9, 2013 at 9:27 PM
    Subscribing
  • 8 Rupesh // Apr 9, 2013 at 11:47 PM
    I completely agree that the post should have been more clear about "request related functionality" and I would try to do that here.

    As you know, CFThread allows you to spawn a new thread to do some processing in parallel with the request. This thread can continue to run even after the request has completed. Since this thread is not connected to the HTTP request that spawned it, any operation done from the thread which tries to change something in the HTTP request/response - like setting header, cookie, response code etc - would not make sense and should not be done.

    So one should not use cfcookie, cfheader, cfcontent etc inside cfthread as it can cause unpredictable behavior.
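As an added illustration of the point made in the comment above (example code, not from the post, the commenter or Adobe): the first block shows the pattern the note warns against, the second keeps the thread to pure computation and lets the parent request, after a join, do the cookie-setting. The tag names are standard CFML; the thread names and cookie name are invented for the example.

```cfml
<!--- Added example, not from the post or Adobe: keep request-bound tags out of cfthread. --->

<!--- Pattern the note warns against: the cookie is set from a thread that is no
      longer tied to the HTTP request, so the behaviour is unpredictable. --->
<cfthread action="run" name="riskyWork">
    <cfset thread.token = hash(createUUID())>
    <cfcookie name="workToken" value="#thread.token#">
</cfthread>

<!--- Safer shape: the thread only computes and publishes its result in the
      thread-local scope; the parent request joins and performs the response work. --->
<cfthread action="run" name="safeWork">
    <cfset thread.token = hash(createUUID())>
</cfthread>

<!--- Wait up to 5 seconds (timeout is in milliseconds) for the thread to finish --->
<cfthread action="join" name="safeWork" timeout="5000">

<!--- The request, not the thread, touches the HTTP response; check status first,
      because a timed-out thread leaves the result key unset --->
<cfif cfthread.safeWork.status EQ "COMPLETED" AND structKeyExists(cfthread.safeWork, "token")>
    <cfcookie name="workToken" value="#cfthread.safeWork.token#" httpOnly="true">
<cfelse>
    <cflog file="application" type="warning"
           text="safeWork thread did not complete: #cfthread.safeWork.status#">
</cfif>
```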
  • 9 Subodh // Apr 10, 2013 at 3:36 AM
    Want to know what is the main fix in the update 9
  • 10 Phil // Apr 10, 2013 at 9:10 AM
    Subscribing...
  • 11 Adam Cameron // Apr 10, 2013 at 6:08 PM
    @Rupesh
    Cheers for that: so it's basically a code-quality tip.

    However why are you choosing to offer this tip when releasing a security patch?

    --
    Adam

    PS: can you make sure to get rid of the spam comment above this one.
  • 12 Tom Lofts // Apr 11, 2013 at 3:43 AM
    Hi Shilpi,

    Do ColdFusion security updates ever include stability updates bundled in with them? We've recently hit a bug in ColdFusion 10 relating to the clock change to BST (https://bugbase.adobe.com/index.cfm?event=bug&id=3540118) and upgrading to update 8 didn't resolve the issue, and I'm wondering if we should try upgrading to update 9 straight away.

    Thanks for your time,

    Tom
  • 13 bobstamp // Apr 11, 2013 at 10:13 AM
    Subscribing ....
  • 14 Luke // Apr 12, 2013 at 1:42 AM
    Hi,

    I have updated to CF 10 update 9 and since the clocks changed for the uk to BST I am getting severe errors in the coldfusion logs. https://bugbase.adobe.com/index.cfm?event=bug&id=3540118
  • 15 Andy Hudson // Apr 12, 2013 at 2:34 AM
    Had an issue in 9.0.1 with Excel functionality after applying this update. Got the following error as "SpreadsheetFormatCell" function no longer works...

    coldfusion.excel.Excel.formatCell(Lcoldfusion/excel/ExcelInfo;Lcoldfusion/runtime/Struct;IIZ)V

    java.lang.NoSuchMethodError: coldfusion.excel.Excel.formatCell(Lcoldfusion/excel/ExcelInfo;Lcoldfusion/runtime/Struct;IIZ)V
  • 16 Adam Cameron // Apr 12, 2013 at 3:52 AM
    I don't have 9.0.1 to test on, but I just tested that spreadsheetFormatCell() thing on 9.0.2 (before and after patching) and could not replicate. Can you give us a self-contained repro case to test with?

    --
    Adam
  • 17 Aaron // Apr 14, 2013 at 4:12 AM
    What are the mitigating factors? Cfide issues are only relevant to people who make the cfide folder publicly accessible

    Microsoft publish mitigating factors. It is very useful. It lets people know if they are affected or not.


    Also - cfthread - what is going on here. There is clearly an issue. What is it?
  • 18 Aaron // Apr 15, 2013 at 1:59 AM
    alright.

    CFThread. cfheader & cfcookie have been blocked from working inside a cfthread
    I suspect that the request object is not thread-safe and this is the solution for that. If the concern was that the response/header has already been written to the browser then you would see an error similar to issuing cfflush then trying to do a cfcookie/cfheader
    - alternate reason might be related to the CFThread maintaining a reference to the response object after the "request" has finished

    the other change seems to involve the admin files adminpassword.cfm and userpassword.cfm (or similar, i looked this up earlier today)
    I suspect that if you create an application, login with a username/password using the builtin tags (cflogin?) then cfinclude one of the .cfm files, you are able to pass form values in to the files, the files think you are logged in as an admin, and change the admin password on the server. This would impact hosting environment. - this is, however, speculation, haven't tested yet
  • 19 Simon Janssens // Apr 15, 2013 at 4:07 PM
    Hi,
    I noticed that update 9 changes the ownership of /opt/coldfusion10 to the bin group. Now my user doesn't have read only access to config and log files, which could make things difficult in my environment. I was wondering what people would recommend? Adding the user to the bin group (not sure if that's a no no in nix) or applying the suggestions from the lockdown guide over the top?

    Cheers,
    Simon
  • 20 Chris // Apr 15, 2013 at 6:48 PM
    Subscribing
  • 21 David Epler // Apr 16, 2013 at 8:39 AM
    Could Adobe now move the priority of APSB13-10 from 2 to 1 now that there is a new exploit in the wild?

    http://threatpost.com/en_us/blogs/linode-hacked-through-coldfusion-zero-day-041613
  • 22 Aaron // Apr 17, 2013 at 5:46 AM
    David: Given that linode was exploited by this vulnerability 2 weeks before this patch was published, it's safe to assume that the cf team created this patch because of the hack - they already knew of a major attack in the wild when they assigned this a rating of 2.
  • 23 David Epler // Apr 17, 2013 at 6:20 AM
    @Aaron

    If that was the case it should have been Priority 1 from the get go based upon Adobe documentation.

    http://www.adobe.com/support/security/severity_ratings.html

    Honestly, I fault Linode more than Adobe since they didn't properly secure ColdFusion in accordance with a lockdown guide if the attack originated through CFIDE. And while the previous one, APSB13-03, closed the Scheduled Task's ability to write .cfm files, it is still possible to bypass that inside the ColdFusion Administrator and get code onto the system.

    If it was exploited via code that Linode wrote that was using <cflogin> then it is a different story. But still doesn't change the fact the Security Hotfix should be Priority 1.
  • 24 Aaron // Apr 17, 2013 at 9:25 PM
    David.

    We don't have enough information to blame Linode.
    the CF team have provided NO information (mitigating factors) that let us know if a 100% locked down server would be vulnerable

    If the attack vector is as I suspect; CFIDE is exploited via code (a cf-mapping) and not via HTTP. - in that case the attacker requires some method to get cfm/cfc files on to the server

    If this exploit is accessed via HTTP then that is a different matter.

    The attacker published an IRC log - he makes mention of an old version of phpbb2 - which might have been his vector to place code on to the server to enable the exploit of CF.


    I think it's time the CF team lived up to their hype of better supporting the CF community and provide some REAL answers (or is it ANY answers)
  • 25 Doug Cain // Apr 18, 2013 at 4:34 AM
    @Andy I have also had this problem on 9.0.1 with SpreadsheetFormatCell throwing an error. Added a vote for the bug here: https://bugbase.adobe.com/index.cfm?event=bug&id=3540876
  • 26 David Epler // Apr 18, 2013 at 8:28 AM
    @Aaron,

    You are right, we don't know the true source of what caused Linode.

    My point is that *IF* the attack originated through CFIDE and was fixed with APSB13-10, there were 3 files that changed in APSB13-10 that point to that possibility

    /CFIDE/adminapi/administrator.cfc
    /CFIDE/administrator/security/cfadminpassword.cfm
    /CFIDE/administrator/security/userpassword.cfm

    administrator.cfc is the most probable for the access via HTTP. The changes to administrator.cfc were specifically to the login method again. There is now a call to a new method isFlashRemoting() associated with getPageContext().getFusionContext(). I'm not saying that Flash Remoting *IS* what is being used, just that is what changed in the file between APSB13-03 and APSB13-10.

    Also I don't disagree that they should be more forthcoming with details and not leave cryptic notes in the post regarding cfthread.

    Think the bottom line is the state of security regarding ColdFusion installations is still abysmal and that the lockdown guides are not optional at this point, but *MANDATORY* for any installation since they do improve the security of the ColdFusion installation.
  • 27 Aaron Neff // Apr 18, 2013 at 10:29 PM
    Just noting that Update 9's security bulletin has been updated w/ a new description for CVE-2013-1387:

    Old: "This hotfix resolves a vulnerability that could be exploited to impersonate an authenticated user (CVE-2013-1387)."

    New: "This hotfix resolves an information leak that can occur in certain multi-threaded use cases. This issue is not exploitable remotely (CVE-2013-1387)."

    The description for CVE-2013-1388 remains as: "This hotfix resolves a vulnerability that could be exploited by an unauthorized user to gain access to the ColdFusion administrator console (CVE-2013-1388)."

    Thanks,
    -Aaron
  • 28 Aaron // Apr 19, 2013 at 3:25 AM
    Thanks Aaron neff

    I've suspected that issue for a while, today I managed to get 10 minutes to have a better look at the java source of chf9. The cfthread changes have confirmed my fears.

    David: it's been fun but I can not continue to post here due to the severity of the issue. I have an 80% confidence I can craft an exploit for all shared hosting providers and 99% confidence I can craft an exploit for "some" shared hosting providers. And this is AFTER this hot fix has been applied

    a warning

    IF your website accepts CREDIT CARDS do not use SHARED COLDFUSION HOSTING
  • 29 Adam Cameron // Apr 19, 2013 at 2:16 PM
    Aaron (not Neff): I think your comment #28 qualifies as FUD. If you've found a problem: report it to Adobe. Don't post speculative fearmongering. That does nothing to FIX any problem, but it certainly announces there's a potential problem for people to investigate with a view to exploiting. Not a great thing to do.

    Adobe: I advocate you do two things: get rid of comment 28 & this one. And get in touch with Aaron as soon as you can, and see if there's any substance to this.

    --
    Adam
  • 30 Adam Cameron // Apr 19, 2013 at 2:18 PM
    In other news: Shilpi / Rupesh, you've yet to qualify why you're advising us not to use request-centric functionality in CFTHREAD as part of the info for this patch. If there's an issue, you need to tell us. You need to deal with this properly.

    --
    Adam
  • 31 DanielB // Apr 22, 2013 at 7:46 AM
    @Doug & @Andy
    I too have the same issue on CF 9.0.1 with CHF4. I have voted on your bug reference, Doug.
  • 33 me // Jun 20, 2013 at 8:17 AM
    Coldfusion sucks monkey balls.
  • 34 J.D.e // Jul 3, 2013 at 9:48 AM
    Am I missing something with Cumulative HotFix 4 for 9.0.1? Where are the subsequent Hot Fixes that address the APSB13-10 and 13-13?
