This has been one of the faster turnaround times for getting an updated Unofficial Updater 2 out. One of the items that stuck out was that one of the acknowledgments was to Alex Holden, who co-discovered the Adobe password and software breach.
In the news coverage of the latest patch, there is contention over whether the hole reported by Alex Holden is actively being exploited; quoting the second-to-last paragraph:
Holden maintains this flaw was being used by attackers prior to today. "Hold Security identified an attack attempt against a ColdFusion version 8 resource by the same hackers behind breaches like LexisNexis, Adobe, and others," Holden said. Unaware of the possible effectiveness of this attack, Hold Security reached out to Adobe. While Adobe did not find the precise attack effective against any of the supported CF versions, they did identify a critical flaw in the same resource which led to the patch issued today.
The first thing that struck me was that ColdFusion 8 was specifically mentioned. ColdFusion 8 core support ended July 31, 2012, which means Adobe will not issue a patch to close this hole on ColdFusion 8 (the last patch was APSB12-21 on September 11, 2012). The only effective measure is to make sure you properly lock down ColdFusion 8 or upgrade to a supported version (and properly secure it). The other thing is Adobe's statement that the attack was not "effective against any supported CF version"; since ColdFusion 8 is no longer a supported version, the statement is probably accurate as worded.
Regardless of whether it is being exploited, the best defense is to be running a supported version of ColdFusion, staying current on patches, and properly securing ColdFusion using the published lockdown guides for ColdFusion 9 or ColdFusion 10.
Also tomorrow (11/14) at 2pm ET, I will be giving a free webinar on the security enhancements that have been made in ColdFusion 10. To register, please visit http://events.carahsoft.com/event-detail/2919/aboutweb/
Well, I kind of missed blogging the last update to Unofficial Updater 2 back in May while I was at cf.Objective(). The latest update, APSB13-19, dropped while I was on vacation at the beach, but I still got it done two days after it was released by Adobe.
For ColdFusion 9.0.x the latest security update only applies if you are running a standalone install or a JRun Multi-Server install. If you are running ColdFusion 9.0.x on top of any other J2EE server like JBoss, WebLogic, or others, you don't need to apply the fix.
So there has been yet another 0-day that exploits ColdFusion installs whose directories within CFIDE are not properly secured, as noted in APSA13-03 from Adobe. If you have a public-facing CFIDE that isn't properly secured, it is only a matter of time until it gets hacked. The previous two found in January and April of this year should have been motivation enough.
For those that are still running ColdFusion 8, my best advice to secure your ColdFusion install is to use the ColdFusion 9 Lockdown Guide. I have used it to secure ColdFusion 8 for several different clients. The only section in the lockdown guide that doesn't apply to ColdFusion 8 is "Removing WSRP servlet mapping" since it was introduced in ColdFusion 9.
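As an added example (not code from the original post, from Adobe, or from the lockdown guide), the Python audit below encodes the CFIDE rule in the form assumed here: deny everything under /CFIDE/ except /CFIDE/scripts/ unless the client is on a trusted network. It runs that rule over constructed web-server access log lines to find requests that should have been blocked, normalizing each path first, since a case-sensitive or encoding-unaware block rule is exactly the kind of lockdown gap that gets missed on a Windows/IIS install. The trusted networks, log format and sample lines are all assumptions.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Assumed policy (not from the original post): only /CFIDE/scripts/ needs to be
# reachable from the Internet, because <cfform> and cfajax pages load their
# client-side JavaScript from it. Everything else under /CFIDE/ is
# administrative and should only answer to trusted addresses.
PUBLIC_CFIDE_DIRS = {"scripts"}

# Constructed trusted ranges: loopback plus an internal management network.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Apache/IIS combined-style access log: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path before applying the policy.

    Strips the query string, percent-decodes twice (so a double-encoded
    "%252e%252e" is seen as ".."), collapses "." and ".." segments, and
    lowercases, because ColdFusion on Windows/IIS serves /cfide/ADMINISTRATOR/
    and /CFIDE/administrator/ from the same directory.
    """
    path = raw_path.split("?", 1)[0]
    decoded = unquote(unquote(path))
    # Anchor at "/" first so ".." can never climb above the web root.
    collapsed = posixpath.normpath("/" + decoded.lstrip("/"))
    return collapsed.lower()


def cfide_access_allowed(raw_path: str, client_ip: str) -> bool:
    """Return True if the request complies with the assumed CFIDE policy."""
    parts = normalize_path(raw_path).strip("/").split("/")
    if parts[0] != "cfide":
        return True  # outside /CFIDE/, so outside this policy
    if len(parts) >= 2 and parts[1] in PUBLIC_CFIDE_DIRS:
        return True  # /CFIDE/scripts/... is intentionally public
    client = ipaddress.ip_address(client_ip)
    return any(client in net for net in TRUSTED_NETWORKS)


def audit_log(lines):
    """Return the requests that violate the policy, oldest first.

    Each entry records whether the server actually served the resource
    (status below 400); a served violation means the lockdown is missing.
    """
    violations = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line; a real audit would count these
        ip, _method, path, status = match.groups()
        if cfide_access_allowed(path, ip):
            continue
        violations.append({
            "ip": ip,
            "path": path,
            "normalized": normalize_path(path),
            "status": int(status),
            "served": int(status) < 400,
        })
    return violations


# Constructed sample log lines (documentation address ranges, fictitious times).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Mar/2013:10:15:02 -0400] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5123',
    '10.0.0.5 - - [25/Mar/2013:10:16:44 -0400] "GET /cfide/adminapi/ HTTP/1.1" 200 812',
    '198.51.100.7 - - [25/Mar/2013:10:17:09 -0400] "GET /CFIDE/scripts/ajax/package/cfajax.js HTTP/1.1" 200 42510',
    '203.0.113.9 - - [25/Mar/2013:10:18:31 -0400] "GET /CFIDE/scripts/..%2fadministrator/index.cfm HTTP/1.1" 404 231',
    '198.51.100.7 - - [25/Mar/2013:10:19:55 -0400] "GET /index.cfm?page=home HTTP/1.1" 200 9870',
]

if __name__ == "__main__":
    for v in audit_log(SAMPLE_LOG):
        verdict = "SERVED" if v["served"] else "blocked"
        print(f'{v["ip"]:<14} {verdict:<8} {v["path"]} -> {v["normalized"]}')
```

On the sample data the first line is a served violation (an untrusted address reached the Administrator), while the traversal attempt on the fourth line was denied by the server but still shows up because the normalized path lands under /cfide/administrator/. The point of comparing the normalized path rather than the raw one is that the block belongs at the web-server layer, in front of ColdFusion, and must be applied after the server's own decoding and case folding; the ColdFusion Administrator password is not the control to rely on for this.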
If you are attending cf.Objective() this year, there are several more security-related talks. I am presenting on Web Hacking Tools on Thursday (1st day) at 2:35pm. Among the demonstrations will be how ridiculously easy it is to get access to ColdFusion Administrator if you have it accessible and not recently patched. I also highly recommend seeing both of Pete Freitag's sessions, Writing Secure CFML and Locking Down CF Servers.
Lastly, Adobe has announced that a security patch to resolve APSA13-03 will be released on May 14th. Unofficial Updater 2 should be updated on May 15th while I'm heading to cf.Objective().
Stay on top of patching: on April 10th a Metasploit module was released that exploits the hole closed by the previous security hotfix, APSB13-03. It is only a matter of time until there is an exploit that goes after the latest security hotfix or the next unknown one.
Posted by David Epler in ColdFusion on March 25, 2013
So last week the ColdFusion product team announced a survey to get selected into the pre-release program for the next version of ColdFusion (I refuse to call it by the code name since all I think of is Splenda). A lot of this has been rolling around in my head since they published the roadmap last August, and I really need to get this out before there is a possibility of being included in the pre-release and bound by the requisite NDA.
ColdFusion 10 did focus on security and was by far the most significant release to address the issue. Security is listed on the roadmap, but it can still be improved.
One of the areas that would improve the security of ColdFusion would be to make several changes to the installer.
First, Secure Profile should be an opt-out with a checkbox "Disable Secure Profile". In the ColdFusion 10 installer it is an opt-in with "Enable Secure Profile". There are too many administrators that just click through the installer. By explicitly making them opt out of Secure Profile, it would make them think about the implications of not selecting it, and most would probably leave it as is. No one wants a less secure install.
Second, the installer on Windows should allow one to change the default user that ColdFusion runs as just like the installer for Linux has done for ages. Those that attack ColdFusion specifically look for Windows installs since the majority of installs are left running as SYSTEM.
Lastly, while the lockdown guide is well done and extremely useful, it should be published as soon as the version is released (May 14, 2012), not 6 months afterwards (November 28, 2012). The lockdown guide should also be prominently displayed on the ColdFusion download page and within the ColdFusion Administrator.
Sandboxing within ColdFusion is probably one of the most underutilized security features the product has had for the longest time. Part of that is due to the fact that it requires an Enterprise license to create multiple sandboxes. This is one area where the distinction between Standard and Enterprise should be dropped. Security should never be a paid feature.
There are several enhancements to sandboxing that should be done as well. The CFIDE sandbox does not apply to scheduled tasks or system probes, and it should. If they aren't part of the CFIDE sandbox, they should have their own sandbox defined for them. All sandboxes should be pre-defined to only allow access to 127.0.0.1 port 80 so the administrator has to explicitly open access to external systems, as opposed to allowing all connections, which is the current default. Another minor issue is that it only allows for IP addresses and should allow for fully qualified domain names. Finally, sandboxing should be enabled by default when Secure Profile is enabled.
The ability to create PDFs was one of the best additions to ColdFusion back in version 7. Unfortunately, the functionality seems to have stagnated. This is the one area where ColdFusion can really set itself apart and excel: better rendering of HTML to PDF for Section 508 support as noted in bug id 3041212, more integration with PDF forms as noted in bug id 3117809, and handling signatures. The dependence ColdFusion has on iText, jPedal, and OpenOffice should be removed. It was understandable back in ColdFusion 7 and 8 when it was developed by Macromedia. PDF is an Adobe technology, as is ColdFusion; this should be doable. Hopefully this will happen since the roadmap says, "Revamped and new PDF functionalities".
The strength of ColdFusion has always been its ability to integrate with various back-end technologies like Java, .Net, Exchange, SharePoint, and Office documents. One of the main problems has always been that things are never fully baked or key functionality is missing. A prime example is the lack of NTLM and Digest support on HTTP calls. It has been a long-requested feature, originally logged as bug id 72751 and migrated as bug id 3035879. It is currently marked as Deferred/Not Enough Time from ColdFusion 9.0 Alpha 1 (it has probably been asked for longer, but I can't find references). There is another bug id 3175165 which is strictly NTLM support and is set as To Fix from ColdFusion 9.0.1, but nothing on Digest. One could argue that this should have been addressed by now so ColdFusion can stay ahead of requirements coming from clients (seriously, look at bug id 3175165; the developer is pleading for it so that ColdFusion can stay relevant at a large US Government agency).
Reporting is one area where integration is lacking. It is time to face the fact that ColdFusion Reports and ColdFusion Report Builder are defunct; no real update has occurred since version 8. Just kill it off. Integrating with a modern version of Crystal Reports for all platforms (not just Windows) and allowing for easy integration with Jasper Reports or BIRT should be the focus to solve the lack of good reporting solutions in ColdFusion.
The one area of the roadmap that is of concern is "Enabling Enterprise to easily integrate with Social Media Streams". It is extremely buzzword compliant. I hope this does not mean <cftwitter>, <cffacebook>, or <cfsocialmedia> tags or functions. While these sound good in concept, just look at the issues with <cfmap> and the change of the Google Maps API from v2 to v3. There are projects on riaforge.org like (monkeh)Tweet Twitter API that can provide the same integration with a faster turnaround on API changes.
Getting a feed from Twitter is easy; integrating NTLM and Digest authentication is hard. Get back to making hard things easy.
This is an area where ColdFusion has been severely lacking. While there are ColdFusion Archives (CAR) and J2EE Archives (WAR/EAR) in Enterprise, neither of these solutions easily integrates with a build environment. Both require interaction with the ColdFusion Administrator. There needs to be an easy way to script deployments, probably with Ant since pretty much every build environment can interact with it. The other issue with the existing J2EE Archives is that the resulting output is ridiculously large even for the most basic ColdFusion Application. There needs to be a way to select only the needed functionality into the WAR/EAR. If the ColdFusion Application isn't using Flex or <cfform> functionality, you should be able to pull it out of the deployment.
Vote Up Existing Bugs, Suggest Enhancements
So even if you don't get into the pre-release for ColdFusion 11, what can you do? The best thing would be to go through the existing bugs to see if any issues you have are already reported and vote them up. While the Adobe Bugbase is a pain to search, try the simple interface that Adam Cameron created. If you have an enhancement, submit it to the Adobe Bugbase and then get people to vote it up. Follow @cfbugnotifer on Twitter. See something on the Twitter feed? Vote it up, retweet it, and get involved in the future of ColdFusion.