Entries Tagged as "Unofficial Updater 2"

Unofficial Updater 2 now patches APSB13-27

This has been one of the faster turnaround times for getting an updated Unofficial Updater 2 out. One of the items that stuck out was that one of the acknowledgments was to Alex Holden, who co-discovered the Adobe password and software breach.

In the news coverage of the latest patch, there is contention over whether the hole reported by Alex Holden is actively being exploited; from the second-to-last paragraph:

Holden maintains this flaw was being used by attackers prior to today. "Hold Security identified an attack attempt against a ColdFusion version 8 resource by the same hackers behind breaches like LexisNexis, Adobe, and others," Holden said. Unaware of the possible effectiveness of this attack, Hold Security reached out to Adobe. While Adobe did not find the precise attack effective against any of the supported CF versions, they did identify a critical flaw in the same resource which led to the patch issued today.

The first thing that struck me was that ColdFusion 8 was specifically mentioned. ColdFusion 8 core support ended July 31, 2012, which means Adobe will not issue a patch to close this hole on ColdFusion 8 (the last patch was APSB12-21 on September 11, 2012). The only effective measure is to make sure you properly lock down ColdFusion 8 or upgrade to a supported version (and properly secure it). The other thing is Adobe's statement about the attack not being "effective against any supported CF version"; since ColdFusion 8 is no longer supported, that statement is probably valid.

Regardless of whether it is being exploited, the best defense is to be running a supported version of ColdFusion, staying current on patches, and properly securing ColdFusion using the published lockdown guides for ColdFusion 9 or ColdFusion 10.

Also tomorrow (11/14) at 2pm ET, I will be giving a free webinar on the security enhancements that have been made in ColdFusion 10. To register, please visit http://events.carahsoft.com/event-detail/2919/aboutweb/


Unofficial Updater 2 now patches APSB13-19

Well, I kind of missed blogging the last update to Unofficial Updater 2 back in May while I was at cf.Objective(). The latest update, APSB13-19, dropped while I was on vacation at the beach, but I still got it done two days after it was released by Adobe.

For ColdFusion 9.0.x the latest security update only applies if you are running a standalone install or a JRun Multi-Server. If you are running ColdFusion 9.0.x on top of any other J2EE server, like JBoss, WebLogic, or others, you don't need to apply the fix.

As usual the best defense is to stay current on patches and properly secure ColdFusion using the published lockdown guides for ColdFusion 9 or ColdFusion 10.

Unofficial Updater 2 now patches APSB13-10

Unofficial Updater 2 has been updated (April 11th) to now apply the latest ColdFusion security hotfix APSB13-10 that was released on April 9th.

Stay on top of the patching: on April 10th a Metasploit module was released that exploits the vulnerability fixed by the previous security hotfix, APSB13-03. It is only a matter of time until there is an exploit that goes after the latest security hotfix or the next unknown one.

The best defense is to stay current on patches and properly secure ColdFusion using the published lockdown guides for ColdFusion 9 or ColdFusion 10. Otherwise...

Game over, man!



The Joys of ColdFusion Patching

So if you have been following things, Adobe released cumulative hotfixes to allow for Java 7 support and to update <cfmap> to use Google Maps API v3 instead of v2. The only problem is that along the way they have had to update them a few times. It is exactly this situation which drove me to create Unofficial Updater 2 originally.

Frankly, the entire past 2 weeks should not have occurred. This really shines a light on how poorly thought out the Adobe ColdFusion update product team's release process is. And this is not the first time they have had to do multiple re-releases of hotfixes: APSB11-04 was re-released once, APSB11-14 twice, APSB12-06 once (for CF801 only), and Update 3 for CF10 was pulled. That track record does not inspire confidence.

Some general notes regarding the CHFs: they provide Java 7 support for ColdFusion 9.0.x on all OSes EXCEPT Mac OS X 10.7 and 10.8. Java 7 is supported on all OSes for ColdFusion 10.0.8+. The update to support Google Maps API v3 should never have happened; <cfmap> should be deprecated in accordance with what I'll call the "Forta Rule", and I can only hope this happens for ColdFusion 11.

Update Process for UU2

Given that I found multiple issues that prompted the re-releases and updates to the technotes, I wanted to share how I go about updating Unofficial Updater 2.

The process starts with a complete reading of the technote(s) to see what has changed and what exactly the steps are. From that, the hotfix matrices (9.0.0, 9.0.1, 9.0.2) are updated as part of the project to note items such as download files, CVEs fixed, and what needs to be installed or is superseded. This is how the missing 81860 for CF 9.0.0 CHF2 was found. Then uu2.properties is updated to add the download location and hashes for the files. It was a change in the hashes which prompted me to inquire about the "silent" update of the CHFs that occurred between February 27th and March 1st. Finally, build.xml is updated to reflect the steps in the technote for applying the files.

After the update to build.xml, UU2 is then tested against both Windows (2008 R2) and Linux (CentOS 5.8). There are VMs for each OS that have ColdFusion 9.0.0, 9.0.1, and 9.0.2 installed as both standalone and as JRun multi-server. For each instance there is a clean install maintained, an install with the previous hotfix applied, and an install with the new hotfix applied so comparisons can be made. UU2 is tested against the clean install and the previous-hotfix install. This is how the missing jpedal.jar was found in CF 9.0.1 CHF4. UU2 isn't tested as rigorously against Mac OS X since I don't know of anyone running it in production with OS X Server. No testing is done against Solaris since I don't have access to a Sun server, but the Linux testing should cover it.

Then all the associated documentation for UU2 is updated and packaged for release. I generally want to get UU2 out as soon as possible, but if there are issues reported, it will be delayed until they are resolved. UU2 only goes out once everything for a given set of updates from Adobe has been resolved.

So with all of that, Unofficial Updater 2 was updated last night (March 11, 2013 at 8:00PM EDT) to support applying the various ColdFusion 9.0.x CHFs (issue 33). It also changed the behavior of the default directory for backing up (issue 31). On Windows it will default to the current running directory of UU2, and on Unix it will default to /tmp.

Again, thank you to all who use and provide feedback to make Unofficial Updater 2 better. Also thank you to CFHour for the mentions (finally made Boyzoid a convert!).


Unofficial Updater 2 now patches APSB13-03

I had intended to get this post out earlier, when I updated Unofficial Updater 2 on the 16th. Here are the changes that were made in the latest release of UU2.


APSA13-01 does note that ColdFusion 8 and earlier are susceptible to the attack that APSB13-03 fixes. Based upon the security advisory it does not seem that Adobe will be providing a patch for ColdFusion 8, since core support for ColdFusion 8 ended last year. For ColdFusion 8 and earlier, please make sure you properly secure the CFIDE directory and apply the other mitigation steps noted in the security advisory.

I have also published an updated set of hashsets that can be used with hashdeep at https://github.com/dcepler/cfide-integrity to check the integrity of CFIDE after applying APSB13-03. For details please see my previous post.
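Two of the checks described on this page, pinning hashes for downloaded hotfix files (the uu2.properties step in the UU2 update process above) and auditing CFIDE against a known-good hashset, as an added example that is not UU2's code or the cfide-integrity repository's; the `*.sha256` property key layout, file names and sample bytes are constructed for the demo.

```python
# Added example, not UU2's own code: pin hashes for downloaded hotfix files (as uu2.properties does) and audit a CFIDE tree against a baseline hashset.
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def parse_pins(text):
    # Expects lines like 'hf902-00001.jar.sha256 = <hex>'; this key layout is an assumption, not UU2's real format.
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.endswith(".sha256"):
                pins[key[:-len(".sha256")]] = value.lower()
    return pins

def verify_downloads(download_dir, pins):
    # A 'mismatch' is exactly what a silently re-released hotfix looks like to the updater.
    status = {}
    for name, expected in pins.items():
        p = Path(download_dir) / name
        status[name] = "missing" if not p.is_file() else ("ok" if sha256_file(p) == expected else "mismatch")
    return status

def audit_tree(root, baseline):
    # hashdeep-style audit of a web root: baseline maps relative path -> sha256 of the known-good tree.
    root = Path(root)
    seen = {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*") if p.is_file()}
    changed = {k for k, v in baseline.items() if k in seen and seen[k] != v}
    return changed, set(baseline) - set(seen), set(seen) - set(baseline)

def demo():
    # Constructed sample data: one intact and one silently changed download; a CFIDE tree with one modified, one missing and one unexpected file.
    good = hashlib.sha256(b"original hotfix bytes").hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "good.jar").write_bytes(b"original hotfix bytes")
        (d / "changed.jar").write_bytes(b"re-released hotfix bytes")
        downloads = verify_downloads(d, parse_pins(f"good.jar.sha256 = {good}\nchanged.jar.sha256 = {good}\n"))
        (d / "CFIDE" / "scripts").mkdir(parents=True)
        (d / "CFIDE" / "scripts" / "cfform.js").write_bytes(b"tampered js")
        (d / "CFIDE" / "h.cfm").write_bytes(b"dropped in")
        baseline = {"scripts/cfform.js": hashlib.sha256(b"known-good js").hexdigest(),
                    "administrator/index.cfm": hashlib.sha256(b"expected").hexdigest()}
        return downloads, audit_tree(d / "CFIDE", baseline)
```

Run `demo()` to see both reports; in practice the baseline would be generated from a freshly patched, known-good CFIDE and compared against production after each hotfix.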