Manually Patching ColdFusion 9 with APSB15-21 (CVE-2015-3269)

  • August 31, 2015
  • David Epler

So ColdFusion 9 core support ended on December 31, 2014. As such, Adobe has not released any security updates for it since APSB14-23 on October 14, 2014. There was a question regarding the latest security patch, APSB15-21, released for ColdFusion 10 and 11, and whether it affected ColdFusion 9. The answer was yes, it is affected as well. And apparently Adobe does have a procedure on how to apply the patch, if you email and ask for the instructions. Honestly, Adobe should just post the instructions, but given that it is no longer covered by core support I can understand why they are not.

Read More

Enough Fail to Go Around

  • March 24, 2014
  • David Epler

So the talk surrounding the Krebs on Security post, The Long Tail of ColdFusion Fail, continues. Some have taken issue with the fact that he seems to be singling out ColdFusion. Personally, I like the fact that he is reporting on breaches. It helps bring to light issues with installs that are out there, so others can learn from the problems. The ones he has highlighted are severe since they involve credit card processing.

The underlying problem is that hackers have identified ColdFusion as an easy target and are going after it. The only way to fix that is to make it more difficult to attack and compromise, but that requires involvement from everyone that touches a ColdFusion installation.

Read More

How patching ColdFusion 8.0.x made you more vulnerable in some cases (or fun with CVE-2013-0632 from APSB13-03)

  • March 18, 2014
  • David Epler

On March 17th, there was yet another story from Krebs on Security, The Long Tail of ColdFusion Fail, which sparked some interesting comments. It also provided some additional insight into a post that Wil Genovese made on March 6th, IIS Vulnerability Steals Payment Information, since he commented on Krebs that he dealt with eLightBulbs.com.

Before I knew the two were related, I made the comment that it is really a failure of the sysadmin to properly configure and lock down ColdFusion based upon the published lockdown guides for ColdFusion 9 or ColdFusion 10.

Read More

Unofficial Updater 2 now patches APSB13-27

  • November 13, 2013
  • David Epler

This has been one of the faster turnaround times to get an updated Unofficial Updater 2 out. One of the items that stuck out was that one of the acknowledgments was to Alex Holden, who co-discovered the Adobe password and software breach.

Read More

Unofficial Updater 2 now patches APSB13-19

  • July 11, 2013
  • David Epler

Well, I kind of missed blogging the last update to Unofficial Updater 2 back in May while I was at cf.Objective(). The latest update, APSB13-19, dropped while I was on vacation at the beach, but I still got it done two days after it was released by Adobe.

Read More