Manually Patching ColdFusion 9 with APSB15-21 (CVE-2015-3269)

ColdFusion 9 core support ended on December 31, 2014, and Adobe has not released a security update for it since APSB14-23 on October 14, 2014. When the latest security patch, APSB15-21, was released for ColdFusion 10 and 11, the question came up whether ColdFusion 9 was affected too. The answer is yes, it is affected as well, and apparently Adobe does have a procedure for applying the patch to ColdFusion 9 if you email and ask for the instructions. Honestly, Adobe should just post the instructions, but given that ColdFusion 9 is no longer covered by core support, one can understand why they have not.

This post is a collection of my notes and the procedure I used to manually apply the patch to ColdFusion 9. These steps are not the official Adobe ones. Unofficial Updater 2 had previously been run to bring the server up to the last official patch, APSB14-23.

The underlying BlazeDS libraries have not changed since ColdFusion 9.0.2. The exact same files are used in ColdFusion 10 through Update 16 and ColdFusion 11 through Update 5.

ColdFusion 9.0.2

File                          Version       SHA-1 Hash                                Function
flex-messaging-common.jar     4.0.0.14931   81eb386a31933aff9819499198fb9945ebb03771  BlazeDS - Common Library
flex-messaging-core.jar       4.0.0.14931   d74583ebe8e1fd9651641ca8291d19edf4563335  BlazeDS - Community Edition
flex-messaging-opt.jar        4.0.0.14931   5c91681ca2f719b0a368f61a3f0f22bdb4c9eaaa  BlazeDS - Optional Vendor
flex-messaging-proxy.jar      4.0.0.14931   b9f28b0916f03432a7011cf6cfb04c2ec45b16af  BlazeDS - Community Edition - Proxy Module
flex-messaging-remoting.jar   4.0.0.14931   c8771cc64f35457c874b07ccccb010b8631194c9  BlazeDS - Community Edition - Remoting Module

ColdFusion 9.0.1

File                          Version       SHA-1 Hash                                Function
flex-messaging-common.jar     4.0.0.20929   303b1cb8a04e910d43c9be4894f6d6b7b814a928  BlazeDS - Common Library
flex-messaging-core.jar       4.0.0.20929   31820e6ca453d1c42e602b4bf226711c63f4aa2d  BlazeDS - Community Edition
flex-messaging-opt.jar        4.0.0.14931   5c91681ca2f719b0a368f61a3f0f22bdb4c9eaaa  BlazeDS - Optional Vendor
flex-messaging-proxy.jar      4.0.0.14931   b9f28b0916f03432a7011cf6cfb04c2ec45b16af  BlazeDS - Community Edition - Proxy Module
flex-messaging-remoting.jar   4.0.0.14931   c8771cc64f35457c874b07ccccb010b8631194c9  BlazeDS - Community Edition - Remoting Module

ColdFusion 9.0.0

File                          Version       SHA-1 Hash                                Function
flex-messaging-common.jar     3.3.0.20931   d84e30b86f7a9236a0fc53e71c838e4b50e4d26d  BlazeDS - Common Library
flex-messaging-core.jar       3.3.0.20931   a4e9c048d2126af717fb7ca5a375812e436a170d  BlazeDS - Community Edition
flex-messaging-opt.jar        3.2.0.3978    cbcbbda606c0eafaa290c359341b20f647f8e75c  BlazeDS - Optional Vendor
flex-messaging-proxy.jar      3.2.0.3978    00e53347d77c0d5265ad96fecd382019abf582b7  BlazeDS - Community Edition - Proxy Module
flex-messaging-remoting.jar   3.2.0.3978    34082c9ff1a5c3da781a097fd3b2c7a46ecc6e14  BlazeDS - Community Edition - Remoting Module

It is possible to update the BlazeDS libraries in ColdFusion 9.0.1 and 9.0.2 with the ones contained in ColdFusion 10 Update 17, which is the update that delivers APSB15-21 for ColdFusion 10. Here are the steps:

  1. Stop ColdFusion
  2. Download ColdFusion 10 Update 17 and verify its checksum
  3. Back up the existing BlazeDS libraries
  4. Extract needed files from the update to the proper location
  5. Restart ColdFusion

Below are the commands, executed as root on an Ubuntu server with ColdFusion 9.0.1 installed in /opt/coldfusion9 and running as the user cfusion.

# 1. Stop ColdFusion so the jars are not in use while they are replaced
/opt/coldfusion9/bin/coldfusion stop
mkdir /tmp/cf9-apsb15-21
cd /tmp/cf9-apsb15-21
# 2. Download Update 17 and compare the checksum with the one Adobe publishes for it
wget https://cfdownload.adobe.com/pub/adobe/coldfusion/hotfix_017.jar
md5sum hotfix_017.jar
# 3. Back up the existing BlazeDS libraries
zip blazeds-backup.zip /opt/coldfusion9/lib/flex*
# 4. Walk the nested InstallAnywhere archives down to the jars; -j drops the directory prefixes
unzip -j hotfix_017.jar Disk1/InstData/Resource1.zip
unzip -j Resource1.zip "\$IA_PROJECT_DIR\$/hotfix/dist_zg_ia_sf.jar"
#    -o overwrites the existing jars without prompting; the pattern is quoted so unzip, not the shell, expands it
unzip -o -j dist_zg_ia_sf.jar "cfusion/lib/flex*" -d /opt/coldfusion9/lib
chown cfusion:cfusion /opt/coldfusion9/lib/flex*
# 5. Restart ColdFusion
/opt/coldfusion9/bin/coldfusion start


The steps for Windows are the same; use 7-Zip or similar to extract the files from hotfix_017.jar and place them in the ColdFusion lib directory, typically C:\ColdFusion9\lib.
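The hash tables and the command sequence above can be folded into one pre-flight script. The following Python is an added example written for this post's procedure; it is not Adobe's code and not a tool from the original post. It hashes the five flex-messaging-*.jar files and compares them with the 9.0.1/9.0.2 values from the tables, refuses to proceed when any jar is unknown (a 9.0.0 install with BlazeDS 3.x, or a jar that has already been modified), backs the jars up, and walks the same nested archive path the unzip commands use (Disk1/InstData/Resource1.zip, then $IA_PROJECT_DIR$/hotfix/dist_zg_ia_sf.jar, then cfusion/lib/). Python rather than shell is used so the same script runs on the Windows hosts just mentioned. The function names, the force flag, the backup file name and the demo() dry run on constructed stand-in files (not real Adobe archives) are this example's own assumptions.

```python
import hashlib
import io
import os
import tempfile
import time
import zipfile

# SHA-1 values copied from the 9.0.1/9.0.2 tables above; a jar whose hash is not
# listed is either BlazeDS 3.x (ColdFusion 9.0.0) or already modified.
KNOWN_BLAZEDS_SHA1 = {
    "81eb386a31933aff9819499198fb9945ebb03771": ("flex-messaging-common.jar", "4.0.0.14931"),
    "303b1cb8a04e910d43c9be4894f6d6b7b814a928": ("flex-messaging-common.jar", "4.0.0.20929"),
    "d74583ebe8e1fd9651641ca8291d19edf4563335": ("flex-messaging-core.jar", "4.0.0.14931"),
    "31820e6ca453d1c42e602b4bf226711c63f4aa2d": ("flex-messaging-core.jar", "4.0.0.20929"),
    "5c91681ca2f719b0a368f61a3f0f22bdb4c9eaaa": ("flex-messaging-opt.jar", "4.0.0.14931"),
    "b9f28b0916f03432a7011cf6cfb04c2ec45b16af": ("flex-messaging-proxy.jar", "4.0.0.14931"),
    "c8771cc64f35457c874b07ccccb010b8631194c9": ("flex-messaging-remoting.jar", "4.0.0.14931"),
}
JAR_NAMES = sorted({name for name, _ in KNOWN_BLAZEDS_SHA1.values()})
INNER_ZIP = "Disk1/InstData/Resource1.zip"  # nesting inside the InstallAnywhere hotfix jar
INNER_JAR = "$IA_PROJECT_DIR$/hotfix/dist_zg_ia_sf.jar"
INNER_LIB = "cfusion/lib/"

def sha1_of(path):
    with open(path, "rb") as f:
        return hashlib.sha1(f.read()).hexdigest()

def inspect_lib(lib_dir):
    """Map each BlazeDS jar name to (sha1, known stock version or None)."""
    report = {}
    for name in JAR_NAMES:
        path = os.path.join(lib_dir, name)
        digest = sha1_of(path) if os.path.isfile(path) else None
        known = KNOWN_BLAZEDS_SHA1.get(digest)
        report[name] = (digest, known[1] if known and known[0] == name else None)
    return report

def is_patchable(report):
    """True only when every jar is present and matches a stock 9.0.1/9.0.2 hash."""
    return bool(report) and all(version is not None for _, version in report.values())

def backup_lib(lib_dir, backup_zip):
    with zipfile.ZipFile(backup_zip, "w", zipfile.ZIP_DEFLATED) as z:
        for name in JAR_NAMES:
            if os.path.isfile(os.path.join(lib_dir, name)):
                z.write(os.path.join(lib_dir, name), name)
    return backup_zip

def extract_blazeds_jars(hotfix_path, dest_dir):
    """Pull cfusion/lib/flex-messaging-*.jar out of the three nested archives into dest_dir."""
    with zipfile.ZipFile(hotfix_path) as outer:
        resource = outer.read(INNER_ZIP)
    with zipfile.ZipFile(io.BytesIO(resource)) as res:
        dist = res.read(INNER_JAR)
    written = []
    with zipfile.ZipFile(io.BytesIO(dist)) as jar:
        for member in jar.namelist():
            base = os.path.basename(member)
            if member.startswith(INNER_LIB) and base.startswith("flex-messaging-") and base.endswith(".jar"):
                with open(os.path.join(dest_dir, base), "wb") as out:
                    out.write(jar.read(member))
                written.append(base)
    return sorted(written)

def patch(lib_dir, hotfix_path, backup_dir, force=False):
    """Check, back up, swap. Returns (backup zip path, jars written, post-swap report)."""
    before = inspect_lib(lib_dir)
    if not force and not is_patchable(before):
        raise RuntimeError("jars are not a stock 9.0.1/9.0.2 BlazeDS set; refusing (force=True overrides)")
    backup = backup_lib(lib_dir, os.path.join(backup_dir, "blazeds-backup-%d.zip" % int(time.time())))
    return backup, extract_blazeds_jars(hotfix_path, lib_dir), inspect_lib(lib_dir)

def build_fake_hotfix(path, jars):
    """Constructed fixture: the real archive nesting with stand-in contents. Not an Adobe file."""
    dist, res = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(dist, "w") as z:
        for name, data in jars.items():
            z.writestr(INNER_LIB + name, data)
        z.writestr(INNER_LIB + "other.jar", b"unrelated jar, must not be copied")
    with zipfile.ZipFile(res, "w") as z:
        z.writestr(INNER_JAR, dist.getvalue())
    with zipfile.ZipFile(path, "w") as z:
        z.writestr(INNER_ZIP, res.getvalue())

def demo():
    """Dry run on stand-in files: the guard refuses unknown jars, then a forced swap succeeds."""
    work = tempfile.mkdtemp(prefix="cf9-blazeds-")
    lib = os.path.join(work, "lib")
    os.mkdir(lib)
    for name in JAR_NAMES:  # stand-in jars, so their hashes are not in the table
        open(os.path.join(lib, name), "wb").write(b"stand-in for stock " + name.encode())
    hotfix = os.path.join(work, "hotfix_017.jar")
    build_fake_hotfix(hotfix, {n: b"patched " + n.encode() for n in JAR_NAMES})
    before = inspect_lib(lib)
    refused = not is_patchable(before)
    backup, written, after = patch(lib, hotfix, work, force=True)
    backed_up = sorted(zipfile.ZipFile(backup).namelist())
    return {"refused": refused, "written": written, "backed_up": backed_up,
            "changed": all(before[n][0] != after[n][0] for n in JAR_NAMES)}
```

On a real server, stop ColdFusion first, call patch("/opt/coldfusion9/lib", "/tmp/cf9-apsb15-21/hotfix_017.jar", "/tmp/cf9-apsb15-21") (or the C:\ColdFusion9\lib equivalent), then fix ownership and restart as in the commands above; demo() only exercises the logic against throwaway files in a temporary directory.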

These steps only update the BlazeDS libraries; they do not cover configuring Flash/Flex remoting as noted in the technote and the Adobe ColdFusion 9 Lockdown Guide. If a server does not need Flash Remoting at all, turning it off removes the exposed surface regardless of patch level; see Pete Freitag's post, Disable Flash Remoting on ColdFusion Servers.

Patching ColdFusion 9.0.0 is more problematic because of the different version of BlazeDS (3.x) it uses. It might be possible to follow the same steps, but I did not try, since none of the servers I deal with run ColdFusion 9.0.0.

Regardless of which version of ColdFusion 9 one is running, upgrading to ColdFusion 10 or 11 is the best option, since they are supported by Adobe and receive security updates.


  1. #1 by Charlie Arehart - August 31, 2015 at 9:39 AM

    Hey Dave, thanks for sharing. There are a couple of concerns that I think should be drawn out for folks who may find this post and try to proceed, and I'm pretty sure you'd agree with them and won't mind me sharing a rather lengthy comment. The first point applies to folks on CF 9.0.0 specifically, and the second is for folks on any CF9 release.

    First, as you note, you are offering the files and steps for 9.0.1 and 9.0.2, not for 9.0.0. I find that many (many) people on CF9 never got around to updating and so still are on 9.0.0. And they should beware that as you say, these notes and files aren't affirmed to be right for them. They probably ought to reach out to Adobe to ensure to get the files for CF9, at least until either Adobe posts some more info and the files, or perhaps you or others do here.

    (And if someone wonders "how do I know what version I have", there are a few ways but perhaps the easiest is to visit the CF Admin and hit the "Settings Summary" page, which is the last item in the first section on the left.)

    Second, and important for ANYONE doing this (whether on 9.0, 9.0.1, or 9.0.2), we should note that you make the point that you are applying these files to a version of CF9 that was *as updated as it could be* (in your case, using your Unofficial Updater 2 tool (UU2), which you say had been "previously run to patch to the last official patch, APSB14-23").

    And I would assume that Adobe also released their files (to you or whoever you got them from) with the presumption that they would be used by someone running the very latest update.

    So if someone maybe is still running an older patch level of their specific CF9 version, the files offered may not match correctly with their specific implementation. I don't know. It would depend on whether any of the previous patches did tweak any of these files. And it's not clear what the implications would be if there was a mismatch (either in terms of functionality--whether one even uses BlazeDS/Flash remoting or not, or in terms of vulnerability).

    Perhaps Pete or you or I or someone else may ultimately dig in to confirm whether there are any dependencies within past CF9 patch levels, but until then I just offer this as a heads up that readers should consider.

    Again, I am glad to see the info you have shared, to help those still on CF9. I'm not at all writing this as criticism. Just looking at it from the perspective of some who I know who are not necessarily running the latest patch level of CF9, or who may not know for sure WHAT level they are at. And for them I'll point out a blog post I did back in 2012 that could help confirm that for them:

    "How to tell what, if any, hotfixes have been applied to ColdFusion"
    http://www.carehart.org/blog/client/index.cfm/2012/6/18/what_hotfixes_have_been_applied

    And of course your UU2 tool can help folks get to the latest patch level, though people should beware that if they are on CF 9.0 or 9.0.1 with no updates/patches, and they move to the latest updates/patches, there are a couple of fairly significant security changes introduced in 2011 and 2012 that they'd not find included and could affect them. I have a blog post to help understand that, also:

    "CF911: New Adobe document about ColdFusion security hotfixes: required reading, I'd say"
    http://www.carehart.org/blog/client/index.cfm/2013/5/21/new_adobe_summary_of_security_hotfix_tweaks

    HTH
  2. #2 by Pete Freitag - August 31, 2015 at 4:47 PM

    Dave - thanks for posting this -- I also spent quite a bit of time researching this on Friday to determine if CF9 was indeed vulnerable, including looking at the BlazeDS source for the 4.0 branch. It does appear to be and the comment you linked to on the CF blog also confirms that.

    I would have simply assumed that it was, however there was a very similar vulnerability in BlazeDS that was patched in 2010, APSB10-05, which also involved XML Entity injection. I thought perhaps that this vulnerability was reintroduced in certain versions of BlazeDS, but it appears to be a separate issue.

    I also wanted to point out that you can find the patched BlazeDS jar files from the Adobe Security Bulletin specific to BlazeDS: https://helpx.adobe.com/security/products/livecycleds/apsb15-20.html. Interestingly, they didn't provide a patch for the 4.0 branch (which as you note is what CF9.0.1 and CF9.0.2 run), but running a more recent 4.x version seems to work fine in my testing (using the Server Monitor on a CF9.0.2 server).
  3. #3 by David Epler - August 31, 2015 at 9:38 PM

    @Charlie,

    I do understand that the post is using a specific patch point, but that is where all ColdFusion 9.0.x servers should be, ideally, given that it was EOL'd and there have been no subsequent patches. It also is the state of the servers I interact with, so testing from that point made the most sense. I do understand the reality of patching, particularly for ColdFusion 9, that you point out and I am glad you re-iterate that in your comment since it might not come across clearly enough in the post.

    @Pete,

    As soon as APSB15-20 was released I was looking at it given the implications to ColdFusion and honestly was not happy that it took Adobe nine (9) days to release the appropriate patch for ColdFusion.

    The updates to flex-messaging-common.jar and flex-messaging-core.jar came from APSB11-14 for both ColdFusion 9.0.0 and 9.0.1. ColdFusion 9.0.2 was released after that patch. The BlazeDS libraries in ColdFusion 9.0.2 were never updated and are the same found in subsequent versions of ColdFusion. I did check a completely unpatched install of ColdFusion 9.0.1 and 9.0.2. Both show the same versions as noted in the post for ColdFusion 9.0.2. One can replace the flex-messaging-*.jars using the ones extracted from ColdFusion 10 Update 17 and apply them to ColdFusion 9.0.1 and 9.0.2 in any patch state. I went that route to keep all the BlazeDS libraries at the same version, 4.7.1, that were tested on ColdFusion 10 and started from the same original version, 4.0.0.14931, instead of updating just flex-messaging-core.jar from APSB15-20.

    Again, all of this is completely unsupported, but if someone ** needs ** to get a fix, it is at least possible.

    I think we all can agree that the best remedy for anyone running ColdFusion 9 is to upgrade to the latest supported versions.
  4. #4 by Charlie Arehart - September 1, 2015 at 12:08 PM

    Amen and amen. :-) Thanks for all that you do.