ColdFusion Security Update: Minor to Me, Perhaps Major to You

March 16, 2012 | Posted by Nachreiner | 5 Comments

By now, I should be used to the fact that Adobe Patch Day falls on the same Tuesday as Microsoft Patch Day, and yet Adobe still seems to sneak a few by me.

During the rigmarole of Microsoft Patch Day last Tuesday, Adobe released a security advisory describing an update that fixes a security flaw in the ColdFusion web application server. For those who don’t know, CFML (ColdFusion Markup Language) is a web application language you can use to tie your web site to a database back-end, and Adobe’s ColdFusion is the product for building and serving CFML applications; it even ships with a built-in web server (though not one intended for production use). According to Adobe’s advisory, ColdFusion suffers from a Denial of Service (DoS) vulnerability involving hash algorithm collisions. In this class of bug, the server stores request parameters in a hash table keyed by a predictable hash function, so an attacker can craft a single POST request whose field names all land in the same bucket; inserting and looking up those fields then degrades from constant time to quadratic time, and a handful of such requests can pin the server’s CPU. This flaw’s not a huge threat (it’s a DoS, not code execution), but if you have ColdFusion you should patch.
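To make the hash-collision DoS concrete, here is an added example of my own (not Adobe’s code, and not the code from the advisory) in Python. It reimplements Java’s String.hashCode(), which is what java.util.HashMap buckets keys by and therefore what a JVM-hosted server such as ColdFusion inherits, generates thousands of distinct field names that share one hash, and counts the work a naive chained table does on them versus on a keyed hash. The field cap (`MAX_FIELDS`, `parse_form_fields`) and the `attack_body` POST body are my illustration of the mitigation and are constructed for this example; they are not ColdFusion’s actual settings or behaviour.

```python
"""Hash-collision DoS against a predictable string hash, plus two mitigations.

Added example; not Adobe's or ColdFusion's code. Java's String.hashCode() is
reimplemented here because ColdFusion runs on the JVM and java.util.HashMap
buckets keys by that value.
"""
import hashlib
import itertools
import os
from collections import Counter

# Illustrative cap on form fields per request (assumed value, not a ColdFusion setting).
MAX_FIELDS = 100


def java_string_hash(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c over the code units, as a signed 32-bit int."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h >= (1 << 31) else h


def colliding_keys(blocks: int) -> list:
    """Return 2**blocks distinct strings that all share one Java hashCode.

    'Aa' and 'BB' collide (65*31 + 97 == 66*31 + 66 == 2112); because the hash is
    a polynomial in 31, any concatenation of `blocks` such pairs collides with
    every other concatenation of the same length. No brute force needed.
    """
    return ["".join(combo) for combo in itertools.product(("Aa", "BB"), repeat=blocks)]


def insertion_comparisons(keys, hash_fn, nbuckets: int = 1024) -> int:
    """Count key comparisons a naive chained hash table makes while inserting `keys`.

    Each insert walks its bucket's chain looking for an equal key, so if every
    key lands in one bucket the total is 0 + 1 + ... + (n-1): quadratic in n.
    """
    buckets = [[] for _ in range(nbuckets)]
    comparisons = 0
    for k in keys:
        chain = buckets[hash_fn(k) % nbuckets]
        for existing in chain:
            comparisons += 1
            if existing == k:
                break
        else:
            chain.append(k)
    return comparisons


def longest_chain(keys, hash_fn, nbuckets: int = 1024) -> int:
    """Occupancy of the fullest bucket: equals n for colliding keys under a predictable hash."""
    return max(Counter(hash_fn(k) % nbuckets for k in keys).values())


def keyed_hash(secret: bytes):
    """Mitigation 1: a per-process keyed hash (BLAKE2b with a secret key here; SipHash is
    the usual choice), so an attacker cannot precompute collisions offline."""
    def h(s: str) -> int:
        digest = hashlib.blake2b(s.encode("utf-8"), key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "big")
    return h


def parse_form_fields(body: str, max_fields: int = MAX_FIELDS) -> dict:
    """Mitigation 2: parse an x-www-form-urlencoded body but refuse oversized requests
    before touching the hash table, bounding the attacker-controlled n."""
    pairs = body.split("&") if body else []
    if len(pairs) > max_fields:
        raise ValueError(f"{len(pairs)} form fields exceeds the limit of {max_fields}")
    fields = {}
    for pair in pairs:
        name, _, value = pair.partition("=")
        fields[name] = value
    return fields


def attack_body(keys) -> str:
    """Constructed malicious POST body: every field name collides under hashCode."""
    return "&".join(f"{k}=x" for k in keys)


if __name__ == "__main__":
    keys = colliding_keys(12)  # 4096 distinct field names sharing one hashCode
    assert len({java_string_hash(k) for k in keys}) == 1
    print("Java hashCode: longest chain", longest_chain(keys, java_string_hash),
          "comparisons", insertion_comparisons(keys, java_string_hash))  # n*(n-1)/2
    secure = keyed_hash(os.urandom(16))
    print("keyed hash:    longest chain", longest_chain(keys, secure),
          "comparisons", insertion_comparisons(keys, secure))
    try:
        parse_form_fields(attack_body(keys))
    except ValueError as err:
        print("rejected:", err)
```

Twelve blocks give 4,096 names and roughly 8.4 million comparisons for one request; the same names under the keyed hash spread across buckets and cost a few thousand. The two fixes are complementary: the request cap limits n, while the keyed hash removes the attacker’s ability to pick colliding names at all, which is why runtimes such as Ruby, Python and Rust moved their default string hashes to seeded or keyed functions (SipHash) after this attack class was publicised.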

If I’m being honest, my first response to seeing this advisory was, “who cares.” While I don’t know the official numbers, I’m fairly sure that few web sites actually leverage ColdFusion for their web applications today; they use PHP and ASP.NET instead. However, an audience member from a presentation I gave yesterday reminded me that one man’s lame app might be another man’s favorite program.

The IT professional in question was telling me about a client who had a network breach. An attacker had gained access to the client’s SQL database via their web site, and stole and deleted lots of data. What was the ultimate culprit? An older, unpatched version of ColdFusion. Well. I’ll be. Here I was callously ignoring a product that I felt was not worthy of attention, while attackers were busy targeting it.

Yes, I’m being a little overdramatic to illustrate a point. Yet this conversation reminded me that vulnerabilities in less popular products can still greatly affect some people. In fact, sometimes we even forget about the less popular products on our computers because we never use them. If we’ve forgotten about them, we’re probably not updating them either. Luckily, there are tools that can help you with this problem.

At home, I’ve installed the free personal version of Secunia’s PSI (it stands for Personal Software Inspector). It inventories the software installed on your computer and flags the packages that are out of date. I especially like that it doesn’t only rely on the Windows “install/uninstall” component, but instead scans your computer for executables. Sometimes we install products on our computers that the Windows uninstaller doesn’t “see,” but PSI will still find and recognize these programs. Since many less popular products don’t have automatic update mechanisms, PSI is a great tool to proactively find what software you should patch. I recommend you check it out. — Corey Nachreiner, CISSP (@SecAdept)

Comments (5)

  1. I’m a WatchGuard customer, I manage 4 of your firewalls and I also manage 2 ColdFusion servers so I like seeing these security alerts about the product. By the way, there are lots of websites that use ColdFusion… APC and Tripplite both use it plus some government sites and I’m sure you can find a lot more if you look… CF is easy to use but difficult to patch. Hopefully they improve that in CF10.

    1. Thanks for the additional detail. It further illustrates the point that even if ColdFusion is not the most popular framework, it’s still one many people use. So one I will warn about.

      That said, I do still stand by the statement that it really is not the most popular web application framework today. According to these stats, only 1.2% of web sites use it:

      http://w3techs.com/technologies/details/pl-coldfusion/all/all

      Of course, 1.2% of millions and millions is still a large user base, right? :)

  2. WatchGuard Security Week in Review: Episode 9 | WatchGuard Security Center

  3. Don’t forget the majority of the millions and millions of websites, most are 5-20 pages … CF gains when it’s dealing with 1000+ page sites … and they tend to be high traffic sites so the probability of reading pages published using CF increases further.

    When my clients ask for examples of companies that use ColdFusion for their sites, I advise them that they include the Dallas Cowboys, Australian Department of Defense, Dupont, ebay’s investor site (investor.ebay.com), FAA, Federal Reserve Banks, Ford’s PR site (media.ford.com), Johns Hopkins Children’s Center, IDG Communications.

    Interestingly, both the NSA and the New York State Office of Cyber Security & Critical Infrastructure Coordination use ColdFusion for their websites … I hope they both got the alert :)

  4. Other great sites that also use ColdFusion are the Smithsonian, supermicro.com, and senate.gov. ColdFusion (and CFML in general) is probably one of the coolest technologies that doesn’t get a whole lot of press. If the cost of Adobe ColdFusion is a barrier, there are open-source CFML engines as well, such as getrailo.org and openbd.org.

    Reference URLs:
    http://americanart.si.edu/support/credits/index.cfm
    http://www.senate.gov/general/contact_information/senators_cfm.cfm?State=WA
