Secplicity - Security Simplified

Powered by WatchGuard Technologies

ColdFusion Security Update: Minor to Me, Perhaps Major to You

March 16, 2012 By Corey Nachreiner

By now, I should be used to the fact that Adobe Patch Day falls on the same Tuesday as Microsoft Patch Day, and yet Adobe still seems to sneak a few by me.

During the rigmarole of Microsoft Patch Day last Tuesday, Adobe released a security advisory describing an update that fixes a security flaw in the ColdFusion web application server. For those who don’t know, ColdFusion Markup Language (CFML) is a web application language you can use to tie your web site to a database back-end, and Adobe’s ColdFusion is the commercial server for running CFML applications; it even comes with a built-in web server (though not one intended for production use). According to Adobe’s advisory, ColdFusion suffers from a Denial of Service (DoS) vulnerability involving hash algorithm collisions. This is the hash-table flooding problem disclosed against many web platforms in late 2011: a single request carrying thousands of form or URL parameters whose names all hash to the same value forces the server’s parameter table into its worst case, so each such request costs seconds of CPU instead of microseconds, and a handful of them can tie up a server. The flaw exposes no data on its own, but if you run ColdFusion you should patch.
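To make the mechanism concrete, here is an added example of my own; it is not code from the original post, from Adobe, or from ColdFusion. It models a request-parameter map as a chained hash table keyed by Java’s String.hashCode() (ColdFusion runs on the JVM, and that is the real algorithm for JVM strings), generates parameter names that all collide, and shows the two mitigations containers actually shipped: a cap on the number of parameters per request and a randomly keyed hash. The table, the request bodies and the cap value are constructed for the demo.

```python
# Added example, not code from the original post or from Adobe: a model of the
# hash-collision (hashDoS) flaw the advisory patched, built with Java's
# String.hashCode() because ColdFusion runs on the JVM. The hash table, the
# request bodies and the parameter cap are constructed for this demo.
import hashlib
import itertools
import secrets
from urllib.parse import parse_qsl


def java_hash(s: str) -> int:
    """Java String.hashCode(): h = 31*h + c, wrapped to a signed 32-bit int."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h


def colliding_keys(n: int) -> list:
    """n distinct strings sharing one java_hash value.
    'Aa' and 'BB' collide (65*31+97 == 66*31+66 == 2112), and any concatenation
    of k such blocks collides with every other, so an attacker gets 2**k keys
    per length with no searching at all."""
    k = max(1, (n - 1).bit_length())
    keys = ["".join(p) for p in itertools.product(("Aa", "BB"), repeat=k)]
    return keys[:n]


class ChainedTable:
    """Minimal separate-chaining hash table standing in for the server's
    form/URL parameter map; an insert walks the whole chain of its bucket."""

    def __init__(self, hash_fn, nbuckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]

    def put(self, key: str, value: str) -> None:
        bucket = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(bucket):  # O(chain length) per insert
            if k == key:
                bucket[i] = (key, value)
                return
        bucket.append((key, value))

    def max_chain(self) -> int:
        return max(len(b) for b in self.buckets)


def load_params(body: str, table: ChainedTable, max_params: int) -> int:
    """Parse an x-www-form-urlencoded body into the table, refusing requests
    with more than max_params fields (the same idea as Tomcat's
    maxParameterCount, which is how most containers closed this hole)."""
    pairs = parse_qsl(body, keep_blank_values=True)
    if len(pairs) > max_params:
        raise ValueError(f"{len(pairs)} parameters exceed limit {max_params}")
    for k, v in pairs:
        table.put(k, v)
    return len(pairs)


def keyed_hash(secret: bytes):
    """Second mitigation: hash under a per-process random key so the attacker
    cannot precompute collisions (the fix several runtimes later adopted)."""
    def h(s: str) -> int:
        d = hashlib.blake2b(s.encode(), key=secret, digest_size=8).digest()
        return int.from_bytes(d, "big")
    return h


def worst_chain(keys, hash_fn) -> int:
    """Insert the keys into a fresh table and report the longest chain."""
    t = ChainedTable(hash_fn)
    for k in keys:
        t.put(k, "x")
    return t.max_chain()


if __name__ == "__main__":
    n = 2000
    attack = colliding_keys(n)                  # all land in one bucket
    honest = [f"field{i}" for i in range(n)]   # spread across buckets
    print("honest keys, Java hash   :", worst_chain(honest, java_hash))
    print("colliding keys, Java hash:", worst_chain(attack, java_hash))
    print("colliding keys, keyed hash:",
          worst_chain(attack, keyed_hash(secrets.token_bytes(16))))
    body = "&".join(f"{k}=x" for k in attack)   # constructed attack POST body
    try:
        load_params(body, ChainedTable(java_hash), max_params=1000)
    except ValueError as e:
        print("capped:", e)
```

With 2000 colliding names every insert scans a chain that is already up to 1999 entries long, so the request costs on the order of n² comparisons; the same 2000 honest names spread over the buckets and cost roughly n. The cap is the cheap fix a vendor can ship in a patch, the keyed hash is the durable one.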

If I’m being honest, my first response to seeing this advisory was, “who cares.” While I don’t know the official numbers, I’m fairly sure that few web sites actually leverage ColdFusion for their web applications today; they use PHP and ASP.NET instead. However, an audience member at a presentation I gave yesterday reminded me that one man’s lame app might be another man’s favorite program.

The IT professional in question was telling me about a client who had a network breach. An attacker had gained access to the client’s SQL database via their web site, and stole and deleted lots of data. What was the ultimate culprit? An older, unpatched version of ColdFusion. Well. I’ll be. Here I was callously ignoring a product that I felt was not worthy of attention, while attackers were targeting it.

Yes, I’m being a little overdramatic to illustrate a point. Yet this conversation reminded me that vulnerabilities in less popular products can still greatly affect some people. In fact, sometimes we even forget about the less popular products we have on our computers, since we never use them. If we’ve forgotten about them, we’re probably not updating them. Luckily, there are tools that can help with this problem.

At home, I’ve installed the free personal version of Secunia’s PSI (Personal Software Inspector). It inventories every software package installed on your computer and flags the ones that haven’t been updated. I especially like that it doesn’t rely solely on the Windows “Add/Remove Programs” list, but instead scans your disk for executables, so products the Windows uninstaller doesn’t “see” are still found and recognized. Since many less popular products have no automatic update mechanism, PSI is a great way to proactively find what software you should patch. I recommend you check it out. — Corey Nachreiner, CISSP (@SecAdept)


Filed Under: Security Bytes. Tagged With: Adobe, update, patch

Comments

  1. Kurt D says

    March 16, 2012 at 1:39 pm

    I’m a WatchGuard customer, I manage 4 of your firewalls and I also manage 2 ColdFusion servers so I like seeing these security alerts about the product. By the way, there are lots of websites that use ColdFusion… APC and Tripplite both use it plus some government sites and I’m sure you can find a lot more if you look… CF is easy to use but difficult to patch. Hopefully they improve that in CF10.

    • Corey Nachreiner says

      March 16, 2012 at 1:54 pm

      Thanks for the additional detail. It further illustrates the point that even if ColdFusion is not the most popular framework, it’s still one many people use. So it’s one I will warn about.

      That said, I do still stand by the statement that it really is not the most popular web application framework today. According to these stats, only 1.2% of web sites use it:

      http://w3techs.com/technologies/details/pl-coldfusion/all/all

      Of course, 1.2% of millions and millions is still a large user base, right? 🙂

  2. Ashley B says

    March 16, 2012 at 3:17 pm

    Don’t forget that of the millions and millions of websites, most are 5-20 pages … CF gains when it’s dealing with 1000+ page sites … and they tend to be high traffic sites so the probability of reading pages published using CF increases further.

    When my clients ask for examples of companies that use ColdFusion for their sites, I advise them that they include the Dallas Cowboys, Australian Department of Defence, DuPont, eBay’s investor site (investor.ebay.com), FAA, Federal Reserve Banks, Ford’s PR site (media.ford.com), Johns Hopkins Children’s Center, IDG Communications.

    Interestingly, both the NSA and the New York State Office of Cyber Security & Critical Infrastructure Coordination use ColdFusion for their websites … I hope they both got the alert 🙂

  3. Jordan Michaels (@utdream) says

    March 16, 2012 at 5:15 pm

    Other great sites that also use ColdFusion are the Smithsonian, supermicro.com, and senate.gov. ColdFusion (and CFML in general) is probably one of the coolest technologies that doesn’t get a whole lot of press. If the cost of Adobe ColdFusion is a barrier, there are open-source CFML engines as well, such as getrailo.org and openbd.org.

    Reference URLs:
    http://americanart.si.edu/support/credits/index.cfm
    http://www.senate.gov/general/contact_information/senators_cfm.cfm?State=WA
