Adobe Releases Cumulative Security Patches for ColdFusion and JRun

Dec 23, 2005

Adobe recently released two new security patches for ColdFusion, and one for JRun, and recommends that ColdFusion and JRun users apply these security updates and patches. Here are the Security Bulletins you may have missed:

MPSB05-12 -- "Sandbox Security and CFMAIL Vulnerability in ColdFusion MX 6.X"

This bulletin is intended for customers who use ColdFusion MX 6.0, 6.1, and 6.1 with JRun. It contains patches for the JRun Clustered Sandbox Security Vulnerability and the CFMAIL injection Vulnerability.

JRun Clustered Sandbox Security Vulnerability: ColdFusion Sandbox security is based on the Java SecurityManager. If you're running ColdFusion on a JRun 4 cluster member and the SecurityManager is disabled, the Sandbox security silently fails without throwing an exception. Using an application setup, a remote attacker could possibly bypass security controls.

CFMAIL Injection Vulnerability: Due to weak input validation in the "Subject" field, one could use the CFMAIL tag to attach arbitrary files and send mail with any content.
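As an added illustration of the defensive check this bulletin implies (not Adobe's patch or code from the bulletin): mail header injection works by smuggling a line break into a header value such as Subject, so the fix on the application side is to reject any CR or LF before the value reaches the mail tag. The helper names and the sample inputs below are constructed for this example.

```python
import re

# CR and LF terminate a header line in an RFC 5322 message. A line break
# smuggled into the Subject lets the remainder of the string be parsed as
# additional headers or body, which is the weakness class described for
# CFMAIL's Subject field.
_HEADER_BREAK = re.compile(r"[\r\n]")


def validate_subject(subject: str, max_len: int = 998) -> str:
    """Return the subject unchanged if it is safe to place in a mail header.

    Raises ValueError on CR/LF (header injection) and on over-long values
    (RFC 5322 limits a header line to 998 octets).
    """
    if _HEADER_BREAK.search(subject):
        raise ValueError("subject contains a line break")
    if len(subject.encode("utf-8")) > max_len:
        raise ValueError("subject exceeds maximum header length")
    return subject


def build_headers(to_addr: str, subject: str) -> str:
    """Hypothetical helper standing in for the code that feeds a mail tag:
    validates the user-supplied subject before building the header block."""
    safe_subject = validate_subject(subject)
    return f"To: {to_addr}\r\nSubject: {safe_subject}\r\n\r\n"


def is_injected(subject: str) -> bool:
    """Convenience check for log review: True if validate_subject would
    reject the value, i.e. it carries an injected header break."""
    try:
        validate_subject(subject)
    except ValueError:
        return True
    return False
```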

MPSB05-12, "Sandbox Security and CFMAIL Vulnerability in ColdFusion MX 6.X"

MPSB05-14 -- Cumulative Security Updater for ColdFusion MX 7

If you're running ColdFusion MX 7.0 (and if you haven't upgraded yet, I'd highly suggest it), then you should check out this security bulletin. It contains the patches mentioned above, as well as two more: The CFOBJECT Sandbox Security Vulnerability and the Administrator Hash Exposure Vulnerability.

The CFOBJECT Sandbox Security Vulnerability: Sandbox security should allow you to turn off the ability to use CFOBJECT/CreateObject (Java), but it doesn't, so a local attacker can still create an object.

The Administrator Hash Exposure Vulnerability: The password hash used to authenticate the ColdFusion Administrator is exposed via an API call, allowing a local developer to obtain the hash and authenticate as Administrator.

MPSB05-14 Cumulative Security Updater for ColdFusion MX 7

MPSB05-13 -- Cumulative Security Updater for JRun 4.0 server

This is a cumulative security updater for JRun 4.0. It includes patches for the following:

View Source Vulnerabilities: By entering a malformed URL, a remote attacker could cause JRun to return web application source code.

The JWS Denial of Service Vulnerability: The JRun Web Server improperly handles long URLs and headers, allowing a remote attacker to cause a denial of service.

MPSB05-13 Cumulative Security Updater for JRun 4.0 server
