Adobe Cold Fusion – APSB11-14 & APSB11-15


I came across this as I was working through some issues and thought I’d share it.

There are currently dozens of vulnerability scanners out there that will scan for this vulnerability. I have come across a few that will flag it as being hot; however, it is not.

Let me explain why this is.

According to the APSB, this is what’s hot and how you fix it:

ColdFusion 9.0.1, ColdFusion 9, ColdFusion 8.0.1, and ColdFusion 8 are affected with vulnerabilities mentioned in the security bulletins APSB11-14 and APSB11-15. This TechNote provides fixes for the security issues mentioned in both the bulletins along with the installation instructions.

The fix is as follows:

For ColdFusion 9.0.1

1. Download CF901.zip and CFIDE-901.zip. Extract CF901.zip. All the files are extracted to the cf901 directory.
2. In the ColdFusion Administrator, select the System Information page by clicking the “i” icon in the upper-right corner.
3. In the Update File text box, browse and select hf901-00002.jar located under the CF901/lib/updates directory.
4. Click Submit Changes.
5. Stop the ColdFusion instance.
6. Go to the {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf901-00001.jar exists, delete it. Otherwise, ignore this step.
7. Go to {CFIDE-HOME} and make a backup of the CFIDE folder.
8. Extract all files in CFIDE-901.zip to the web root directory that has the {CFIDE-HOME} folder.
9. Go to the {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of the WEB-INF folder.
10. Go to the cf901 directory and extract all the files in WEB-INF.zip to the {ColdFusion-Home}/wwwroot (for Server installation) or {ColdFusion-Home} (for Multiserver and J2EE installations) directory.
11. Go to your {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory. Make a backup of these files if present: commons-fileupload-1.2.jar, ESAPI.properties, esapi-2.0_rc10.jar, log4j.properties, validation.properties, flex-messaging-common.jar, and flex-messaging-core.jar.
12. Go to the cf901/lib directory and copy all the files to the {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory.
13. Start the ColdFusion instance.
14. If there are multiple instances, repeat steps 2 through 13 for each of the instances.

For ColdFusion 9

1. Download CF9.zip and CFIDE-9.zip. Extract CF9.zip. All the files are extracted to the cf9 directory.
2. In the ColdFusion Administrator, select the System Information page by clicking the “i” icon in the upper-right corner.
3. In the Update File text box, browse and select hf900-00003.jar located under the CF9/lib/updates directory.
4. Click Submit Changes.
5. Stop the ColdFusion instance.
6. Go to the {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf900-00001.jar or hf900-00002.jar exists, delete them. Otherwise, ignore this step.
7. Go to {CFIDE-HOME} and make a backup of the CFIDE folder.
8. Extract all files in CFIDE-9.zip to the web root directory that has the {CFIDE-HOME} folder.
9. Go to the {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of the WEB-INF folder.
10. Go to the cf9 directory and extract all the files in WEB-INF.zip to the {ColdFusion-Home}/wwwroot (for Server installation) or {ColdFusion-Home} (for Multiserver and J2EE installations) directory.
11. Go to your {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory. Make a backup of these files if present: commons-fileupload-1.2.jar, ESAPI.properties, esapi-2.0_rc10.jar, log4j.properties, validation.properties, flex-messaging-common.jar, and flex-messaging-core.jar.
12. Go to the cf9/lib directory and copy all the files to the {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory.
13. Start the ColdFusion instance.
14. If there are multiple instances, repeat steps 2 through 13 for each of the instances.

For ColdFusion 8.0.1

1. Download CF801.zip and CFIDE-801.zip. Extract CF801.zip. All the files are extracted to the cf801 directory.
2. In the ColdFusion Administrator, select the System Information page by clicking the “i” icon in the upper-right corner.
3. In the Update File text box, browse and select hf801-00003.jar located under the CF801/lib/updates directory.
4. Click Submit Changes.
5. Stop the ColdFusion instance.
6. Go to the {ColdFusion-Home}/lib/updates (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib/updates (for Multiserver and J2EE installations) directory. If hf801-00001.jar, hf801-00002.jar, hf801-1875.jar, hf801-1878.jar, hf801-77218.jar, hf801-73122.jar, or hf801-71471.jar exist, delete them. Otherwise, ignore this step.
7. Go to {CFIDE-HOME} and make a backup of the CFIDE folder.
8. Extract all files in CFIDE-801.zip to the web root directory that has the {CFIDE-HOME} folder.
9. Go to the {ColdFusion-Home}/wwwroot/WEB-INF directory and make a backup of the WEB-INF folder.
10. Go to the cf801 directory and extract all the files in WEB-INF.zip to the {ColdFusion-Home}/wwwroot (for Server installation) or {ColdFusion-Home} (for Multiserver and J2EE installations) directory.
11. Go to your {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory. Make a backup of these files if present: commons-fileupload-1.2.jar, ESAPI.properties, ESAPI-1.4.4.jar, log4j.properties, antisamy-1.3-20091014.183120-2.jar, flex-messaging-common.jar, and flex-messaging.jar.
12. Go to the cf801/lib directory and copy all the files to the {ColdFusion-Home}/lib (for Server installation) or {ColdFusion-Home}/WEB-INF/cfusion/lib (for Multiserver and J2EE installations) directory.
13. Start the ColdFusion instance.
14. If there are multiple instances, repeat steps 2 through 13 for each of the instances.

Now, here’s where it gets tricky.

Some scanners out there will search for the specific file:

CF9/lib/updates/hf900-00003.jar

If you are using CF9 or below, this is a valid file to look for and a valid test for the vulnerability; if you are using CF9.0.1, however, this file does not exist. It has never existed and it is unknown if it will ever exist.

The latest hot fix for CF9.0.1 will place this file there:

CF9/lib/updates/hf901-00002.jar

Even though CF9.0 is not installed and CF9.0.1 is, the hotfix still appears under the CF9 folder. This is where some of the scanners make their mistake. They do not take a heuristic look at the specific version of the application as a whole; instead they look for specific file versions, or for specific files or folders to be installed, not installed, or at a specific date or version number.
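To make the point concrete, here is an added example (my own code, not Adobe’s or any scanner vendor’s) that contrasts the single-file check described above with a version-aware check. It keys the expected fix jar and the superseded jars on the installed version, as listed in the TechNote steps quoted above; the version string is assumed to come from the Administrator’s System Information page, and the directory listings are constructed for the demo.

```python
"""Version-aware check for the APSB11-14/15 hotfix jars in lib/updates."""
import os

# Per-version fix jar and the earlier hotfix jars the TechNote says to delete
# (names taken from the quoted installation steps).
HOTFIX = {
    "9.0.1": {"fix": "hf901-00002.jar",
              "superseded": {"hf901-00001.jar"}},
    "9":     {"fix": "hf900-00003.jar",
              "superseded": {"hf900-00001.jar", "hf900-00002.jar"}},
    "8.0.1": {"fix": "hf801-00003.jar",
              "superseded": {"hf801-00001.jar", "hf801-00002.jar",
                             "hf801-1875.jar", "hf801-1878.jar",
                             "hf801-77218.jar", "hf801-73122.jar",
                             "hf801-71471.jar"}},
}

def naive_scanner(jars):
    """The mistake described in the post: one hard-coded file name regardless
    of installed version. Returns True ("vulnerable") for a patched 9.0.1 host."""
    return "hf900-00003.jar" not in jars

def assess(version, jars):
    """Decide from the installed version (assumed to be read from the
    Administrator's System Information page) plus the lib/updates listing."""
    jars = set(jars)
    spec = HOTFIX.get(version)
    if spec is None:
        return {"status": "unsupported-version", "version": version}
    leftovers = sorted(spec["superseded"] & jars)   # jars step 6 says to delete
    if spec["fix"] not in jars:
        status = "vulnerable"
    elif leftovers:
        status = "patched-cleanup-needed"
    else:
        status = "patched"
    return {"status": status, "version": version,
            "expected": spec["fix"], "leftovers": leftovers}

def assess_dir(version, updates_dir):
    """Same check against a real {ColdFusion-Home}/lib/updates directory."""
    return assess(version, os.listdir(updates_dir))

if __name__ == "__main__":
    # Constructed listing: a 9.0.1 server that applied the fix per the TechNote.
    patched_901 = ["hf901-00002.jar"]
    print("naive scanner says vulnerable:", naive_scanner(patched_901))  # True
    print(assess("9.0.1", patched_901)["status"])                       # patched
    print(assess("9", ["hf900-00003.jar", "hf900-00002.jar"])["status"])
```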

Please take this into account when you are doing vulnerability scans and remediations.

Don’t take my word for it though, take a look for yourself and verify.  After all, trust no information, verify everything.  🙂

Let me know if you’ve had similar problems in the past, or if you know of any additional quirks like this.

~ by Normanomicon on August 4, 2011.
