Beware of ransomware attacks happening on ColdFusion 9 and earlier
Note: This blog post is from 2021. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.If you're running CF9 or 8, beware: a recent spate of ransomware attacks have occurred, hitting such old CF servers that were not updated (in ways offered by Adobe in 2010!) This news has been reported in various security industry press, but I want to share here more that they generally did not.
TLDR; A most basic message to hear is "get off of CF9", or any version of CF that is no longer supported. But for the sake of those who wonder, "while I work on that, is my CF 9 really impacted?", I address that, and more. But again updating 9 to just "leave it at that" and get on with your life is NOT the main message to be hearing!
Of course, it's always risky to run old versions of software, and to be clear, CF9 was released in 2009 and CF8 in 2007. Sadly, some shops drag their feet to keep even such old software updated (they each got updates for 5 years after their release). But the problem is really coming home to roost for some.
Who's affected, and who's not? And what can you do, if still on CF9 or 8? And what more is known about the attack?
For more, read on. (BTW, yes I am aware that this is not "new info", as some were sharing it as much as 2 weeks ago. It simply took me time to gather up all the info below, to provide more specifics than those general interest articles were sharing.)
Who is vulnerable to this, and who is not?
The attackers have been exploiting a vulnerability (cve-2010-2861) identified in August 2010.
To be clear, the vulnerability was fixed by Adobe in Aug 2010, as discussed in APSB10-18, with security fixes made available for the versions of CF then supported: ColdFusion 9.0, 9.0.1 and 8, and 8.0.1. (CF7, from 2005, was no longer supported by then so no fix was offered for it, therefore anyone using that or earlier are indeed vulnerable to this attack.)
The fix was also incorporated into "Cumulative Hotfixes" (CHFs) that came out later for 9.0 and 9.0.1. More on those in a moment. Finally, CF9.0.2 (which was a separate installer, not an update) was released in May 2012, and incorporates the fix so is not vulnerable. (I do not find that any CF8 CHF was released in 2010 or later.)
As such, whether you are vulnerable to this issue depends on both the CF version and update level. As for how to know exactly what version of CF you are running, see the CF Admin and its "settings summary" page (last option in the "settings" page). It's first line lists the CF version.
As for how to know which updates or CHFs may have been applied to your CF9 or earelier, see a blog post I did at the time on that topic.
Given the above:
- If you're on 9.0 and have at least its Cumulative Hotfix 3 properly applied, you should NOT be vulnerable to this attack. To be clear, its Cumulative Hotfix 1 came out in early 2010, before this vulnerability. It wasn't until Cumulative Hotfix 2 or later that it was included (and CHF2 was quickly replaced by CF9.0 CHF3).
- If you're on 9.0.1 and have applied at least its CF 9.0.1 Cumulative Hotfix 1, you should NOT be vulnerable to this attack
- If you're running ColdFusion 8 and did NOT correctly apply the security fix discussed here, or on CF9.0 or 9.0.1 and did not apply this specific fix or the CHFs just mentioned, then you ARE vulnerable. See below on how to address the vulnerability
- If you're running 9.0.2, again you should NOT be vulnerable to this attack, as the vulnerability was fixed before that new installer was released (in 2012)
- If you're running later CF versions, whether ColdFusion 2021, 2018, 2016, 11 (from 2014), or 10 (from 2012), again the vulnerability was fixed before they were released
- If you're somehow running CF7 or earlier, this fix was never provided by Adobe for that, as it was no longer supported by 2010, so again you are vulnerable.
What can you do, if still on CF9 or 8?
There are a few choices, as for what one can do if still on CF9 or 8, and don't have the needed security fix or Cumulative hotfix that includes it, as discussed in the last section.
- First, the "simple solution", for those running CF9 or 8, may seem to be to apply the needed security update from the time. The steps are indeed outlined in the technote for applying that fix to CF9 or 8, at that time, in Aug 2010. (While sometimes, the jars and/or zip files offered in such technotes from so long ago no longer function, but those in that article do work.)
- That said, applying updates back then was challenging. Also, again, you do NOT need to apply THIS fix if you may find that you already are running 9.0.2, or at least Cumulative Hotfix 1 of CF 9.0.1, or Cumulative Hotfix 3 of CF 9.0. For more on updating CF9, see a blog post I did from that era, trying to help folks deal with the many different updates available for CF9 and earlier.
- And really, if you have not applied the final CHFs available for whatever CF9 or 8 version you are on, one could argue you should be applying that instead (for CF9 or 9.0.1) or also (for CF8). Again, see my blog post from that era, offered in the previous point here
What SHOULD you do, if still on CF9 or 8 (or even 10, 11, or 2016)?
That said, a VERY strong argument can be made that rather than update CF9, you should be getting off of it--and any unsupported CF version, ASAP! Even CF2016. Let me elaborate on that and still other options:
- Even if you applied all known fixes to CF9 or 8, it's still unwise from a security perspective to be running either of those versions, which have not been updated in over 8 years, and so have literally years (and now hundreds) of vulnerabilities, which have been fixed in later versions. CF versions get updates for up to 5 years after they are released, and again CF9 was released in 2009. As such, both CF9 and 8 have many more vulnerabilities which (while they have since been addressed via updates in the still later CF versions), they were never addressed in those old versions.
- And the answer is also not to "go to CF10", or 11, or even 2016, as all those also stopped getting updates (including security fixes) 5 years after their release, so CF10 was last updated in 2017, CF11 was last updated in 2019, and CF2016 got its last update in March 2021. To be clear, only CF2018 and 2021 are currently formally supported and updated by Adobe. It's unwise for many reasons to be running any versions older than that.
- And since Adobe only sells CF2021, someone moving from any older version would need to move to CF2021. (There is provision for "backwards licensing" to CF2018, where you pay for 2021 but get a 2018 license key--though that's only if the CF2021 license is purchased under a volume license agreement from Adobe or from a reseller, such as Intergral. Just be aware that when you then want to move to CF2021, you would need to pay its upgrade price, since technically you "bought" and used CF2018.)
- Finally, some will want to point out that still another option is to leave Adobe ColdFusion entirely and move to Lucee, the open source CFML engine. More on that in a moment.
So which choice is "right" for you again "depends".
Locking down the CF Admin
Update: On the Ortus Modernize of Die podcast episode the morning after I posted this, co-host Brad Wood made a great observation that since the issue identified in the CVE was specifically about hacks that were exploiting URLs in the CF admin--even if one could not log into it. I thought I would note that and add this subsection.
As another thing one "could" and indeed "should" do, you can block your CF Admin from public access, which if done carefully and completely will help with this attack and still others.
FWIW, CF2016 and above do that automatically: literally blocking access to the CF Admin URLs if attempted through the web server connector. (And Brad noted that later versions of Commandbox also implement a prod mode by default, which blocks Admin access therefore by default.)
But in CF11 and earlier, the web server connector tool created a CFIDE folder in each site that was connected. There are several things one can do to block that, or at least the CFIDE/administrator URLs.
And the CF Lockdown guide (available even in CF9 and since) addresses such options. As for finding those, I had done a post back in 2014 pointing to the lockdown guides for CF11, 10, and 9. And as I note there, I list links to them for all versions in the "Security Resources" category of my CF411 site. Anyone still running an old CF version should indeed make sure that their CF admin is protected (by more than just its password.)
On migrating CF versions or engines
If you may consider one of the last couple of choices in the "what should you do" section above, note that migrating from one CF version to another can be challenging, and all the more when you may skip multiple versions, or when considering changing from CF to Lucee.
As for CF, Adobe does strive to maintain backward compatibility (to a fault, in the eyes of some), but even so there's a wide range of possible results in attempting such a migration. Some folks find that even such a "large leap" can go surprisingly well, while others may have to address some compatibility issues which may be few but perhaps occurring repeatedly in their codebase, and still others find the migration to seem "impossible". Usually, even such "impossible" migration issues can be overcome.
Fortunately, you can obtain a free trial or Developer edition of ColdFusion (offered on the Adobe CF product page), and you can even implement a new CF version alongside an old version on the same machine (if you may have only one), so that you can test against both at the same time.
Of course, the same challenges of "migrating engines" applies of course to moving to Lucee. While an advantage is indeed that it's free for production use, someone making the move to it would still face the range of possible migration impacts: some will have none, most will have some, some will have many, and still others will feel it's "impossible". So it's not clearly "the right choice" for everyone, but it is an option some will want to consider.
Finally, some may use all this as "last nail in CF's coffin" to move off of it, but it should be noted again that a) Adobe still fully supports CF (and is already at work on the next release to follow CF2021) and b) there is the open source option in Lucee. Both products have strong community support. And also, I can help as discussed below.
About the attacks
The attacks garnering industry attention have implemented what's known as the Cring ransomware, which in the past has also been used to attack vulnerable versions of remote desktop protocol (RDP) and VPN software. For more on Cring, see articles such as this.
Yet another article discussing the attack offers general mitigation efforts for ransomware (applying to virtually any software), though the article also mentions the recent Cring attacks on old CF versions.
Getting help on these things
Besides the resources I've shared above (including community support resources), I want to offer as well that I can help with solving all the above, and indeed pretty much any problem related to using CF (or Lucee), from updating to upgrading (including updating the JVM that CF uses), migrating to newer CF versions, tuning and troubleshooting, deploying CFML in containers, and still more. For more information, see my consulting page.
Or of course, I welcome comments and questions below. That said, let's please keep comments focused on this issue. I ask folks to please refrain from using this post as a place to vent general frustrations with Adobe or CF or CFML, etc. or against those who still choose to use it.
For more content like this from Charlie Arehart:Need more help with problems?
- Signup to get his blog posts by email:
- Follow his blog RSS feed
- View the rest of his blog posts
- View his blog posts on the Adobe CF portal
- If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
- See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed
There are no comments for this entry.
[Add Comment]