Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

But note first that the security aspect applies only to those running CF on Windows (and even then not ALL users of CF on Windows, as I will explain).

Then again, the update also includes a bug fix to a CF Admin, for a UI issue (related to updates, in fact), and if you need that, then you do want the fix (regardless of your OS).

So who needs it? If you need a little more guidance, I offer some clarification, as well as links from Adobe for more.

[....Continue Reading....]

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

In this post (updated in Oct 2023, for reasons discussed below), I discuss:

• Knowing when a connector upgrade is needed
• How to apply the connector upgrade, via the wsconfig gui or commandline
• What updating the web server connector actually does

[....Continue Reading....]

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

Update (Nov 20, 2019): Adobe announced today that they'd come out with the "final" versions of this pair of "preview" updates. If you already applied either one, you don't need to do the update, as they are unchanged from the preview. But do note that if you changed your CF Admin update "settings" feature to point to the new "preview" feed url, you should use the button there to revert back to the default update feed url.

Adobe has announced today (Nov 13, 2019) new preview updates for ColdFusion 2016 (preview update 13) and 2018 (preview update 6).

https://coldfusion.adobe.com/2019/11/preview-builds-coldfusion-2018-release-update-6-and-coldfusion-2016-release-update-13-released

These updates address issues reported with the Sept 2019 updates (which I was tracking and warned about when the update was released). If you experienced any of those or other issues discussed in Adobe's post, you should try out the new updates while they are in this preview mode (to share with Adobe any remaining concerns) over the next couple of weeks.

Notice also my initial comment in that Adobe post, with a couple of potentially important reminders regarding the preview, as well as a reminder of my plea for a new approach to updates that would allow one to select to get only the latest security updates of a new update (deferring any bug fixes or new features to the next update), which could have helped many in the case of the Sept updates, that had so many issues seemingly caused by new features and bug fixes.

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

There is precedent for the proposal I am making, in the way Oracle has in the past handled this problem with Java updates. Let me explain.

[....Continue Reading....]

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

Update (Nov 20, 2019): Adobe announced today that they'd come out with a new set of updates to fix the problems in the Sep 24 updates. Today's updates address the various issues reported below about the Sept update. It's important to proceed with performing the updates, for the benefit of the security updates as I discussed below back in Sept.

I shared here Tuesday the news that Adobe had announced there were new updates for CF2018 and 2016, released that day.

But as has happened every few releases, a lot of folks are reporting various problems, enough for me to say that folks may want to hold off on applying these updates, which I realize is a risky proposition since the update includes security fixes.

For more, read on.

[....Continue Reading....]

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

As an update to this post, I have offered a new post, pointing out that many people are having problems with this set of updates here. So I would recommend folks hold off on applying it for now. I will update this (and that) if we hear new info from Adobe.

Beyond adding important security and bug fixes as seems typical, this update offers several new or changed features, as well as updated support for things (such as Java 12), as is also often the case.

Uniquely, though, this update is the first ever to require that you must first have updated to the PREVIOUS update before applying this new one. So those on CF2018 must first be on update 4 before going to this new update 5, while those on CF2016 must be first on update 11 before going to this new update 12.

As always, I share a bit more here, for my readers.

[....Continue Reading....]

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

And I share a bit more here, for my readers.

[....Continue Reading....]

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

[....Continue Reading....]

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

And if you HAVE already read part 1, if it was before Saturday morning, do go back and reread it. I had added some important info that I thought shouldn't wait to Part 2, which I knew could take me a while. See especially the sections there, "A brief introduction to the vulnerability and the fix", "Should you be worried?", and "What if you can't apply the update immediately, and can't wait for part 2?".

And my apologies for the delay in getting part 2 out. For various reasons, including related to additional research work I'm doing on this exploit beyond CF, I was unable to post this then. Better late than never, I hope. Indeed, I had listed quite a lot in Part 1 that I hoped to cover in a part 2. I don't want to delay getting this out any later, so I will get done today what I can and post that, and carry over into a part 3 (or beyond) whatever remains. There are some natural breaks, fortunately. Thanks for your patience.

Following are what I cover here in Part 2:

• More detail about the vulnerability and what was "fixed"
• Wouldn't an antivirus package on the server detect this sort of trojan?
• How to add further protection from it (especially if you may be unable to implement the update for some reason)
• Considering running a security scan of your CFML code
• Consider implementing a web application firewall
• How to prevent execution of the files used in the attack, if they may already be on your server
• Another benefit of applying the latest updates
• What about Lucee?

[....Continue Reading....]

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

All CF shops are urged to install this update immediately, to implement new protections against a known attack happening in the wild. It's identified in the associated Adobe Product Security Bulletin, APSB19-14, as a priority 1 critical vulnerability.

I will add that I can vouch personally for the significance of the vulnerability, as I reported it to the Adobe Product Security Incident Response Team (PSIRT), and I proposed the fix which was implemented. (I also know what was done specifically to perpetrate the attack, and the very negative consequences of what happened once the server of a client of mine was attacked. You don't want this to happen to you.) I plan to share much more in a part 2 post (now posted, but do see below for the context it builds upon).

(In the meantime, I have tweaked this part 1 since originally posting it, to share more here.)

[....Continue Reading....]