Important Java Security Patch Released

Tags: coldfusion, java

Oracle has just released a patch for a critical denial of service vulnerability (CVE-2010-4476) in the Java Runtime.

I have confirmed that this is easily exploited on a ColdFusion server running an unpatched JVM. It's very very probable that you have code that could be exploited.

Any code that runs Java's floating point number parser is vulnerable, so ColdFusion code such as:

<cfparam name="url.x" type="numeric">

will, when given malicious input, cause the processing thread to go into an infinite loop.
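The cfparam above is the sink: the numeric type check itself hands the raw request value to the JVM's float parser. Patching the JVM is the fix; a defense-in-depth layer for fields that are only ever plain integers is to reject anything that does not look like one before any numeric conversion runs, so strings containing a decimal point or exponent never reach the parser. The following handler is an added example and is not code from the original post; the parameter name url.x, the regex and the nine-digit cap are assumptions for illustration.

```cfml
<!--- Added example (not from the original post): validate the shape of url.x
      before ColdFusion performs any numeric conversion on it.
      url.x, the pattern and the length cap are illustrative assumptions. --->
<cfset rawX = "">
<cfif structKeyExists(url, "x")>
    <cfset rawX = url.x>
</cfif>

<!--- Defensive shape check: optional leading minus, then 1 to 9 ASCII digits.
      Values containing '.', 'e' or 'E' are rejected here and are never passed
      to the floating point parser. --->
<cfif NOT reFind("^-?[0-9]{1,9}$", rawX)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid value for x</cfoutput>
    <cfabort>
</cfif>

<!--- Only after the shape check does the numeric validation run; at this point
      the parser can only ever see a short digit string. --->
<cfparam name="url.x" type="integer">
<cfset x = val(url.x)>
<cfoutput>x = #x#</cfoutput>
```

The check has to come before the cfparam, not after it, because the cfparam is where the parse happens. For fields that legitimately need decimals or exponents this shape check does not apply, and only a patched JVM closes the issue there.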

Oracle released a new JVM on Feb 15th which includes this patch among others. Java 1.6.0_24 has been certified by Adobe for use on ColdFusion 8.0-9.0.1.
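Because ColdFusion can run on a JRE other than the one bundled under its install directory, the useful check is to ask the running server which JVM it actually loaded and compare that against the certified 1.6.0_24. The script below is an added example, not code from the original post or from HackMyCF; the version-parsing helpers are assumptions written for this illustration.

```cfml
<!--- Added example (not from the original post): report the JVM that ColdFusion
      is really running on and whether it is at least the certified 1.6.0_24.
      The helper functions are illustrative assumptions. --->

<cffunction name="versionToArray" returntype="array" output="false">
    <cfargument name="v" type="string" required="true">
    <!--- "1.6.0_24" -> [1, 6, 0, 24]; any "-xyz" suffix is dropped first --->
    <cfset var parts = reMatch("[0-9]+", listFirst(arguments.v, "-"))>
    <cfset var out = arrayNew(1)>
    <cfset var p = "">
    <cfloop array="#parts#" index="p">
        <cfset arrayAppend(out, val(p))>
    </cfloop>
    <cfreturn out>
</cffunction>

<cffunction name="isAtLeast" returntype="boolean" output="false">
    <cfargument name="have" type="string" required="true">
    <cfargument name="need" type="string" required="true">
    <cfset var a = versionToArray(arguments.have)>
    <cfset var b = versionToArray(arguments.need)>
    <cfset var i = 0>
    <cfset var x = 0>
    <cfset var y = 0>
    <!--- Compare component by component; a missing component counts as 0 --->
    <cfloop from="1" to="#max(arrayLen(a), arrayLen(b))#" index="i">
        <cfset x = 0>
        <cfset y = 0>
        <cfif i LTE arrayLen(a)><cfset x = a[i]></cfif>
        <cfif i LTE arrayLen(b)><cfset y = b[i]></cfif>
        <cfif x GT y><cfreturn true></cfif>
        <cfif x LT y><cfreturn false></cfif>
    </cfloop>
    <cfreturn true>
</cffunction>

<!--- Read the properties from the JVM hosting this request, not from disk --->
<cfset sys = createObject("java", "java.lang.System")>
<cfset jvmVersion = sys.getProperty("java.version")>
<cfset jvmHome = sys.getProperty("java.home")>
<cfset certified = "1.6.0_24">

<cfoutput>
ColdFusion is running on JVM #jvmVersion# from #jvmHome#<br>
<cfif isAtLeast(jvmVersion, certified)>
    OK: JVM is at or above #certified#
<cfelse>
    WARNING: JVM is below #certified#; update the JVM ColdFusion uses
</cfif>
</cfoutput>
```

One caveat: Oracle's FPUpdater tool patches the affected classes in place without changing the java.version string, so an in-place patched 1.6.0_23 will still show as below the certified release. Treat this as a check of which base release ColdFusion loaded, and note java.home, which tells you whether the bundled runtime/jre or a separately installed JDK is the one that needs updating.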

I'd like to add a scanner for this on HackMyCF but doing so would crash your server, so I won't be doing that :)

Update: We have added a probe feature, available to paid subscribers of HackMyCF, which will alert you when you need to update your JVM.

Comments

On 02/09/2011 at 3:42:15 PM EST Dave Cordes wrote:
Any instructions on how to apply this patch to ColdFusion? Is Adobe going to release a patch as well?

On 02/09/2011 at 3:46:19 PM EST Pete Freitag wrote:
@Dave - Since this is really a Java issue, I would not expect Adobe to release a patch, but I could be wrong, I'm not Adobe :)

The instructions to apply the patch are here: http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html. There isn't much that would be different for a ColdFusion server; you just need to make sure that you are updating the JVM that ColdFusion is using.

On 02/09/2011 at 5:11:03 PM EST Dave Cordes wrote:
Thanks for the response. What's best practice for updating the JVM? Using the standard JVM that was installed with ColdFusion and updating it or using the latest version which is installed separately?

For example if ColdFusion was installed on D:\ColdFusion8 the default JVM path would be D:\ColdFusion\runtime\jre.

Is it best practice to install each new JDK such as D:\Java\jdk1.6.0_23\ and use D:\Java\jdk1.6.0_23\jre as the JVM path?

On 02/09/2011 at 6:02:47 PM EST Pete Freitag wrote:
@Dave - I personally prefer to install the latest JVM from Oracle. The JVM that ships with CF (especially CF8) will have other security issues, though they may not be as easy to exploit as this one is.

On 02/10/2011 at 6:16:23 AM EST Tom Chiverton wrote:
It's not as easy to trigger as I feared though. I just tried one of our remote-enabled CFC calls on the dev. CF9.0.1 system, and it's perfectly happy.
