Pete Freitag Pete Freitag

Important Java Security Patch Released

Updated on December 07, 2023
By Pete Freitag

Oracle has just released a patch for a critical denial of service vulnerability (CVE-2010-4476) in the Java Runtime.

I have confirmed that this is easily exploited on a ColdFusion server running an unpatched JVM. It's very very probable that you have code that could be exploited.

Any code that run's Java's floating point number parser is vulnerable, so ColdFusion code such as:

<cfparam name="url.x" type="numeric">

When given a malicious input it will cause the processing thread to go into an infinite loop.

Oracle released a new JVM on Feb 15th which will include this patch among others. Java 1.6.0_24 has been certified by Adobe for use on ColdFusion 8.0-9.0.1

I'd like to add a scanner for this on HackMyCF but doing so would crash your server, so I won't be doing that :)

Update We have added a probe feature available to paid subscribers of HackMyCF which will alert you when you need to update your JVM.

Also, today you should not be running Java 1.6. Take a look at some current info showing which java lts versions Oracle supports, and which versions of java coldfusion currently supports today.

java security

Important Java Security Patch Released was first published on February 09, 2011.

If you like reading about java, or security then you might also like:


The Fixinator Code Security Scanner for ColdFusion & CFML is an easy to use security tool that every CF developer can use. It can also easily integrate into CI for automatic scanning on every commit.

Try Fixinator

The weekly newsletter for the CFML Community


@Dave - Since this is really a Java issue, I would not expect Adobe to release a patch, but I could be wrong, I'm not Adobe :)

The instructions to apply the patch are here: there isn't much that would be different for ColdFusion server, you just need to make sure that you are updating the JVM that ColdFusion is using.
by Pete Freitag on 02/09/2011 at 1:46:19 PM UTC
@Dave - I personally prefer to install the latest JVM from Oracle. The JVM that ships with CF (especially CF8) will have other security issues, though they may not be as easy to exploit as this one is.
by Pete Freitag on 02/09/2011 at 4:02:47 PM UTC
It's not as easy to trigger as I feared though. I just tried one of our remote-enabled CFC calls on the dev. CF9.0.1 system, and it's perfectly happy.
by Tom Chiverton on 02/10/2011 at 4:16:23 AM UTC