Important Java Security Patch Released
Oracle has just released a patch for a critical denial of service vulnerability (CVE-2010-4476) in the Java Runtime.
I have confirmed that this is easily exploited on a ColdFusion server running an unpatched JVM. It's very very probable that you have code that could be exploited.
Any code that run's Java's floating point number parser is vulnerable, so ColdFusion code such as:
<cfparam name="url.x" type="numeric">
When given a malicious input it will cause the processing thread to go into an infinite loop.
Oracle released a new JVM on Feb 15th which will include this patch among others. Java 1.6.0_24 has been certified by Adobe for use on ColdFusion 8.0-9.0.1
I'd like to add a scanner for this on HackMyCF but doing so would crash your server, so I won't be doing that :)
Update We have added a probe feature available to paid subscribers of HackMyCF which will alert you when you need to update your JVM.
- Java Unlimited Strength Crypto Policy for Java 9 or 1.8.0_151 - October 19, 2017
- Java 9 Security Enhancements - September 21, 2017
- HashDOS and ColdFusion - December 30, 2011
- Java 1.6.0_24 Released Patches DOS Vulnerability - February 16, 2011
- Using AntiSamy with ColdFusion - August 5, 2010
The instructions to apply the patch are here: http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html there isn't much that would be different for ColdFusion server, you just need to make sure that you are updating the JVM that ColdFusion is using.
For example if ColdFusion was installed on D:\ColdFusion8 the default JVM path would be D:\ColdFusion\runtime\jre.
Is it best practice to install each new JDK such as D:\Java\jdk1.6.0_23\ and use D:\Java\jdk1.6.0_23\jre as the JVM path?
- Travis CI Error when installing oraclejdk8
- Tuning Tomcat IIS Connectors worker.properties and server.xml
- Push Tomcat logs with the AWS CloudWatch Logs Agent
- Sending nginx access logs to CloudWatch Logs Agent
- Setup CloudWatch Logs Agent on Ubuntu 18.04 LTS
- Tomcat Virtual Directory Howto
- Communications link failure MySQL JDBC with TLS
- Redirect www and non https in IIS using web.config