I have a few questions about ColdFusion, specifically (for me) 9.0.1, regarding Java. I updated the JVM for ColdFusion in the past due to a vulnerability, to a version that was sanctified by Adobe for use, version 1.6.0_24. This was the vulnerability: CVE-2010-4476
So first, is this particular vulnerability, CVE-2012-1723, applicable to the ColdFusion server? Second, what is the current version of Java sanctified by Adobe? Last, what are the consequences of using a non-sanctified version of Java with ColdFusion?
Adobe has not "certified" ColdFusion 9 on a newer version of the JVM than version 1.6.0_24. The unofficial word on the street is that Adobe support will still work with you if you have a newer JVM, though they might ask you to roll it back to 1.6.0_24. Adobe has only certified a new version of a JVM outside of a major release twice to my recollection: the first time was when the daylight saving time rules changed, and the second was the DoS vulnerability that exists in versions prior to 1.6.0_24.

Adobe will be supporting Java 7 for CF9 and 10 due to Java 6 EOL, as per this blog entry: http://blogs.coldfusion.com/post.cfm/java-7-support-for-coldfusion

The vulnerability CVE-2012-1723 allows for bypass of the Java security sandboxes, so this might be something you would be concerned about on a ColdFusion server... if you have sandbox security turned on.
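As an added illustration (not code from this thread, from Adobe, or from ColdFusion itself), here is a small Python helper that parses the first line of `java -version` output and classifies the running JVM relative to the 1.6.0_24 build the answer cites: older than it (the range the answer says carries the DoS bug), exactly the certified build, or newer than what Adobe has certified. The `java -version` strings in the block are constructed samples, and the function and constant names are my own.

```python
import re

# The Adobe-certified JVM build for ColdFusion 9.0.1 as stated in the thread.
CERTIFIED_JVM = "1.6.0_24"

# Matches the classic "1.6.0_24" form; the "_update" part is optional
# because some builds print only "1.6.0".
_VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text):
    """Return (major, minor, micro, update) from a bare version string or
    from the first line of `java -version` output, e.g.
    'java version "1.6.0_24"'. Raises ValueError if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no Java version found in: %r" % (text,))
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def assess_jvm(version_text, certified=CERTIFIED_JVM):
    """Classify a JVM against the certified build.

    Returns one of:
      'older-than-certified'  - earlier than 1.6.0_24, i.e. inside the range
                                the answer says is affected by the DoS bug
      'certified'             - exactly the build Adobe certified
      'newer-than-certified'  - a later build Adobe has not certified for CF9
    Tuples compare element-wise, so 1.6.0_9 correctly sorts before 1.6.0_24.
    """
    running = parse_java_version(version_text)
    target = parse_java_version(certified)
    if running < target:
        return "older-than-certified"
    if running == target:
        return "certified"
    return "newer-than-certified"


if __name__ == "__main__":
    # Constructed sample `java -version` first lines, not captured from a real host.
    samples = [
        'java version "1.6.0_21"',
        'java version "1.6.0_24"',
        'java version "1.7.0_05"',
    ]
    for line in samples:
        print("%-26s -> %s" % (line, assess_jvm(line)))
```

On a real ColdFusion host you would feed in the `java.version` value shown in the Administrator (or the output of the JRE's `java -version`) and treat anything other than `certified` as a configuration to review: older builds for the DoS issue, newer builds for the support caveat the answer describes.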
Thanks Peter. The feature or setting(s) of the ColdFusion server that expose it to this vulnerability is what I was looking for. Hope this also assists others in deciding how to address it for their environment.