Coldfusion and the Java CVE-2012-1723 vulnerability.

Aug 9, 2012 4:43 PM

Tags: #java #vulnerability

I have a few questions about ColdFusion, specifically 9.0.1 in my case, regarding Java. I updated the JVM for ColdFusion in the past, due to a vulnerability, to a version that was sanctified by Adobe for use, version 1.6.0_24. This was the vulnerability: CVE-2010-4476

So first, is this particular vulnerability, CVE-2012-1723, applicable to the ColdFusion server? Second, what is the current version of Java sanctified by Adobe? Last, what are the consequences of using a non-sanctified version of Java with ColdFusion?

Replies
    Aug 9, 2012 8:20 PM   in reply to D@yzW0rk

    Adobe has not "certified" ColdFusion 9 on a newer version of the JVM than version 1.6.0_24. The unofficial word on the street is that Adobe support will still work with you if you have a newer JVM, though they might ask you to roll it back to 1.6.0_24. Adobe has only certified a new version of a JVM outside of a major release twice to my recollection: the first time was when the daylight saving time rules changed, and the second was the DoS vulnerability that exists in versions prior to 1.6.0_24. Adobe will be supporting Java 7 for CF9 and 10 due to Java 6 EOL, as per this blog entry: http://blogs.coldfusion.com/post.cfm/java-7-support-for-coldfusion

    The vulnerability CVE-2012-1723 allows for bypass of the Java security sandbox, so this might be something you would be concerned about on a ColdFusion server... if you have sandbox security turned on.

     
    |
    Mark as:
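The practical follow-up to the reply above is to find out which JVM a ColdFusion install is really running and where it sits relative to the certified 1.6.0_24 and to the update that fixes a given CVE. The script below is an added example, not code from the thread, Adobe or ColdFusion: it parses `java -version` output (a constructed sample is embedded so it runs offline), compares version tuples, and reports whether the JVM is the certified one, newer than it, or at or past a fix level. The fix levels per release line are an assumption the caller supplies from the JDK release notes; the thread does not state which update fixes CVE-2012-1723, so the values used here are placeholders.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, update)

# JVM version the reply above says Adobe certified for ColdFusion 9.
CERTIFIED_CF9_JVM = "1.6.0_24"

# Constructed sample of `java -version` output (the JVM prints it to stderr).
SAMPLE_JAVA_VERSION_OUTPUT = """java version "1.6.0_24"
Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
Java HotSpot(TM) 64-Bit Server VM (build 19.1-b02, mixed mode)
"""

# Matches the first `java version "1.6.0_24"` line; the update part is optional.
_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output: str) -> Optional[Version]:
    """Extract the version line as a comparable tuple, or None if absent.
    The update number defaults to 0 when missing (e.g. "1.7.0")."""
    m = _VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def version_tuple(s: str) -> Version:
    """Parse a bare version string such as "1.6.0_24"."""
    t = parse_java_version(f'java version "{s}"')
    if t is None:
        raise ValueError(f"unrecognised Java version string: {s!r}")
    return t


def format_version(t: Version) -> str:
    """Render a tuple in the Oracle style, zero-padding the update (1.6.0_05)."""
    major, minor, patch, update = t
    base = f"{major}.{minor}.{patch}"
    return f"{base}_{update:02d}" if update else base


def assess(installed: str, certified: str, fixed_in: Dict[str, str]) -> dict:
    """Classify an installed JVM against the vendor-certified version and the
    first update of its own release line that contains a given fix.
    `fixed_in` maps a release line ("1.6", "1.7") to that first fixed update
    (assumed input; the thread gives no such values for CVE-2012-1723).
    Fixes ship separately per line, so a 1.7 JVM is never judged against a
    1.6 threshold: when the line is not in the map, has_fix is None (unknown)."""
    inst = version_tuple(installed)
    cert = version_tuple(certified)
    line = f"{inst[0]}.{inst[1]}"
    has_fix = (version_tuple(fixed_in[line]) <= inst) if line in fixed_in else None
    return {
        "installed": format_version(inst),
        "is_certified": inst == cert,
        "newer_than_certified": inst > cert,
        "has_fix": has_fix,
    }


def installed_java_version(java_cmd: str = "java") -> Optional[str]:
    """Run `java -version` for the given executable and return its version
    string, or None if it cannot be run or parsed. Point java_cmd at the JRE
    named by java.home in ColdFusion's jvm.config; the java on PATH may be a
    different install from the one ColdFusion actually loads."""
    try:
        proc = subprocess.run([java_cmd, "-version"], capture_output=True,
                              text=True, check=False)
    except OSError:
        return None
    t = parse_java_version(proc.stderr + proc.stdout)
    return None if t is None else format_version(t)


if __name__ == "__main__":
    # Placeholder fix levels (constructed, not real values): fill from the
    # JDK release notes for the CVE you are assessing.
    fixed = {"1.6": "1.6.0_99", "1.7": "1.7.0_99"}
    sample = parse_java_version(SAMPLE_JAVA_VERSION_OUTPUT)
    current = installed_java_version() or format_version(sample)
    print(assess(current, CERTIFIED_CF9_JVM, fixed))
```

Run it on the server with `java_cmd` set to the `java.home` JRE from ColdFusion's `jvm.config`, or cross-check the result against `server.java.version` from a CFML page, which reports the JVM the running ColdFusion instance loaded. The `has_fix` flag only answers "is this update at or past the fix level for its own line"; the certified-versus-newer distinction is the separate support question the reply discusses.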
