CVE-2013-0632, Hotfix APSB13-03 for Coldfusion 8 ???

Report · May 28, 2013

Hello; I have a question regarding the Coldfusion Security Bulletin APSB13-03 for ColdFusion 10, 9.0.2, 9.0.1 and 9.0.

Is this hotfix also availablefor Coldfusion 8.01? We use the Coldfusion 8.01 enterprise version.

Patched on the last available hotfix APSB12-21 -> Security update: Hotfix available for ColdFusion 10 and earlier.

By regulary scanning our systems a finding regarding CVE-2013-0632 was found by the scanners, to resolve with APSB13-03.

Is APSB13-03 available for Coldfusion 8.01? Core support ends 7/31/2012 (the last hotfix for cf 8 wa from 11/2012!)

But extended Support reaches until 7/31/2014.

frank

Report · May 29, 2013

APSB13-03 does not seem to be available for CF 8 :

http://www.adobe.com/support/security/bulletins/apsb13-03.html

Report · May 29, 2013

There will be no further patches released for CF8. As per the posting above, it's past it's "use by" date, basically: once it's out of "core support", there are no more patches. The "extended support" only counts if you are on the paid-for support programme for which that is relevant. Basically you pay Adobe some money for the possibility of being able to pay them even more money for them to fix their bugs.

However, for all these recent vulnerabilities that have been found, if you have run through the lockdown guide (which is essential to do for all public-facing servers as a matter of course anyhow) then the vulnerability is basically mitigated. The "vulnerabilities" are only really "vulnerabilities" on insecure servers.

That said: don't take my word for it, do some reasearch and draw your own conclusions. I say this only because I don't want to be seen to be pronouncing about Adobe's support and CF's vulnerabilities, because I don't want someone to get hacked adn refer back here and go "but that bloke Adam said..." 😉

--

Adam

Report · May 29, 2013

Thanks;

You wrote exactly my thoughts )

Mit freundlichen Grüßen

Frank Winkelmann

Siemens AG

Corporate Information Technology

Corporate Automation

CIT CA HS 1 4

Hugo-Junkers-Str. 9

90411 Nürnberg, Deutschland

Tel. Geschäftlich: 091145051290

Tel. Mobil: 015254690615

mailto:frank.winkelmann@siemens.com

Siemens Aktiengesellschaft: Vorsitzender des Aufsichtsrats: Gerhard Cromme; Vorstand: Peter Löscher, Vorsitzender; Roland Busch, Brigitte Ederer, Klaus Helmrich, Joe Kaeser, Barbara Kux, Hermann Requardt, Siegfried Russwurm, Peter Y. Solmssen, Michael Süß; Sitz der Gesellschaft: Berlin und München, Deutschland; Registergericht: Berlin Charlottenburg, HRB 12300, München, HRB 6684; WEEE-Reg.-Nr. DE 23691322