3 Replies Latest reply on May 29, 2013 3:42 AM by winkelmann

    CVE-2013-0632, Hotfix APSB13-03 for Coldfusion 8 ???

    winkelmann

      Hello; I have a question regarding the Coldfusion Security Bulletin APSB13-03 for ColdFusion 10, 9.0.2, 9.0.1 and 9.0.

      Is this hotfix also availablefor Coldfusion 8.01? We use the Coldfusion 8.01 enterprise version.

      Patched on the last available hotfix APSB12-21 -> Security update: Hotfix available for ColdFusion 10 and earlier.

       

      By regulary scanning our systems a finding regarding CVE-2013-0632 was found by the scanners, to resolve with APSB13-03.

      Is APSB13-03 available for Coldfusion 8.01? Core support ends 7/31/2012 (the last hotfix for cf 8 wa from 11/2012!)

      But extended Support reaches until 7/31/2014.

      frank

        • 2. Re: CVE-2013-0632, Hotfix APSB13-03 for Coldfusion 8 ???
          Adam Cameron. Level 5

          There will be no further patches released for CF8. As per the posting above, it's past it's "use by" date, basically: once it's out of "core support", there are no more patches. The "extended support" only counts if you are on the paid-for support programme for which that is relevant. Basically you pay Adobe some money for the possibility of being able to pay them even more money for them to fix their bugs.

           

          However, for all these recent vulnerabilities that have been found, if you have run through the lockdown guide (which is essential to do for all public-facing servers as a matter of course anyhow) then the vulnerability is basically mitigated. The "vulnerabilities" are only really "vulnerabilities" on insecure servers.

           

          That said: don't take my word for it, do some reasearch and draw your own conclusions. I say this only because I don't want to be seen to be pronouncing about Adobe's support and CF's vulnerabilities, because I don't want someone to get hacked adn refer back here and go "but that bloke Adam said..." ;-)

           

          --

          Adam

          • 3. Re: CVE-2013-0632, Hotfix APSB13-03 for Coldfusion 8 ???
            winkelmann Level 1

            Thanks;

             

            You wrote exactly my thoughts )

             

            Mit freundlichen Grüßen

            Frank Winkelmann

             

            Siemens AG

            Corporate Information Technology

            Corporate Automation

            CIT CA HS 1 4

            Hugo-Junkers-Str. 9

            90411 Nürnberg, Deutschland

            Tel. Geschäftlich: 091145051290

            Tel. Mobil: 015254690615

            mailto:frank.winkelmann@siemens.com

             

            Siemens Aktiengesellschaft: Vorsitzender des Aufsichtsrats: Gerhard Cromme; Vorstand: Peter Löscher, Vorsitzender; Roland Busch, Brigitte Ederer, Klaus Helmrich, Joe Kaeser, Barbara Kux, Hermann Requardt, Siegfried Russwurm, Peter Y. Solmssen, Michael Süß; Sitz der Gesellschaft: Berlin und München, Deutschland; Registergericht: Berlin Charlottenburg, HRB 12300, München, HRB 6684; WEEE-Reg.-Nr. DE 23691322

             

             

            Von: Adam Cameron. forums_noreply@adobe.com

            Gesendet: Mittwoch, 29. Mai 2013 12:29

            An: Winkelmann, Frank

            Betreff: CVE-2013-0632, Hotfix APSB13-03 for Coldfusion 8 ???

             

            Re: CVE-2013-0632, Hotfix APSB13-03 for Coldfusion 8 ???

            created by Adam Cameron.<http://forums.adobe.com/people/Adam+Cameron.> in ColdFusion - View the full discussion<http://forums.adobe.com/message/5361018#5361018