Workaround Issued For Newly-Discovered Vulnerability In ColdFusion 6.1
ColdFusion 7.0 - CFMX 7 - Is Not Affected

A vulnerability has been discovered in the ColdFusion MX 6.1 Updater which, if exploited, would allow malicious native code to execute, potentially without the user being aware. ColdFusion 7.0 is not affected. Macromedia has issued what it calls "a workaround addressing the problem" and notes that the issue will be fixed in the next updater.

The details of the vulnerability are as follows:

The ColdFusion MX 6.1 Updater renames the /jrun4/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/cfclasses directory to cfclasses-backup but does not recreate the ..../cfusion-war/WEB-INF/cfclasses directory. After restarting the ColdFusion server, subsequent requests compile .cfms and place the .class files incorrectly under the web server root in a newly created /WEB-INF/cfclasses directory, rather than under the application root /jrun4/.../cfusion-war/WEB-INF/cfclasses.
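The following script is an added example, not Macromedia's published workaround or anything from this article: it checks an installation for the two symptoms described above (a renamed but not recreated cfclasses directory under the application root, and compiled .class files under the web server root) and undoes them by recreating the application-root directory and moving the stray class files out of the web root. The application-root and web-root paths, the quarantine directory, and the sample tree it builds are assumptions.

```shell
#!/bin/sh
# Added example, not Macromedia's published workaround: detect and undo the
# cfclasses misplacement described above. Path arguments are assumptions;
# the sample layout mirrors the article's /jrun4/.../cfusion-war path.

# Return 0 when the layout is sane, 1 when the Updater's symptom is present.
check_cfclasses() {
    app_root="$1"   # e.g. /jrun4/servers/cfusion/cfusion-ear/cfusion-war
    web_root="$2"   # the web server document root
    status=0

    # Symptom 1: the Updater renamed cfclasses to cfclasses-backup and never
    # recreated it, so the next compile has nowhere to write.
    if [ -d "$app_root/WEB-INF/cfclasses-backup" ] && \
       [ ! -d "$app_root/WEB-INF/cfclasses" ]; then
        echo "missing: $app_root/WEB-INF/cfclasses (cfclasses-backup is present)"
        status=1
    fi

    # Symptom 2: compiled .class files landed in a cfclasses directory under the
    # web server root, i.e. inside the tree the web server serves from.
    if [ -d "$web_root/WEB-INF/cfclasses" ]; then
        stray=$(find "$web_root/WEB-INF/cfclasses" -name '*.class' | wc -l | tr -d ' ')
        if [ "$stray" -gt 0 ]; then
            echo "stray: $stray .class file(s) under $web_root/WEB-INF/cfclasses"
            status=1
        fi
    fi
    return "$status"
}

# Recreate the application-root cfclasses directory and move any stray class
# files out of the web root into a quarantine directory (assumed to lie outside
# the web root). ColdFusion recompiles the .cfm on the next request, so the
# stray copies are not needed; they are kept rather than deleted for review.
restore_cfclasses() {
    app_root="$1"; web_root="$2"; quarantine="$3"
    mkdir -p "$app_root/WEB-INF/cfclasses" "$quarantine"
    if [ -d "$web_root/WEB-INF/cfclasses" ]; then
        find "$web_root/WEB-INF/cfclasses" -name '*.class' \
            -exec mv {} "$quarantine/" \;
        rmdir "$web_root/WEB-INF/cfclasses" 2>/dev/null || true
    fi
}

# Constructed sample tree (not a real install): the post-Updater state the
# article describes, after one request has compiled index.cfm.
make_broken_layout() {
    base=$(mktemp -d)
    app="$base/jrun4/servers/cfusion/cfusion-ear/cfusion-war"
    web="$base/wwwroot"
    mkdir -p "$app/WEB-INF/cfclasses-backup" "$web/WEB-INF/cfclasses"
    : > "$app/WEB-INF/cfclasses-backup/cfindex2ecfm1.class"   # pre-update output
    : > "$web/WEB-INF/cfclasses/cfindex2ecfm2.class"          # misplaced output
    echo "$base"
}

# Stand-alone demo: report before and after remediation, then clean up.
demo() {
    base=$(make_broken_layout)
    app="$base/jrun4/servers/cfusion/cfusion-ear/cfusion-war"
    web="$base/wwwroot"
    echo "before:"; check_cfclasses "$app" "$web" || true
    restore_cfclasses "$app" "$web" "$base/quarantine"
    echo "after:";  check_cfclasses "$app" "$web" && echo "layout ok"
    rm -rf "$base"
}
demo
```

Run `check_cfclasses` against the real application root and document root before and after applying Macromedia's workaround; a non-zero exit means the Updater's misplacement is still present. The quarantine step is a conservative choice made here so that nothing compiled into the served tree is left behind or silently destroyed.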

Macromedia categorizes this issue as a "critical" update and recommends users immediately patch their installations. The company thanked Sean Waddell from ESP Group "for reporting this vulnerability and for working with us to help protect our customers' security."


About ColdFusion News Desk
CFDJ News Desk monitors the world of ColdFusion to present developers with updates on technology advances, new features and performance enhancements concerning ColdFusion, business trends, ColdFusion-related products, standards discussions, and industry commentary.
