October 19, 2018
Top 5 Security Issues Solved with Adobe ColdFusion 2018
October 19, 2018
Top 5 Security Issues Solved with Adobe ColdFusion 2018
Host CF Alive podcast, founder CFUnited, CEO TeraTech
Wizard 49 posts
Followers: 15 people

The Conficker Worm of 2008

In 2008, The Conficker worm program (also known as the Downadup worm) replicated itself across computers around the world and is still alive to this day. It turns your computer into a spam machine and monitors your sensitive information through keystroke logging. This info is then sent back to its programmers for their use. This worm defends itself by disabling your antivirus software. This worm continues to open backdoors for future hostile takeovers.

The Conficker Worm lays bare a truth about system security. No system is 100% secure. However, the good folks at Adobe do their best at locating and eliminating security issues as they arise. Adobe has found and addressed these top 5 major security issues moving towards the commercial release of ColdFusion 2018. Since these issues have been properly dealt with, you can rest easy when transitioning into Adobe ColdFusion’s latest version.

“Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place; be transported halfway across the planet in seconds; and be stolen without your knowledge.”

– Bruce Schneier, Security Author

Priority and Severity Ratings According to Adobe


Before we get into what the security problems actually are, we need to understand Adobe’s degrees of importance. Adobe breaks down potential threats and security risks into two separate scales.

Priority Scale

The priority scale evaluates the risk associated with each vulnerability in question. The priorities are based on a number of factors including types of vulnerabilities, historic attack patterns, and platforms affected. The scale has 3 separate levels with recommended timelines for remedy. Adobe’s scale is as follows:

  • Priority 1:
  • This update resolves around targeted ColdFusion vulnerabilities, or which have a higher target risk, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible. (within 72 hours).
  • Priority 2:
  • This update resolves vulnerabilities in ColdFusion that has historically been at elevated risk. There are currently no known exploits. Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (within 30 days).
  • Priority 3:
  • This update resolves vulnerabilities in CF that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.

Severity Scale

The Adobe severity scale helps you determine the security impact of each vulnerability.

Critical A CF vulnerability, which, if exploited would allow malicious native-code to execute, without a user being aware. Important A CF vulnerability, which, if exploited would compromise data security. This allows access to confidential data, or could compromise processing resources in a user’s computer. Moderate A CF vulnerability that is limited to a significant degree by factors such as default configuration, auditing, or is difficult to exploit.

Deserialization of Untrusted Data (CVE-2018–4939)

Adobe’s Severity Scale: Critical

To explain deserialization, one must first understand what serialization is and why it is done. Serialization is when an object is turned into data form for later use. Individuals serialize objects in order to send in communications or to save them in storage. Deserialization is exact opposite of that- to turn data back into objects. Currently, JSON (JavaScript Object Notation) is the most popular format for serialization and XML (eXtensible Markup Language) before that. Now, most programming platforms have some form of native serialization. ColdFusion is no exception. ColdFusion has built-in CFML to JSON serialization.

Serialization and deserialization can be very convenient for programmers. However, deserialized data can be modified without using accessor functions if not used with proper cryptography. This leads to corrupt and untrusted data. If a developer begins the deserialization process with corrupted data, attackers can force the data and object to perform unauthorized functions. The major vulnerability for Deserialization of Untrusted Data is for Remote Code Execution. Remote code execution is the ability to trigger arbitrary code execution from a remote platform, such as another physical machine.

Unsafe XML External Entity Processing (CVE-2018–4942)

Adobe’s Severity Scale: Critical

XML stands for eXtensible Markup Language. It defines a set of rules for encoding documents into a format that is both user-readable and machine-readable. Even though XML focuses primarily on documents, the language is often used for arbitrary data structures such as those used in web applications. XML has become very common for the interchange of data over the internet.

XML External Entity Processing attacks are attacks against applications that parse XML input. These attacks mainly occur due to weakly configured parsers processing XML input pertaining to an external entity. These attacks can lead to the following vulnerabilities:

  • Confidential Information Disclosure
  • Denial of Service
  • Server Side Request Forgery
  • Port Scanning from the Perspective of the Machine where the Parser is Located

Insecure Library Loading (CVE-2018–4938)

Adobe Severity Scale: Important

This vulnerability is due to improper dynamic loading of Adobe ColdFusion libraries. Dynamic loading is the process by which an application can attach a shared library to the address space during process execution. Dynamic loading also allows for function address lookup and subsequent detachment of shared libraries after calling upon the function.

Previously, in order to dynamically load Java into ColdFusion, it required a third party Java Library platform such as JavaLoader. Since the advent of ColdFusion 10, CF has the native ability to load Java libraries without the use of a third party organization. ColdFusion automatically updates libraries every 30 seconds without requiring a restart.

This is a great and convenient feature that comes along with ColdFusion. However, if there is an insecure library loading process, your CF apps become very vulnerable. This vulnerability can lead to malicious attackers to allow for arbitrary code execution and local privilege escalation. Privilege escalation is when an improper design configuration is exploited in order to gain elevated access to information not normally reserved for users.

Cross Site Scripting- Code Injection (CVE-2018–4940)

Adobe’s Severity Scale: Important

Cross Site Scripting (XSS) attacks are a form of code injection in which malintented scripts are injected into otherwise harmless and trusted websites. XSS attacks happen when an attacker sends bad code via web app to a different end user. Areas that allow these forms of attack occur wherever a web app allows user input within the output it generates without validation.

This can lead to code injection, But, what exactly is code injection? Code injection is the use of a computer bug created via processing invalid data. An attacker then uses “injection” to insert malicious coding into a web app. This can completely change the flow of execution. Code Injection can lead to access denial, corrupted data, loss of data, and loss of accountability. Extreme cases even allow for a complete takeover of the hosting web app.

ColdFusion can also be subject to SQL code injection attacks. SQL injection is where your SQL statements change to complete different functions than originally stated. Updating, deleting, or adding records to your database are just some effects of an SQL Injection. Any dynamically loaded websites may experience unowned content to be loaded or be redirected to another site via JavaScript. Using cfqueryparam can help to prevent SQL attacks.

As CF author Ben Forta says about SQL code injection at forta.com:

“I was just on a web site browsing for specific content. The URLs used typical name=value query string conventions, and so I changed the value to jump to the page I wanted. And I made a typo and added a character to the numeric value. The result? An invalid SQL error message.

That’s bad. Very very bad. It means that I was able to create a SQL statement that was submitted to the database for processing, a SQL statement that was passed to the database as is, unchecked.”


Cross Site Scripting- Information Disclosure (CVE-2018–4941)

Adobe’s Severity Scale: Important

Another XSS security vulnerability was corrected by Adobe. This particular error allowed for improper information disclosure. Information disclosure is when an application fails to protect sensitive information from unauthorized parties. Most types of information disclosure are not directly exploitable. However, these vulnerabilities allow attackers to gain more information to use in the event of a large scale long term attack.

There are different types of information disclosure including the following:

  • Source Code Disclosure
  • These types of issues arise when the source code of an application is exposed to the public. The severity of these issues are based on the criticality of lines of code exposed and how much as actually been made available. Source code disclosures may be caused by a number of ways including Unprotected Public Code Repositories and Incorrect MIME types.
  • File Name and File Path Disclosure
  • Sometimes web apps may disclose file names and paths allowing for the structure of web app to be revealed. This often happens due to improper user data handling, incorrect config of the web server, and exceptions on the backend.
  • Banner Grabbing and Active Reconnaissance
  • This is an active attack in which malicious parties send requests to a system in order to gain more information about it. Normally banner grabbing gains information that the attacker can use for exploitation throughout the course of the attack vice critical pieces of information. This can find known vulnerabilities of the server which may be used later.

Summary of Issues Solved

These 5 important issues were solved in April 2018 in the ColdFusion 2018 Beta. As more security issues arise and as Beta development continues, more located security issues will be addressed by Adobe. When CF2018 is finally released, the commercial version will be up-to-date with all previous security fixes from both the beta and CF 2016.

Resolution of Security Breach

According to the Center of Internet Security, you should perform these actions if your system is affected:

  • Install the updates provided after appropriate testing.
  • Run all software as a non-privileged user to minimize effects of attack.
  • Remind users not to visit websites or follow links provided by untrusted sources.
  • Educate users of the threats posed by hypertext links contained in emails or attachments especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

Best Practices to Prevent Security Issues

Fortunately for developers, there are ways to prevent these types of acts along with Adobe’s remedy releases. By following best practices, you can minimize initial attacks.

Here are 8 Best Practices you should deploy when securing your ColdFusion platform:

  • Understand Basic ColdFusion
  • This sounds like a no-brainer, but failure to understand your platform can lead to gross amounts of human error. Human error can lead to an obscene degree of improper coding and that carries over to security concerns as well.
  • Write in Security
  • By writing secure code and implementing security in the design, you can minimize the amount of attacks. However, if the attack does occur and extra level of cryptography or security will minimize the effects of the attack.
  • Ensure your Security
  • Be careful to maintain proper code design. When coding is complete, be sure to use proper security testing to make sure your system is as secure as you believe it is.
  • Secure Deployment
  • Along with proper testing, use security tools that will further hamper malicious attacks on your software. Sometimes, an extra layer of security will do the trick.
  • Verify Code Compliance
  • Compliances are set for a reason. Make sure your codes are up to snuff when publishing to catch easily preventable attacks.
  • Train Yourself and Your Team
  • Cybersecurity is an ever-changing battlefield. Stay up-to-date on current threats and the countermeasures for them. Continue to train yourself and your team for the current standards for program developing.
  • Update your Platform
  • When ColdFusion releases new security updates…UPDATE. Many web app attacks could have been easily prevented by keeping your platform updated. No need to undergo a full security troubleshoot due to simple complacency. Stay vigilant with your security updates.
  • Backup regularly
  • Be sure to perform regular backups of your OS and Databases

Remember, no system is 100% secure. But, that does not mean you cannot stay prepared for what may come. These 5 corrections to security vulnerabilities are just a few of the great reasons to keep up with the release of ColdFusion 2018. The more secure your ColdFusion platform is, the more secure your code will be. Maintaining security the right thing to do for your web apps, clients, and code. If ever you should experience any unlisted security issues with ColdFusion, immediately inform Adobe. This is will prompt them to start work as soon as possible in order to secure our CF development future. Along with Adobe, tell the CF community. Perhaps other users are experiencing similar problems. The CF community is close knit and may have solutions to your issue.

Have you experienced any of these security vulnerabilities? How were you able to overcome them? Join us in the comments below.


The only form on cloud pricing that is available currently on AWS where you can pay by the hour — They will soon have CF 2018 on AWS too.

Originally published at teratech.com on October 19, 2018.

Add Comment