Security Bulletin

MPSB05-12 Sandbox Security and CFMAIL Vulnerability in ColdFusion MX 6.X

Originally posted: December 15, 2005

Summary

This bulletin addresses two (2) privately reported security issues with ColdFusion 6.X.

Affected Software Versions

  • ColdFusion MX 6.0
  • ColdFusion MX 6.1
  • ColdFusion MX 6.1 with JRun

Severity Rating

Adobe categorizes these issues as important and recommends that users patch their installations.

Details

This cumulative security rollup contains the following security patches:

  • JRun Clustered Sandbox Security Vulnerability.
    • ColdFusion Sandbox security relies on the Java SecurityManager. When ColdFusion is running on a JRun 4 cluster member and the SecurityManager is disabled, Sandbox security silently fails without throwing an exception. With Sandbox security disabled, a remote attacker using an application set up to rely on Sandbox security could potentially bypass security controls.
  • CFMAIL injection Vulnerability.
    • An application written to use the CFMAIL tag could be used to attach arbitrary files and send mail with any content. This is due to weak input validation in the "Subject" field.

Solution

These security fixes first require the installation of the ColdFusion MX 6.1 Updater.

Adobe has released a set of hotfixes to address both security issues.

NOTE: Back up your existing files before making changes. As always, test the changes in a non-production environment before applying the changes to production servers.

ColdFusion MX 6.0

ColdFusion MX 6.1

  1. Stop ColdFusion MX
  2. Download the hotfixes (ZIP, 29 KB)
  3. Apply the hotfixes:
    • 60679 - Sandbox security hotfix
    • 61098 - CFMAIL "Subject" injection hotfix

Follow the instructions below to install the hotfix for ColdFusion MX 6.1 in the server configuration, as well as for ColdFusion MX 6.1 J2EE configuration with JRun. For J2EE servers other than JRun, use the instructions under the J2EE Configuration section.

Windows

  1. Stop ColdFusion.
  2. Server Configuration only: Create the directory cf_root\runtime\servers\lib if it does not exist. This step is not necessary for J2EE Configuration with JRun.
  3. Download the hotfixes (ZIP, 29 KB). Place both jar files into the following directory:
      Server Configuration: cf_root\runtime\servers\lib\
      J2EE Configuration with JRun: jrun_root\servers\lib
  4. Restart ColdFusion.
  5. Examine the ColdFusion MX Administrator System Information page and confirm that hf60679_611.jar and hf61098_611.jar show in the Java Class Path list.

Unix

  1. Stop ColdFusion.
  2. Server Configuration only: Create the directory cf_root/runtime/servers/lib if it does not exist. This step is not necessary for J2EE Configuration with JRun.
  3. Download the hotfixes (ZIP, 29 KB). Place both jar files into the following directory:
      Server Configuration: cf_root/runtime/servers/lib/
      J2EE Configuration with JRun: jrun_root/servers/lib
  4. Server Configuration only: Edit the file cf_root/runtime/bin/jvm.config:

    1. Locate the JVM classpath section.
    2. Add {application.home}/runtime/servers/lib as the first entry in the java.class.path list.

       For example:

           # JVM classpath
           java.class.path={application.home}/runtime/servers/lib,
           {application.home}/runtime/../../src,
           {application.home}/lib/cfusion.jar,
           {application.home}/runtime/lib/webservices.jar

  5. J2EE Configuration with JRun only: Verify that {application.home}/servers/lib is the first entry in the java.class.path list in jrun_root/bin/jvm.config.
  6. Restart ColdFusion.
  7. Examine the ColdFusion MX Administrator System Information page and confirm that hf60679_611.jar and hf61098_611.jar show in the Java Class Path list.
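The following script is an added example, not part of the Adobe bulletin: it checks the result of the Unix Server Configuration steps above (both hotfix jars present in cf_root/runtime/servers/lib, and {application.home}/runtime/servers/lib first in java.class.path). The jar names and paths are the ones the bulletin lists; the cf_root argument and the function names are assumptions.

```shell
#!/bin/sh
# Added post-install check for MPSB05-12 on the Unix Server Configuration.
# Assumes the bulletin's jar names and the cf_root layout it describes.

# Return the first entry of java.class.path from a jvm.config file.
# The value may continue over several lines ending in commas, as in the
# bulletin's example, so take the text after '=' up to the first comma.
first_classpath_entry() {
    sed -n 's/^[[:space:]]*java\.class\.path=\([^,]*\).*/\1/p' "$1" | head -n 1
}

# Succeed only if both hotfix jars are in the given lib directory.
hotfix_jars_present() {
    lib="$1"
    [ -f "$lib/hf60679_611.jar" ] && [ -f "$lib/hf61098_611.jar" ]
}

# Full check for one installation: jars present and servers/lib first in
# the classpath. Prints what is wrong; returns 0 when everything is in place.
check_server_config() {
    cf_root="$1"
    status=0
    if ! hotfix_jars_present "$cf_root/runtime/servers/lib"; then
        echo "missing hotfix jar(s) in $cf_root/runtime/servers/lib"
        status=1
    fi
    first="$(first_classpath_entry "$cf_root/runtime/bin/jvm.config")"
    if [ "$first" != "{application.home}/runtime/servers/lib" ]; then
        echo "java.class.path must start with {application.home}/runtime/servers/lib (found: '$first')"
        status=1
    fi
    return $status
}
```

Run it as check_server_config /path/to/cf_root after step 6; a non-zero exit means one of steps 3 or 4 was not completed, and the jars will not appear in the Administrator's Java Class Path list.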

ColdFusion MX 6.1 - J2EE Configuration

Follow the instructions below to install the hotfixes for ColdFusion MX 6.1 in the J2EE configuration with a J2EE server other than JRun:

  1. Download the hotfixes (ZIP, 29 KB). Place both jar files into the cf_root/WEB-INF/lib directory.
  2. Change the Context Parameter cf.class.path
    in the Deployment Descriptor (cf_root/WEB-INF/web.xml)
    for the Web Application "Macromedia ColdFusion MX" (cfusion.war)

    from:
    ./WEB-INF/cfusion/lib/cfusion.jar

    to:
    ./WEB-INF/lib/hf60679_611.jar, ./WEB-INF/lib/hf61098_611.jar, ./WEB-INF/cfusion/lib/cfusion.jar

    • Note that each path in cf.class.path starts with a period and the paths are separated by commas.
    • Do not confuse ./WEB-INF/lib (which contains the hotfix jar files) with ./WEB-INF/cfusion/lib (which contains cfusion.jar).
  3. Stop and restart the J2EE server for changes to take effect.
  4. Examine the ColdFusion MX Administrator System Information page and confirm that hf60679_611.jar and hf61098_611.jar show in the Java Class Path list.
  5. Repeat steps for each deployed instance of ColdFusion.

About changing the Deployment Descriptor

  • Deployment Descriptor Context Parameters can be changed using the J2EE Administrator Control Panel (WebLogic and JRun) or by using the Application Assembly Tool (Websphere). If your J2EE server does not have such a tool, you must make sure that the Context Parameter change is made for all deployed instances of ColdFusion. It may be necessary to un-deploy CFMX, make the change, then re-deploy CFMX. See your J2EE documentation for other methods.
  • Be sure to Persist (WebLogic) or Save (Websphere) your changes after you change the value for cf.class.path.
  • You will usually need to stop and restart your J2EE server to make these changes effective.

NOTE: Back up your existing files before making changes. As always, test the changes in a non-production environment before applying the changes to production servers.

Acknowledgements

Adobe would like to thank the following individuals for reporting the vulnerabilities listed in this bulletin and for working with us to help protect our customers' security.

  • Russ Michaels - JRun Clustered Sandbox Security Vulnerability.
  • Mike Nicholls - CFMAIL injection Vulnerability

Revisions

December 15, 2005 — Bulletin first created.

Reporting Security Issues

Adobe is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with an Adobe product, please send an email to PSIRT@adobe.com. We will work to appropriately address and communicate the issue.

Receiving Security Bulletins

When Adobe becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Adobe customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service.

For additional information on security issues at Adobe, please visit: http://www.macromedia.com/security.

ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS OR FIXES PROVIDED BY ADOBE IN THIS BULLETIN ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ADOBE AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.

IN NO EVENT SHALL ADOBE, INC. OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES, BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF CONTRACT, BREACH OF WARRANTY, TORT(INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF ADOBE, INC. OR ITS SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE.

Adobe reserves the right, from time to time, to update the information in this document with current information.