ColdFusion Muse

Adobe Coldfusion Vulnerability - CVE-2019-7838, CVE-2019-7839, CVE-2019-7840/ APSB19-27

DataBank has issued a Security Bulletin to all of their ColdFusion clients about the recent Adobe ColdFusion Vulnerability. Databank has partnered with CF Webtools to do the patching for all of their ColdFusion client's servers.

CF Webtools is a full service ColdFusion consulting company provided high quality development services and specializing in the ColdFusion stack. If it has to do with ColdFusion we will be able to help!

Both CF Webtools and DataBank are highly engaged in helping their customers maintain secure environments. Patching and regular maintenance are part of that process. If you haven't yet patched your server – whether you host with a high quality provider like DataBank or host it yourself – give us a call at (402) 408-3733 and we will take the worry out of ColdFusion security.

  • Share:

ColdFusion and Java 8 and Java 11 Updates

Wil Genovese March 8, 2019 4:29 PM Java, ColdFusion, Coldfusion Security, Security Comments (3)

As many of you are aware Oracle has changed their licensing for Java 1.8 and making it a pay to play for all commercial purposes. Here's a link to the licensing announcement. I'm not a lawyer and I'm not going to pretend that I understand these licensing agreements. But Oracle and Adobe (or their lawyers I presume) do understand these and as such there are changes to note. On January 24th Adobe announced that Adobe will maintain support. via a Long-Term Support Agreement with Oracle, for Java 8 and Java 11. Thank you Adobe!

I have questions as I'm sure everyone else does. I've been asking representatives at Adobe these questions.

What does this mean for us?
ColdFusion Server runs on Java from Oracle, and as such the new Oracle license affects all of our ColdFusion servers. To this point Adobe has secured licensing from Oracle that allows all ColdFusion Server owners continue running Java. It is very important to note that you now need to download Java from Adobe and NOT Oracle. Get your Adobe Licensed Oracle Java downloads HERE!

Is the Java version from Adobe Different that the same version from Oracle?
Great Question and I asked Adobe about this. Here is the answer "Wil, installers are same but license attached to them are different and this is for both Java 8 and 11".

What about my existing ColdFusion Servers?
Another great question! There are tens of thousands (or more) ColdFusion servers running and the vast majority of them are running on Java from Oracle. I know that the CF Webtools Operations Group maintains a very large number of servers for a large number of clients. Over time we have been upgrading the Java version on the servers to keep up with the security updates from Oracle. This means that most if not all of these servers are on Oracle Java from Oracle and not from Adobe. What do we have to do to remain compliant? I really hope we do not have to visit all of these servers and replace the Java with the one from Adobe simply because there is a different license agreement attached. I have submitted this question to Adobe and I'm awaiting anxiously for the answer. What I do know is that all servers that we need to update are going to get the Adobe Licensed version of Oracle Java to stay safe.

I received an answer today from Adobe on this.

Wil, to answer your question, if the JDK/JRE were downloaded before Oracle came up with Licensing change, it should not be an issue. Otherwise we recommend using the Adobe provided download as soon as possible, although we don't see a deadline around this.
This means that all the servers that I have recently updated will need to be re-updated with the Java from Adobe that has a different license agreement.

What about my New ColdFusion Servers?
This question has a simple answer. To install a new ColdFusion Server you need to use the ColdFusion installer from Adobe which comes with an Adobe licensed version of Oracle Java. If you want to use a newer version of Oracle Java then you need to download the Adobe Licensed vision of Oracle Java from Adobe. Download Here!

Do I have to use Oracle Java?
Awesome question and the answer is yes, no, maybe. There is OpenJDK that may work just fine to run ColdFusion servers. There is also a new player in the Java game and that is Amazon. "Amazon Corretto is a no-cost, multiplatform, production-ready distribution of the Open Java Development Kit (OpenJDK)." Currently their version 8 is production ready and they version 11 is in the Release Candidate stage. I have run ColdFusion 11 an dColdFusion 2016 on Amazon Corretto 8 and it ran fine for the very limited testing that I did. For now there isn't official support from Adobe for these two Java versions.

As I get more information from Adobe I will provide updates above. I'm sure there will be more questions that people will want answered.

CF Webtools Developer Teams are ColdFusion experts and are ready to build your applications. We are also an Amazon Partner. Our Operations Group can build, manage, and maintain your AWS services including ColdFusion servers. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at CF Webtools .

  • Share:

Converting Fusebox 2 to FW1 - Creating Scaffolding

Mark Kruger February 28, 2019 3:19 PM ColdFusion, Coldfusion Tips and Techniques Comments (0)

A quick Muse post with a bit of code. I know I know it's been a while and my coding has suffered. Still, some of you may find this useful.

I'm converting a Fusebox 2 application to FW1 and I wrote a simple script to automate some of the shell files I need. FW1 uses a URL convention that looks similar to Fuesbox. In Fusebox you have a 2 part URL param that dictates what your code is supposed to do. For example, fuseaction=reports.users would logically be a "circuit" called "reports" - think of it as collection of code or an application within a suite of applications. The second part of the fuseaction dictates which report exactly is supposed to be run.

FW1 is not dissimilar to this approach although it tends to introduce complexity for complexity sake at times (don't @ me). In FW1 an "action" parameter dictates which controller to run which in turn calls services and views as needed to set up a page or action. So FW1 may have action=reports.users - it looks quite familiar.

Since my Fusebox application is well organized I created a script that builds off the circuit and creates the necessary FW1 files. For each circuit I am going to create:

  • circuitName.cfc in the FW1 /controllers folder.
  • circuitName.cfc in the FW1 /model/services folder.
  • circuitName.cfc in the FW1 /model/DAO folder.
  • A folder named for the circuit in the FW1 /views folder with a placeholder file within (default.cfm) for my eventual content.

The script is pretty easy and it's designed to be run within the fusebox application where the FW1 application is accessable via file operations. First some setup:

<!--- MAK: location of my F1 files. --->
<cfset targetFW1 = "E:\eclipse-ws\new-fw1\trunk\">

<!--- MAK: Set up our target Dirs for FW1. --->
<cfset controllerDir = targetFW1 & "controllers\">
<cfset serviceDir = targetFW1 & "model\services\">
<cfset DAODir = targetFW1 & "model\DAO\">
<cfset viewDir = targetFW1 & "views\">

Next I created some placeholder files for controller, services and DAO. I'm going to read those files into variables.

<cffile action="read" file="#templateDir#dao.txt" variable="daoContent">
<cffile action="read" file="#templateDir#service.txt" variable="servicesContent">
<cffile action="read" file="#templateDir#controller.txt" variable="controllerContent">
Then I'm going to use my Fusebox applications structure called "Fusebox.circuits" and loop through it taking action on my plan.
<!--- MAK: loop through them and check them out. --->
<cfloop collection="#fusebox.circuits#" item="circ">
    
    <!--- MAK: Does the controller exist? --->
    <cfif NOT fileExists(controllerDir & circ & ".cfc")>
        <cffile action="write" file="#controllerDir##lcase(circ)#.cfc" output="#controllerContent#">
    </cfif>
    <!--- MAK: Does the services file exist? --->
    <cfif NOT fileExists(serviceDir & circ & ".cfc")>
        <cffile action="write" file="#serviceDir##lcase(circ)#.cfc" output="#servicesContent#">
    </cfif>
    <!--- MAK: Does the DAO file exist? --->
    <cfif NOT fileExists(DAODir & circ & ".cfc")>
        <cffile action="write" file="#DAODir##lcase(circ)#DAO.cfc" output="#daoContent#">
    </cfif>
    <!--- MAK: Creat the Directory in the view along with a default.cfm --->
    <cfif NOT directoryExists(viewDir & lcase(circ))>
        <cfdirectory action="create" directory="#viewDir##lcase(circ)#">
        <cffile action="write" file="#viewDir##lcase(circ)#\default.cfm" output="<h4>Hello World</h4>">
    </cfif>
</cfloop>

That's it. The end result is matching DAO, Controller and service files and view folders. Of course I may delete some of them or merge or whatever as my FW1 application takes shape, but having a matching convention with Fusebox let's me examine code from one into the other without a lot of fuss.

Follow Up

I created a script that handles the "second" part of fuseaction and places an CFM in the views folder as a placeholder. Basically "reports.users" should result in a /views/reports/users.cfm file containing HTML. This is where the eventual display code will be housed.

  • Share:

It's Up To Us To Stop Hackers

Wil Genovese February 20, 2019 6:20 PM ColdFusion, Coldfusion Security, Security Comments (1)

The first month of 2019 has passed and it was full of year end wrap up articles about anything and everything from 2018. Most were fluff articles on pop culture and such. What I found most interesting were the articles that quantified the past year of hacking and security breaches. According to NBC News, Hackers stole nearly half a billion personal records in 2018. There were fewer breaches, but the breaches were bigger and worse and more data than ever was stolen. Crypto-miners have improved as well and not in a good way. Previously I wrote about Cryptojacking and Hacking for Bitcoins. These are malware attacks where hackers install crypto-miners on servers they have compromised. The Crypto-miners use your CPUs to make money for themselves. Hackers have taken this malware to a new level of deviousness. The malware can now target and remove cloud security products as reported here and here.

It's been a banner year for the hackers.

Read More
  • Share:

ColdFusion Bug Introduced In Newest Update

Wil Genovese February 13, 2019 7:27 PM ColdFusion, Coldfusion Security Comments (3)

UPDATE: Adobe has released updates for the last update.
  • ColdFusion 11 Update 17 was released that supersedes Update 16.
  • ColdFusion 2016 Update 9 that supersedes Update 8.
Many of us have been testing these new updates including myself and so far they look good. We have not heard any news on any additional updates for ColdFusion 2018

alert everyone that there is a critical bug that was introduced with yesterdays updates for ColdFusion 2018, ColdFusion 2016, and ColdFusion 11. Adobe is very actively working on a resolution. The bug is simply this, in cfscript queryExecute() is broken. This is the bug report.

Here is an example of what is no longer working. Example one is a cfscript based CFC file.

component output="false"
{
    public query function getRoles() {
        var userRoles ='';
        var sql = "SELECT roleId, roleName FROM userRole ORDER BY roleID";
        userRoles = queryExecute(sql);
        return userRoles;
    }
}

Example two is a cfscript block in a CFML file.

<cfscript>
userRoles = '';
sql = "SELECT roleId, roleName FROM userRole ORDER BY roleID";
userRoles = queryExecute(sql);

writeDump(userRoles);
</cfscript>

The code causes a Java error at the queryExecute() statement. Many of us are working with Adobe to provide test cases, stack traces, and testing hot fixes in order to get this resolved as fast as possible. Until there is a fix, if your application is using cfscript based queries, you will want to hold off on the update.

CF Webtools Developer Teams are ColdFusion experts and are ready to build your applications. We are also an Amazon Partner. Our Operations Group can build, manage, and maintain your AWS services including ColdFusion servers. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at CF Webtools .

  • Share:

New ColdFusion 2018 and ColdFusion 2016 Updates and Patches

Wil Genovese February 12, 2019 3:43 PM ColdFusion, Coldfusion Security Comments (2)

Adobe just released updates for ColdFusion 2018, ColdFusion 2016, and ColdFusion 11. Please note that this is most likely the last update that ColdFusion 11 will receive due to it's core support end of life is coming up in April of 2019.

Some New Features

  • This update includes adding support for Java 11 to ColdFusion 2018 and ColdFusion 2016. ColdFusion 11 did NOT get this update most likely due to ColdFusion 11 nearing end of life.
  • ColdFusion 2018: Server Auto-lockdown includes a new installer for Mac OS.
  • ColdFusion 2018 and ColdFusion 2016: Updated the following OEMs:
    1. Jetty 9.4.12
    2. ExtJS 6.6
    3. JPedal 8.4.31
  • ColdFusion 2018 and ColdFusion 2016: You can use cfloop as script for arrays, lists, structs, or queries.
  • ColdFusion 2018: New platform support matrix for the following:

Adobe has updated more features for ColdFusion 2018 and ColdFusion 2016 including new mobile updates and Performance Monitor Updates. It's time to update your servers.

CF Webtools Developer Teams are ColdFusion experts and are ready to build your applications. We are also an Amazon Partner. Our Operations Group can build, manage, and maintain your AWS services including ColdFusion servers. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at CF Webtools .

  • Share:

Using CDN for Entire Website and Country Blocking - Part 3

This is Part 3 in a short series of articles about blocking entire countries from a website. Parts one and two cover CloudFlare and CloudFront.

CF Webtools has been asked numerous times to block an entire country or countries by many clients. The issue is that there's a lot of hacker activity from certain identified countries and the client(s) does not do any business with those countries. Typically it's entire server hacking attempts, but more recently it's to use the client's shopping cart to "test" stolen credit cards. This is a very serious problem and as such clients are asking us to help them prevent this from happening. One potential solution is to block the IP addresses that these attacks are coming from. I refer to this as the Whack-A-Mole method because it's just like that arcade game. As soon as you block one IP they switch to another IP address.

We need a better solution. I looked into what we could do and how reasonable and feasible the various options are in terms of technology and cost. In my previous two articles I wrote about using CloudFlare and AWS CloudFront. In this article I'm writing about using a slightly better hammer in the Whack-A-Mole method to block entire countries. This is one of the simplest but also least effective methods.

The option many of us have traditionally done is blocking problematic IP's on a case by case basis and in extreme cases blocking entire IP ranges. I've often referred to this as the Whack-A-Mole method. It's reactive and not proactive. A real hacker would not use their own personal IP and there is no guarantee that the IP will always remain with an unscrupulous user. Normally I do not block an IP because bad stuff happened from that IP once. However, I have noticed the same IP or IP ranges launching attacks on multiple unrelated, hosted at different locations, and different client's servers. That's when I start pounding the IP with the ol' Ban Hammer! Also, blocking and entire country with this method would mean being able to know all the possible IP addresses or address blocks assigned to a particular country. This is knowable!

I did some research on this and found a few very helpful resources. Resources like this http://ipdeny.com/ipblocks/ and this https://www.sitepoint.com/how-to-block-entire-countries-from-accessing-website/. These sites keep an updated list of IP addresses assigned to every country in the world. These are made available in the form of individual text files per country. And in the case of the SitePoint page, you can download a pre-scripted config file for many versions of web servers and firewalls. Hammer Time!

In the case of the country our client wants to block there are over 130 IP entries. These are in the form of CIDR IP ranges. This is the good news. The harder part here is that means there would have to be 130 plus entries manually added into IIS or a firewall. And this is for a smaller country. Larger countries, including countries that are known for hacking, have many thousands of CIDR IP ranges. But at least I can download the scripts for Apache and IIS from the SitePoint page and paste them into the respective config files.

What are the downsides to this method? First off I do not know if there would be any performance hit to IIS or Apache if we were to start entering thousands of IP restrictions. I do know that AWS restricts Network ACL's to an absolute max of 40 rules in their VPC's due to "performance issues" if more were added. We're still whacking at moles. IP assignments for countries can change thus you would need to update your static list of IP bans in your web server.

This is an example of how Apache 2.4 is configured.

<RequireAll>
Require all granted
Require not ip 5.11.40.0/21
Require not ip 5.34.160.0/21
Require not ip 5.43.192.0/19
Require not ip 5.102.96.0/19
.....
Require not ip 217.78.48.0/20
</RequireAll>

This is an example of how the IIS XML web.config is configured. The CIRD notation needs to be converted to IP and network mask format.

<?xml version="1.0"?>
<configuration>
<system.webServer>
<security>
<ipSecurity allowUnlisted="true">
<clear/>
<add ipAddress="5.11.40.0" subnetMask="255.255.248.0"/>
<add ipAddress="5.34.160.0" subnetMask="255.255.248.0"/>
<add ipAddress="5.43.192.0" subnetMask="255.255.224.0"/>
<add ipAddress="5.102.96.0" subnetMask="255.255.224.0"/>
.....
<add ipAddress="217.78.48.0" subnetMask="255.255.240.0"/>
</ipSecurity>
</security>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>

In conclusion each option; CloudFlare, CloudFront, and IP Banning, each have their benefits and costs. CloudFront was the easiest of the three to setup and if the downsides of the IP address masking isn't an issue then it is likely the most viable solution. The AWS CloudFront solution may be best if you are already on AWS and you have an understanding of AWS Solutions Architecting. Both CDN options have country restrictions (and rate limiting) that will help in preventing potential credit card scammers from misusing your shopping carts. IP Banning is simplistic, it has no additional dollar costs. But it may be a performance hit to your web server if you have a very large number of IP restrictions. You may also have to update the IP lists if IP assignments to a country change. It's also worth noting that all methods can be bypassed via proxies.

CF Webtools is an Amazon Web Services Partner. Our Operations Group can build, manage, and maintain your AWS services. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.

  • Share:

Using CDN for Entire Website and Country Blocking - Part 2

This is Part 2 in a short series of articles about blocking entire countries from a website. See Part 1.

CF Webtools has been asked numerous times to block an entire country or countries by many clients. The issue is that there's a lot of hacker activity from certain identified countries and the client(s) does not do any business with those countries. Typically it's entire server hacking attempts, but more recently it's to use the client's shopping cart to "test" stolen credit cards. This is a very serious problem and as such clients are asking us to help them prevent this from happening. One potential solution is to block the IP addresses that these attacks are coming from. I refer to this as the Whack-A-Mole method because it's just like that arcade game. As soon as you block one IP they switch to another IP address.

We need a better solution. I looked into what we could do and how reasonable and feasible the various options are in terms of technology and cost. In this article I'm writing about using Amazon Web Services CloudFront to block entire countries.

Amazon AWS CloudFront
AWS CloudFront does offer country blocking. I thought this would be an easy setup, but it isn't. When I tried to setup AWS CloudFront to 'front' an entire website I found there are many pieces that needed to be in place in order for CloudFront to handle the entire website.

Route 53 is needed or any other DNS that allows an ALIAS record for the Zone Apex record. This is because the Zone Apex record (root record) will be set to the URL provided by CloudFront and not an IP address.

Elastic Load Balancing is needed. The CloudFront origin (EC2 server) needs to be behind an TCP Elastic Load balancer. If there is only one site then the ELB target can be the instance itself. If the EC2 instance hosts multiple different sites, then we need to add multiple internal IP addresses to the instance and configure the origin site to be on it's own IP. Then the ELB should be configured to that internal IP address and not instance. If you are passing host headers in the CloudFront 'Behavior' section then you can have a single IP on the web server with multiple sites per usual for virtual name hosting. You have to setup the TCP ELB as TCP port 80 passthrough in order to pass the original IP addresses to the web server.

AWS Certificate Manager is needed to create a new free SSL for the domain name being setup in CloudFront. (I say it's needed because all sites should be using TLS protocols these days.) I found a wild card certificate works well.

Then lastly AWS CloudFront itself can be setup. The settings are a bit tricky. The Origin will be the ELB which will then pass requests to the EC2 instance. If you want or need forms to be posted to the website then you need to select "GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE" option for Allowed HTTP Methods. If you need to allow logins then you have to choose "All" for Forward Cookies.

There are costs to each part. Route 53 charges by zone and number of requests. Elastic Load Balancing charges by the hour and by data transfer amounts. Then Cloud Front charges by data transfer amount.

There are downsides to this method as well. In addition to the AWS method being harder and more complex to setup there are more costs involved. I can pass the original requesting IP address through to the web server, it still comes through in the X-Forwarded-For custom header. In Apache it's easy to globally capture and place this value into log files or the CGI scope. IIS does not allow this to be done at a global level meaning each IIS site must be configured for the custom headers. Additionally, you may need to custom code the web application to read X-Forwarded-For no matter which web server you are using.

After you have all of that setup, configured, and working you can now start blocking countries. This is done in the AWS CloudFront Restrictions section. You can add a Geo-Restriction blacklist or whitelist by country.

Part 3 will cover using IIS and Apache and a slightly better hammer in the Whack-A-Mole method.

CF Webtools is an Amazon Web Services Partner. Our Operations Group can build, manage, and maintain your AWS services. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.

  • Share: