-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

     ESB-2001.286 -- Macromedia Product Security Bulletin (MPSB01-07)
                     ColdFusion Server security issues
                               12 July 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                ColdFusion Server 2.x
                        ColdFusion Server 3.x
                        ColdFusion Server 4.x
Vendor:                 Macromedia
                        Allaire
Operating System:       Windows
                        Solaris
                        Linux
                        HP-UX
Impact:                 Access Privileged Data
                        Modify Arbitrary Files
Access Required:        Remote

--------------------------BEGIN INCLUDED TEXT--------------------

Macromedia Product Security Bulletin (MPSB01-07) 
Macromedia releases patch that addresses ColdFusion Server security issues. 

Originally Posted: July 11, 2001 

Summary

Macromedia has released a patch that addresses two ColdFusion Server security issues that
affect all server versions from 2.0 through 4.5.1 SP2 (all editions). The issues were
discovered through a routine internal security audit. They could potentially allow read
and delete access to files on machines running ColdFusion Server, and could allow
ColdFusion Server templates to be overwritten with zero-byte files. Customers are strongly
encouraged to upgrade their servers to ColdFusion Server 5 or install the patch as soon as
possible. The security issues DO NOT affect ColdFusion Server 5.

Issue

As part of a routine internal security audit of ColdFusion Server, Macromedia discovered two
potential security issues. One issue could allow unauthorized read and delete access to files on a
machine running ColdFusion Server. The other issue could allow ColdFusion Server templates
to be overwritten with a zero-byte file of the same name. The issues affect ColdFusion Server
versions 2.0 through 4.5.1 SP2 (all editions). The security issues DO NOT affect ColdFusion
Server 5.

Macromedia has released a patch that addresses the issues on the versions listed below. The
patch has been thoroughly tested for stability. Customers should expect a 3-8% performance
degradation as a result of installing the patch. Macromedia strongly recommends that
customers install the patch on all production servers or upgrade to ColdFusion Server 5.

Affected Software Versions 

    ColdFusion Server 2.x, 3.x, 4.x 

What Macromedia Is Doing

Macromedia has notified customers of the security issues through standard communication
channels and released a patch that addresses the issues. The patch is now available for
download for the following server versions: 3.1.1, 4.0, 4.0.1, 4.5, 4.5.1, 4.5.1 SP1, 4.5.1 SP2.
The patches apply to both English language and localized editions (French, German, and
Japanese). 

Download - MPSB01-07 ColdFusion Security Patch (Windows Editions) 
http://a725.g.akamai.net/7/725/3564/v002/download.macromedia.com/publicdl/update/en/coldfusion/45/CFMPSB0107Windows.exe

Download - MPSB01-07 ColdFusion Security Patch (Solaris Editions) 
http://a725.g.akamai.net/7/725/3564/v002/download.macromedia.com/publicdl/update/en/coldfusion/45/CFMPSB0107Solaris.tar.gz

Download - MPSB01-07 ColdFusion Security Patch (Linux Editions) 
http://a725.g.akamai.net/7/725/3564/v002/download.macromedia.com/publicdl/update/en/coldfusion/45/CFMPSB0107Linux.tar.gz

Download - MPSB01-07 ColdFusion Security Patch (HP-UX Editions) 
http://a725.g.akamai.net/7/725/3564/v002/download.macromedia.com/publicdl/update/en/coldfusion/45/CFMPSB0107HPUX.tar.gz

To install this patch for Windows, download and run the executable file. NOTE: Customers
patching ColdFusion 4.x who are using MS IIS must first install the MSVCRT 6.0 runtime
libraries, available here.

To install this patch for Solaris, Linux or HP-UX, download the appropriate file, and review the
readme.txt file before installing.


Customers running ColdFusion Server versions 2.0 or 3.0 are strongly encouraged to upgrade
their servers to a more recent release. No patch will be made available for versions 2.0 or 3.0. 

Customers running Versions 3.1.1, 4.0, 4.0.1, 4.5, 4.5.1, 4.5.1 SP1, or 4.5.1 SP2, are strongly
encouraged to install the patch immediately on all production servers. 

(Note: Macromedia's standard support policy is one release back. But for these particular
issues, Macromedia has released patches three releases back. To stay current with the latest
features, enhancements, and updates, customers are encouraged to move to the most recent
release of the server.) 
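As an added example (not Macromedia's or AusCERT's code), a small Python triage helper that applies the version rules stated in this bulletin: the affected range (2.0 through 4.5.1 SP2), the releases for which the patch is available, and the releases that will receive no patch are taken from the text above; the way inventory tools spell version strings such as "4.5.1 SP2" is an assumption.

```python
"""Triage a ColdFusion Server version string against bulletin MPSB01-07.

Added example, not vendor code. Version ranges and release lists come from
the bulletin; the spelling of version strings (e.g. "4.5.1 SP2") is assumed.
"""
import re

# Lowest and highest affected releases named in the bulletin: 2.0 .. 4.5.1 SP2,
# encoded as (major, minor, patch, service_pack) so tuples compare in order.
AFFECTED_LOW = (2, 0, 0, 0)
AFFECTED_HIGH = (4, 5, 1, 2)

# Releases for which the bulletin says the MPSB01-07 patch is downloadable.
PATCHED_RELEASES = {"3.1.1", "4.0", "4.0.1", "4.5", "4.5.1", "4.5.1 SP1", "4.5.1 SP2"}

# Releases the bulletin explicitly says will not receive a patch.
NO_PATCH_RELEASES = {"2.0", "3.0"}

# Assumed inventory format: "major[.minor[.patch]][ SPn]", case-insensitive.
_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\s*SP\s*(\d+))?\s*$", re.I)


def parse_version(text):
    """Turn '4.5.1 SP2' into the comparable tuple (4, 5, 1, 2)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised ColdFusion version: %r" % text)
    return tuple(int(g) if g else 0 for g in m.groups())


def normalise(text):
    """Canonical spelling used in the bulletin's lists, e.g. '4.5.1 sp2' -> '4.5.1 SP2'."""
    major, minor, patch, sp = parse_version(text)
    base = "%d.%d" % (major, minor) + (".%d" % patch if patch else "")
    return base + (" SP%d" % sp if sp else "")


def triage(text):
    """Return (status, reason) for one server: what this bulletin asks the admin to do."""
    v = parse_version(text)
    name = normalise(text)
    if not (AFFECTED_LOW <= v <= AFFECTED_HIGH):
        return "not_affected", "outside 2.0 .. 4.5.1 SP2 (e.g. ColdFusion Server 5)"
    if name in PATCHED_RELEASES:
        return "patch_available", "install the MPSB01-07 patch or upgrade to ColdFusion Server 5"
    if name in NO_PATCH_RELEASES:
        return "upgrade_required", "bulletin states no patch will be made available for 2.0 or 3.0"
    return "upgrade_required", "affected release not in the bulletin's patch list"
```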

Revisions

July 11, 2001 - Bulletin first released. 

Reporting Security Issues

Macromedia is committed to addressing security issues and providing customers with the
information on how they can protect themselves. If you identify what you believe may be a
security issue with a Macromedia product, please send an email to secure@allaire.com. We will
work to appropriately address and communicate the issue. 

Receiving Security Bulletins

When Macromedia becomes aware of a security issue that we believe significantly affects our
products or customers, we will notify customers when appropriate. Typically this notification will
be in the form of a security bulletin explaining the issue and the response. Macromedia
customers who would like to receive notification of new security bulletins when they are
released can sign up for our security notification service. 

For additional information on security issues at Macromedia, please visit:
http://www.allaire.com/security. 

THE INFORMATION PROVIDED BY MACROMEDIA IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY
OF ANY KIND. MACROMEDIA AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR
IMPLIED OR OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF NON-INFRINGEMENT, TITLE OR QUIET
ENJOYMENT. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE
ABOVE EXCLUSION MAY NOT APPLY TO YOU.

IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER
INCLUDING, WITHOUT LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE,
COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES,
BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF CONTRACT, BREACH OF WARRANTY,
TORT(INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF MACROMEDIA, INC. OR ITS
SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
(USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO
YOU AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE. 

Macromedia reserves the right, from time to time, to update the information in this document
with current information.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

-----END PGP SIGNATURE-----