-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
               AUSCERT External Security Bulletin Redistribution

         ESB-2001.286 -- Macromedia Product Security Bulletin (MPSB01-07)
                        ColdFusion Server security issues
                                 12 July 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                ColdFusion Server 2.x
                        ColdFusion Server 3.x
                        ColdFusion Server 4.x
Vendor:                 Macromedia Allaire
Operating System:       Windows
                        Solaris
                        Linux
                        HP-UX
Impact:                 Access Privileged Data
                        Modify Arbitrary Files
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

Macromedia Product Security Bulletin (MPSB01-07)

Macromedia releases patch that addresses ColdFusion Server security issues.

Originally Posted: July 11, 2001

Summary

Macromedia has released a patch that addresses two ColdFusion Server
security issues which affect all server versions from 2.0 through 4.5.1 SP2
(all editions). The security issues were discovered through a routine
internal security audit. The security issues potentially expose read and
delete access to files on machines running ColdFusion Server as well as
overwriting ColdFusion Server templates with zero byte files. Customers are
strongly encouraged to upgrade their servers to ColdFusion Server 5 or
install the patch as soon as possible. The security issues DO NOT affect
ColdFusion Server 5.

Issue

As part of a routine internal security audit of ColdFusion Server,
Macromedia discovered two potential security issues. One issue could allow
unauthorized read and delete access to files on a machine running ColdFusion
Server. The other issue could allow ColdFusion Server templates to be
overwritten with a zero byte file of the same name. The issues affect
ColdFusion Server versions 2.0 through 4.5.1 SP2 (all editions). The
security issues DO NOT affect ColdFusion Server 5.
Macromedia has released a patch that addresses the issues on the versions
listed below. The patch has been thoroughly tested for stability. Customers
should expect a 3 - 8% performance degradation as a result of installing the
patch. Macromedia strongly recommends that customers install the patch on
all production servers or upgrade to ColdFusion Server 5.

Affected Software Versions

ColdFusion Server 2.x, 3.x, 4.x

What Macromedia Is Doing

Macromedia has notified customers of the security issues through standard
communication channels and released a patch that addresses the issues. The
patch is now available for download for the following server versions:
3.1.1, 4.0, 4.0.1, 4.5, 4.5.1, 4.5.1 SP1, 4.5.1 SP2. The patches apply to
both English language and localized editions (French, German, and Japanese).

Download - MPSB01-07 ColdFusion Security Patch (Windows Editions)
http://a725.g.akamai.net/7/725/3564/v002/download.macromedia.com/publicdl/update/en/coldfusion/45/CFMPSB0107Windows.exe

Download - MPSB01-07 ColdFusion Security Patch (Solaris Editions)
http://a725.g.akamai.net/7/725/3564/v002/download.macromedia.com/publicdl/update/en/coldfusion/45/CFMPSB0107Solaris.tar.gz

Download - MPSB01-07 ColdFusion Security Patch (Linux Editions)
http://a725.g.akamai.net/7/725/3564/v002/download.macromedia.com/publicdl/update/en/coldfusion/45/CFMPSB0107Linux.tar.gz

Download - MPSB01-07 ColdFusion Security Patch (HP-UX Editions)
http://a725.g.akamai.net/7/725/3564/v002/download.macromedia.com/publicdl/update/en/coldfusion/45/CFMPSB0107HPUX.tar.gz

To install this patch for Windows, download and run the executable file.

NOTE: Customers patching ColdFusion 4.x who are using MS IIS first need to
install the MSVCRT 6.0 runtime libraries, available here.

To install this patch for Solaris, Linux or HP-UX, download the appropriate
file, and review the readme.txt file before installing.
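The following is an added example and is not part of the Macromedia or AusCERT bulletin. It is a small Python baseline-and-compare check that an administrator could run over a ColdFusion template directory to spot the symptom of the second issue described above (a template replaced by a zero-byte file of the same name) and, more generally, any template that has gone missing or changed since a known-good snapshot was taken, for instance right after applying the patch. The template extensions (.cfm, .cfml), the directory layout and the sample files in the demonstration are assumptions constructed for this example.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: ColdFusion templates are identified by these extensions.
TEMPLATE_SUFFIXES = {".cfm", ".cfml"}


def snapshot_templates(root):
    """Return {relative_posix_path: (size_in_bytes, sha256)} for every
    template found under root. Run this once on a known-good server to
    produce the baseline, and again whenever you want to compare."""
    root = Path(root)
    snap = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in TEMPLATE_SUFFIXES:
            data = path.read_bytes()
            rel = path.relative_to(root).as_posix()
            snap[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def find_zero_byte_templates(root):
    """Quick check that needs no baseline: templates that are now empty.
    A legitimate template is never zero bytes, so any hit deserves a look."""
    return sorted(rel for rel, (size, _) in snapshot_templates(root).items()
                  if size == 0)


def diff_against_baseline(baseline, current):
    """Compare a fresh snapshot with the baseline and report, per template,
    whether it is missing, truncated to zero bytes, or changed in content."""
    findings = []
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            findings.append((rel, "missing"))
        elif current[rel][0] == 0 and size > 0:
            findings.append((rel, "truncated to zero bytes"))
        elif current[rel][1] != digest:
            findings.append((rel, "content changed"))
    return sorted(findings)


def demo():
    """Constructed scenario: build a tiny template tree, take a baseline,
    then simulate the overwrite the bulletin describes (same name, zero
    bytes) plus one deleted template, and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "index.cfm").write_text("<cfoutput>hello</cfoutput>")
        (root / "app" / "login.cfm").write_text("<cfset ok = true>")
        (root / "app" / "readme.txt").write_text("not a template, ignored")

        baseline = snapshot_templates(root)

        (root / "app" / "login.cfm").write_bytes(b"")   # zero-byte overwrite
        (root / "app" / "index.cfm").unlink()            # template removed

        zero_byte = find_zero_byte_templates(root)
        findings = diff_against_baseline(baseline, snapshot_templates(root))
        return zero_byte, findings


if __name__ == "__main__":
    empties, report = demo()
    print("zero-byte templates:", empties)
    for rel, what in report:
        print(f"{rel}: {what}")
```

The baseline dictionary is meant to be saved somewhere the web server process cannot write to (the bulletin's first issue concerns file read and delete access on the server itself), so that a later comparison is not made against a snapshot the same weakness could have altered.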
Click here to access a more detailed FAQ

Customers running ColdFusion Server versions 2.0 or 3.0 are strongly
encouraged to upgrade their servers to a more recent release. No patch will
be made available for versions 2.0 or 3.0.

Customers running versions 3.1.1, 4.0, 4.0.1, 4.5, 4.5.1, 4.5.1 SP1, or
4.5.1 SP2 are strongly encouraged to install the patch immediately on all
production servers.

(Note: Macromedia's standard support policy is one release back. But for
these particular issues, Macromedia has released patches three releases
back. To stay current with the latest features, enhancements, and updates,
customers are encouraged to move to the most recent release of the server.)

Revisions

July 11, 2001 - Bulletin first released.

Reporting Security Issues

Macromedia is committed to addressing security issues and providing
customers with the information on how they can protect themselves. If you
identify what you believe may be a security issue with a Macromedia product,
please send an email to secure@allaire.com. We will work to appropriately
address and communicate the issue.

Receiving Security Bulletins

When Macromedia becomes aware of a security issue that we believe
significantly affects our products or customers, we will notify customers
when appropriate. Typically this notification will be in the form of a
security bulletin explaining the issue and the response. Macromedia
customers who would like to receive notification of new security bulletins
when they are released can sign up for our security notification service.

For additional information on security issues at Macromedia, please visit:
http://www.allaire.com/security.

THE INFORMATION PROVIDED BY MACROMEDIA IN THIS BULLETIN IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MACROMEDIA AND ITS SUPPLIERS DISCLAIM ALL
WARRANTIES, WHETHER EXPRESS OR IMPLIED OR OTHERWISE, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
ALSO, THERE IS NO WARRANTY OF NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT.
(USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO
THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. IN NO EVENT SHALL MACROMEDIA, INC.
OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT
LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE,
COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION OR THE LIKE, OR LOSS OF
BUSINESS DAMAGES, BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF
CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY
OR OTHERWISE, EVEN IF MACROMEDIA, INC. OR ITS SUPPLIERS OR THEIR
REPRESENTATIVES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA
ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION
MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM
STATE TO STATE.

Macromedia reserves the right, from time to time, to update the information
in this document with current information.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is the
responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made. If downloading
at a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST). On call after hours for
                emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBO03C7Sh9+71yA2DNAQFuLQP+LVzzE71lNClM1MaMvIJ0lTFlg5R8QG8h
e/UjYSD2i+wYyUDkFkDUaW38oeb0jm1ub4MMQsS4eArEKnL1nDZbylgCplzVc0G6
VFzaSftswCygpmzA/MMHdDVtva2HPAR5VESzj7B+uw8G1KvIY4BNQST4RH8V+eSI
sI3MPe36btg=
=q2ac
-----END PGP SIGNATURE-----