April 17, 2013

ColdFusion Administrator Security Update APSB13-10

A new ColdFusion exploit has been discovered in which a vulnerability allows an attacker to impersonate an authenticated user. In the past months, Edge Web Hosting has locked down all CF administrator instances by IP address. While this restriction is still in place, we still recommend applying the patch for ColdFusion 9 and ColdFusion 10. Adobe has marked ColdFusion 8 as end of life, and a patch is not available for that version. According to the bulletin published by Adobe, it is not currently known whether this vulnerability affects ColdFusion 8: http://www.adobe.com/support/security/bulletins/apsb13-10.html. Securing the ColdFusion administrator by IP address is still recommended for customers running ColdFusion 8.

We recommend that all customers read the Adobe bulletin and secure their machines if possible. Customers should follow the steps listed below. The patch requires a ColdFusion restart, and downtime for ColdFusion services can range from 5-10 minutes depending on the server.

Any customers needing assistance with this security patch should contact Support by submitting a ticket through the customer portal at https://support.edgehosting.com.