ColdFusion and ColdFusion Builder source code have been stolen

by kai on 05/10/2013



So, there we go. Adobe got hacked and according to Krebs on Security and Adobe themselves, among other things, the source code of ColdFusion, ColdFusion Builder and other Adobe products has been stolen and shown up on hacker sites.

This is obviously an issue. I don’t want to comment on how it might or might not have happened and what the implications are for Adobe Acrobat (Reader) users. Let’s have a think about Adobe ColdFusion, a hosted server product.

First of all, according to my knowledge, it’s not clear yet which versions of Adobe ColdFusion’s source code has been stolen/leaked. It might be CF 4 or 5 and therefore less of a worry. More likely however is that it’s a or multiple recent versions of ColdFusion. What does that mean for both Adobe and you, your users and customers? I’ll try to look at the problems this development is most likely going to cause from a few different angles. Your mileage might vary.

  1. Hackers have the source code of a server product that’s being hosted on thousands of web and application servers all over the world. A major user for instance is the US Federal Government and currently the European Union (even though there are strong movements towards changing to Railo people within EU organisations looking into moving towards Railo in the latter).
  2. ColdFusion 9 and 10 recently had a a reputation for being easily hackable due to some exploits that got not that well patched and even then the patches are notoriously difficult to apply for administrators. This has become much better with ColdFusion 10 though. There has been a whole series of hacks against hosting companies and users of CF servers.
  3. Take 1 and 2 and you can safely expect that there will be a bunch of new exploits coming along for CF users. This time about 10x worse because hackers have the actual source code.
  4. Some people argued on mailing lists or in blogs that hackers could just decompile the Java bytecode CF is delivered through. That is true. However, if you HAD ever done that, you’d see that it’s much easier for a hacker (or anyone, really) to go through actual, probably commented, source code instead of auto-generated decompiled-from-a-bytecode-file source code.
  5. Trust: When one buys a commercial, closed source product, one puts a certain level of trust into the vendor of the product and its support. It’s implicit “security-by-keeping-the-source-code-in-a-vault”. I don’t want to discuss if that’s good or bad in the first place, but now that vault has been broken into. So – the people who know about bugs, security holes and other issues are not solely Adobe anymore, but Adobe and the Hackers. Can I safely trust an CF installation from now on? Can people safely recommend customers to install CF? I struggle with that thought.
  6. Trust flow-on effects: I wonder how long it takes until organisations like PCI have issues with issuing CF-driven sites as PCI-compliant in an e-commerce context. A commercial application server of which the hacked source code is out in the wild – is that trustworthy?
  7. Some people argued recently that Railo’s and OpenBD’s source code are open and out there as well. Wouldn’t that be the same then? The short answer – no. Both Railo and OpenBD are open source. It’s intentionally opened. There’s a community, there’s transparency. If you don’t trust Railo, inspect the source code – that’s (among other things) why it’s out there.

What’s the way out here for Adobe? I honestly don’t know – but my gut feeling is that their only option would be to in some way open source the product for everyone while keeping commercial distribution rights (I assume they still try to make money from it). I’m at this stage not even sure if and how that’d be feasible. In the meantime – be aware of this situation and that there will be a sting a hacking attacks soon. It’s not a question of IF, but WHEN.

{ 3 comments… read them below or add one }

Adam Cameron October 5, 2013 at 11:52 pm

That’s a good, level-headed, matter-of-fact appraisal Kai: nice one.

Adobe need to come up with a position here, and let us know what they’re gonna do. As you say: trust has been dissolved here, so simply pretending it didn’t happen and hoping people forget once it goes off the media radar is not an approach they should – in the spirit of enterprise professionalism – consider here.

They need to square away with their legal team whatever they need to do to open source this lot, and do it.

I touched on this topic on my own blog yesterday: http://cfmlblog.adamcameron.me/2013/10/well-like-it-or-not-its-open-source-now.html, and one of the people reading it pointed out that both Atlassian and Unreal (ie: the game) have a paid-for open source model, which seems to work pretty well for both of them. Adobe should consider that route. It’s a win-win, really: they still get to charge for whatever they can position as being “value-added”, and as custodians of the project, but us poor saps out in the community will help them do their work.

Adobe can have a PR win out of this if they approach things the right way. However at the moment 2013 has been a bit of a PR disaster for them as far as CF goes.

Cheers for offering your thoughts on this subject, Kai.


Adam

Reply

Andy Allan October 7, 2013 at 9:02 pm

Unless you know something the rest of the world doesn’t, including folks working at the European Commission, there are currently NO plans for them to move to Railo.

In fact, most moves are for ColdFusion sites to be migrated to Drupal.

Reply

Kai October 7, 2013 at 11:38 pm

Just as a clarification – this particular comment was based on a conversation with someone working in the web space for the EU and this person was investigating a move towards Railo for their organisation. The wording “strong movements” was maybe not the best, I’ve corrected that now.

Reply

Cancel reply

Leave a Comment

Previous post:

Next post: