An update on HTTPOnly marked cookies in Railo 4.1

by kai 30/11/2013

In January this year, I wrote a blog post to advise people how to make the default installation of a Railo 4 server more secure. One of the elements was to make sure you’re using HttpOnly marked cookies for your session cookies (depending on your setup that might be JSESSIONID or CFID/CFTOKEN). In the blog […]

Read the full article →

Adobe ColdFusion and Railo users: be aware of the newest Apache Tomcat trojan/worm

by kai 27/11/2013

Symantec has recently discovered a trojan/worm-ish thing that threatens application servers running Apache Tomcat. It seems to follow the typical command & control pattern with control servers having been found in Taiwan and Luxembourg so far. This threat is using a very specific attack vector by trying to spread via the Apache Tomcat Managers and […]

Read the full article →

ColdFusion and ColdFusion Builder source code have been stolen

by kai 05/10/2013

So, there we go. Adobe got hacked and according to Krebs on Security and Adobe themselves, among other things, the source code of ColdFusion, ColdFusion Builder and other Adobe products has been stolen and shown up on hacker sites. This is obviously an issue. I don’t want to comment on how it might or might […]

Read the full article →

ColdFusion – just another security hole…

by kai 16/05/2013

It’s getting to the point where people who’re looking at this must be saying: “Man, this is getting really embarrassing for Adobe”. There’s another (unspecified) security hole that users were made aware of May 8, 2013. The patch was then announced for and released on May 14, 2013, for the days in-between there was only the recommendation […]

Read the full article →

Be aware: there’s another new security hotfix for Adobe ColdFusion 9 and 10

by kai 14/04/2013

Late last week, Adobe’s CF team has released another security hotfix for Adobe ColdFusion 9 and 10. You can find the security bulleting and the respective technote here: Security bulletin: Tech note: Installing it follows the common pattern of recent security hotfixes and updaters. And with me saying that it should be clear that it’s […]

Read the full article →

Railo and ColdFusion on Java 7: don’t forget the crypto extensions

by kai 02/04/2013

So – more on the whole Java 7 thing again. The other day I got an “Illegal key size or default parameters” error on one of my dev VMs. I was using the VM for quite a while and from what I could see the codebase had not changed significantly. Weird. All of a sudden […]

Read the full article →

Recent Adobe ColdFusion hotfixes

by kai 11/03/2013

A few days ago, Adobe released a set of hotfixes for the currently supported versions of ColdFusion (9 and 10). Those hotfixes cater for a variety of things, among others – support for Java 7. ColdFusion 9 and 9.0.1 Unfortunately things are not as easy as they could have been. On Feb 27, 2103 Adobe […]

Read the full article →

Aaaand… another JVM update…

by kai 10/03/2013

I thought it’d be over, but it turns out that I was wrong. Oracle has pushed out JDK/JRE 1.6.0_43 – their first (of maybe many) security bugfixes of Java 6 post-end-of-support. The new security baseline is now 1.6.0_43, check out the release notes and the relevant Security Alert document. From what I can see the patched […]

Read the full article →

Another Java security baseline update (ColdFusion, Railo and others)

by kai 22/02/2013

There’s just been another release of Java 6 that is relevant for the security of your ColdFusion or Railo servers (but also for anything and anyone else running a Java-based server or client product). After having pushed out Update 39 just recently, Oracle has released Java 6 Update 41 (also known as JDK 1.6.0_41) and […]

Read the full article →

Java | ColdFusion | Railo security update

by kai 05/02/2013

This is just a quick free-of-charge public service announcement that Oracle has released Java 6 Update 39. Why is this important for users of ColdFusion or Railo? A lot of people are running their Railo and ColdFusion servers on Java 6. Update 39 is a so called “update to the JRE Security Baseline of Java […]

Read the full article →