-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2013-0006
Title: Multiple Vulnerabilities in Adobe ColdFusion [1]
Version history: 9.01.2013 Initial publication

Summary
=======

Adobe has identified three vulnerabilities affecting ColdFusion for Windows, Macintosh and UNIX:

CVE-2013-0625 affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user to remotely circumvent authentication controls, potentially allowing the attacker to take control of the affected server.

CVE-2013-0629 affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user access to restricted directories.

CVE-2013-0631 affects ColdFusion 9.0.2, 9.0.1 and 9.0, and could result in information disclosure from a compromised server.

Vulnerable systems
==================

ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX

What can you do?
================

Adobe recommends ColdFusion customers take the following steps to mitigate these vulnerabilities:

- Configure a username and password for Remote Development Services (RDS). These credentials should be different from the Administrator account. After configuring the username and password, disable RDS.

- Disable external access to the following directories for all hosted sites:

  /CFIDE/administrator
  /CFIDE/adminapi
  /CFIDE/componentutils

- Remove any unknown or unnecessary ColdFusion components or templates from the CFIDE or webroot directories.

- Implement access control restrictions for the Administrator interface and internal applications via the Administrator Console (ColdFusion 10) or within your web server's access control mechanisms (versions 9.0.2 and below).

- Ensure your ColdFusion product has the latest hotfix applied.

- Refer to the ColdFusion 9 Lockdown Guide [2] and the ColdFusion 10 Lockdown Guide [3] for security best practices and further information on these hardening techniques.

What to tell your users?
========================

N/A.

More information
================

[1] http://www.adobe.com/support/security/advisories/apsa13-01.html
[2] http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf
[3] http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/CF10%20Lockdown%20Guide.pdf

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJQ7ZEnAAoJEPpzpNLI8SVoz4oQAJi1GdhKzuIYTvD4yE+BBRnr
nfhB1hFd4ATU5wYzBHkIHdA1jecoRiiaoXorAw+Poo5mE78prYWa5BLkwAAr7Qvn
gKsJ33WQmnPRjs9fddu1mb/38c+/YnYMDpDZDdr76ANZAw2h5Y/5aJe2XtgY5TXK
KXaa82aSTtaLk6jxST6lrl5UwuqsSwhMzSVZSBU3Nx5YzteI98sObCwlbGWmc+GP
WLJ7QCeXinxt0dCvc1zG7hdWsujWBVjmyyjtY/3vPUupiGewDNKJiyCAtgOfWNWM
5Y4xTDRJHFFsFX7w1UfV8Qqyit7Tlbzu8YIAsD9evh2msVLcSe3lLhvzZv45PQYC
ib6yVNHgQA/412TsbtPZhGas2QNl1qDu1EVy+uzmDtCHczu9QSXhvTSvYxbVpcTS
pKL+1ty6I77/Jg8tj8W1YF744uZ0nuqkGb84ZARLRn+UDupjr0GReVxhvdOpYMm1
2o3RyljFfic7iAZGCRgPPEEti7oZMc9H8hqqUIlayG0GrZ3DvnxBv8DRtbP5yZ9c
j9lN3ugYANZutUInsiRZu609J9hlHWj4rg5qDgVOKQvSCaC+inoIontKZ9iV+meg
Nva+sxrz0yNb6LiHj4veHVIbKuAOgBb9sn5JivG/XLEvSmmHxJfqTxvKocnQqmQM
YGZ3gyXwVWcr2nD48WnL
=5Q2q
-----END PGP SIGNATURE-----
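Appended example (not part of the CERT-EU advisory or Adobe's guidance) for the "Disable external access" step in the "What can you do?" section above: a POSIX shell check, run from outside the trusted network, that confirms the three CFIDE directories named in the advisory are no longer served. It assumes curl is installed; the base URL argument, the User-Agent string and the status-to-verdict mapping are this example's own choices.

```shell
# Added example, not from the advisory: probe the three CFIDE directories the
# advisory says must not be reachable externally and report which still are.
# Assumes curl; the base URL is passed as an argument (hypothetical host).

CFIDE_PATHS="/CFIDE/administrator/ /CFIDE/adminapi/ /CFIDE/componentutils/"

# Map an HTTP status code (curl prints 000 when nothing answered) to a verdict.
# Any 2xx or 3xx means the path is being served: a 302 to the login page still
# means the Administrator is reachable, which is what the advisory wants
# prevented. 401/403/404 mean the web server or a firewall refused the request.
classify_cfide_status() {
    case "$1" in
        2[0-9][0-9]|3[0-9][0-9]) echo EXPOSED ;;
        401|403|404)             echo BLOCKED ;;
        000)                     echo UNREACHABLE ;;
        *)                       echo UNKNOWN ;;
    esac
}

# Probe one base URL (e.g. https://www.example.org) for all three paths.
# Prints one line per path; returns 1 if any path is still exposed.
check_cfide_exposure() {
    base="${1%/}"
    rc=0
    for p in $CFIDE_PATHS; do
        code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
               -A 'cfide-exposure-check' "$base$p")
        verdict=$(classify_cfide_status "$code")
        printf '%-28s %s %s\n' "$p" "$code" "$verdict"
        [ "$verdict" = EXPOSED ] && rc=1
    done
    return $rc
}

# Usage: check_cfide_exposure https://www.example.org
```

Run it from a host outside the ranges you allow in the web server's access control, otherwise a source-IP restriction will look like a block that does not exist for an attacker. A 404 is an acceptable result: on a public-facing site the cleanest end state is that the web server never forwards /CFIDE to ColdFusion at all. Repeat the check after every hotfix or connector reconfiguration, since those can recreate the default mappings.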