Ajas, I'm afraid the answer is not as obvious as one may hope. And as you all know is often the case, I also don't think it can be answered in a tweet-sized reply. For those interested, read on. :-)
First, let me note that the jar filename you refer to below is for 9.0 (not 9.0.1 or 9.0.2). Are you really still running only on 9.0? Of course, I know that many are, because they just never got around to adding the free 9.0.1 updater a couple of years ago. But for anyone who has, or who installed the new 9.0.2 after May, they would want to be careful to get the correct hotfix file.

Second, besides the hotfix jar, this hotfix (like nearly all the security hotfixes and cumulative hotfixes) also entails updating the CFIDE directory. So first, again, you'd have a potential problem if you used the CFIDE for the 9.0 hotfix to update your 9.0.1 or 9.0.2 deployment (if that's what you have), as they may not be identical. (To any who would complain, "see, this is the madness with the CF hotfix process", I'd say yes, that was so at least until 10, when they added the new automated hotfix mechanism that takes care of all this for you.)

Third, even if one may feel they applied the right things in the right places, there's sadly no means provided by Adobe to "verify" if you're protected. And if you think about it, it's an unfortunate tension. While providing that would help those who did apply the fix, the converse is that the info could now be used by bad guys both to identify what servers WERE still vulnerable and, worse (for those who didn't already know what the previous hack's vulnerability was), they would now have the information needed to perpetrate the exploit.

So I'd assert that the first and best thing one can do to avoid the exploit is to protect against unfettered public access to the folders /CFIDE/adminapi, /CFIDE/administrator, and /CFIDE/componentutils. You can lock down all access to them in all sites, for instance, and then open it up only in the one site where you think it should be used, whether locking it by IP address or using additional web server authentication.
I explain this in my part 2 blog entry, in which I offer links for how to do that in different web servers. Beyond that, while I said that Adobe offers no way to confirm the fix is applied, I'll note that Pete Freitag's nifty free CF security checking service, HackMyCF.com, does now check for that vulnerability (by trying to call into your server), though note that it only checks the domains you tell it to check. If you have more than one web site on the server (as defined in IIS or Apache), you want to test those also. And even if you have a "default site" where the Admin is located, which you think is "only accessible locally", note that if it's set (in the web server) to handle "all IP addresses" or "all unassigned", then that site can potentially in fact be accessed from the outside if someone knows (or discovers) a working public IP address on the server. So that's why I recommend adding the additional web server security I mention above, even for a site you think "is not open to access from the outside" because you access it using localhost or 127.0.0.1.

Anyway, back to Pete's tool, I'll note that if you get the commercial version, that one has you put a CFC on your server, which he can then call remotely and which can explore things more closely, including confirming which specific hotfixes you do or don't have in place, etc.

Hope that's helpful.

/charlie

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Ajas Mohammed
Sent: Thursday, January 17, 2013 11:52 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] New CF Vulnerability - Check your servers

By the way, what is the best way to confirm that the security patch has been applied successfully? Personally, I could only tell based on
1) The CF Admin information page says Update Level /C:/ColdFusion9/lib/updates/hf900-00009.jar
2) On my local CF install (Windows 7), the timestamps on folders changed as I followed the steps.
I noticed though on our QA servers (Windows 2003) the folder timestamps were weird, as in they didn't show a modification datetime as the changes were being applied, which raised my curiosity. So other than these 2 things, is there another way to verify that the patching process was successful?

<Ajas Mohammed />
iUseDropbox( http://db.tt/63Lvone9 )
http://ajashadi.blogspot.com
We cannot become what we need to be, remaining what we are. No matter what, find a way. Because that's what winners do. You can't improve what you don't measure. Quality is never an accident; it is always the result of high intention, sincere effort, intelligent direction and skillful execution; it represents the wise choice of many alternatives.

On Wed, Jan 16, 2013 at 9:39 AM, Ajas Mohammed <ajash...@gmail.com> wrote:

Thanks Charlie, Cameron for keeping us updated with the latest. Charlie, thanks for those blog entries. Really appreciate all your help.

<Ajas Mohammed />

On Wed, Jan 16, 2013 at 12:56 AM, Charlie Arehart <char...@carehart.org> wrote:

Ok, call off the alarm (those of you on 9.0.2). It turns out that the confusion about the new hotfix (regarding 9.0.2) was just a mistake in the technote. All is as it should be, and everyone ought to apply this hotfix ASAP. :-)

BTW, since writing my comment earlier, I have come out with a part 3 entry, on the hotfix and more.
http://www.carehart.org/blog/client/index.cfm/2013/1/15/Part3_serious_security_threat

Still planning a part 4, with post mortem and more. A bit busy now to commit to when.
:-)

/charlie

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Charlie Arehart
Sent: Tuesday, January 15, 2013 3:44 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] New CF Vulnerability - Check your servers

Thanks for sharing it here, Cam. Do beware, though: for those on 9.0.2, there's a glitch in the hotfix (a missing web-inf.zip within the cf902.zip). I've added a comment on the blog entry that points to that (http://blogs.coldfusion.com/post.cfm/coldfusion-security-update-for-version-9-and-above), but obviously those who go straight to the technote wouldn't see that. Hopefully Adobe will fix this ASAP. To be clear, this warning is only for those on 9.0.2. Those on 9.0, 9.0.1, or 10 should absolutely proceed with the hotfix as provided.

/charlie

-------------------------------------------------------------
To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink <http://www.fusionlink.com>
-------------------------------------------------------------
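Charlie's advice above is to lock down /CFIDE/adminapi, /CFIDE/administrator and /CFIDE/componentutils in every site on the server, including the "default site" bound to all addresses, and he notes that HackMyCF only tests the domains you hand it. The script below is an added example (not from the thread, and not Pete Freitag's tool) that walks every hostname and public IP you list and reports, for each of those three paths, whether the web server blocks it, does not serve it, or answers it; the hostnames are constructed placeholders, and the `fetch` parameter is an assumption that lets the logic run offline.

```python
"""Check from the outside whether the CF admin folders answer on each site.

Added example, not code from the thread. Hostnames below are constructed.
"""
import urllib.error
import urllib.request

# The three CFIDE folders the thread says to lock down in every site.
ADMIN_PATHS = ("/CFIDE/administrator/", "/CFIDE/adminapi/", "/CFIDE/componentutils/")


def classify(status):
    """Map an HTTP status (None = connection failure) to a verdict string."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "blocked"        # IP restriction or web server auth is in place
    if status == 404:
        return "absent"         # this site does not serve the folder at all
    if 200 <= status < 400:
        return "EXPOSED"        # the admin folder answers to this hostname
    return "other:%d" % status


def http_status(url, timeout=10):
    """Real fetcher: HTTP status code of a GET, or None if the host is unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def check_sites(hostnames, fetch=http_status):
    """Return {hostname: {path: verdict}}; `fetch` is injectable for offline tests."""
    return {host: {p: classify(fetch("http://%s%s" % (host, p))) for p in ADMIN_PATHS}
            for host in hostnames}


def exposed(results):
    """(hostname, path) pairs where the admin folder answered."""
    return [(h, p) for h, paths in results.items() for p, v in paths.items() if v == "EXPOSED"]


if __name__ == "__main__":
    # Constructed list: every site name bound in IIS/Apache plus the server's public IP,
    # because a default site bound to "all unassigned" addresses answers to the bare IP too.
    hosts = ["www.example.invalid", "intranet.example.invalid", "203.0.113.10"]
    for host, paths in check_sites(hosts).items():
        for path, verdict in paths.items():
            print("%-26s %-26s %s" % (host, path, verdict))
    print("exposed:", exposed(check_sites(hosts)))
```

Run it from a machine outside your network so the answer reflects what the public sees, and treat any "EXPOSED" row as a site that still needs the web server restriction Charlie describes.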