Adobe Product Security Incident Response Team (PSIRT) On ColdFusion And HeartBleed
The world is abuzz with the OpenSSL "heartbleed" bug (CVE-2014-0160) and the ColdFusion community has been going 'round about it too. Firstly, a server (Apache, Nginx, Tomcat, etc.) can be exploited by a client on a hacker's machine requesting an SSL connection. In addition, a client (CURL, wget, CFHTTP, etc.) can be exploited if it connects to a malicious SSL endpoint. So basically, the bug can be exploited in both directions.
Most CF sites use IIS, Apache, or Nginx to serve content, so ColdFusion itself has no bearing on the vulnerability from that end. Any CFML application, however, can connect to a malicious SSL endpoint. Of course, it only matters if the OpenSSL library is actually the one doing the SSL work. Any other SSL implementation (such as the Java JSSE stack ColdFusion uses for CFHTTP) is unaffected by this particular bug.
To date, neither Adobe nor Railo has made a public announcement via a security bulletin or their official blog.
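Since the question for most CF shops is "which OpenSSL builds are actually present on this box, and are any of them in the affected range?", here is an added example (not from the original post and not an Adobe or Railo tool) that does the inventory side of that check. It scans binary blobs for the version banner that libssl/libcrypto embed (e.g. "OpenSSL 1.0.1e 11 Feb 2013") and classifies each one against the CVE-2014-0160 affected range: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g and 1.0.2-beta2 onward are fixed; the 0.9.8 and 1.0.0 branches never contained the heartbeat code. The sample "binaries" below are constructed byte strings, not real DLLs; `scan_directory` is the same logic pointed at a real install path.

```python
import re
from pathlib import Path

# Version banner that OpenSSL compiles into libssl/libcrypto (ssleay32.dll,
# libeay32.dll, libssl.so, ...), e.g. b"OpenSSL 1.0.1e 11 Feb 2013".
_BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?")

# Constructed sample "binaries": junk bytes around an embedded banner. These are
# NOT real ColdFusion files; they only stand in for what a scan would read.
SAMPLE_BINARIES = {
    "ssleay32.dll": b"MZ\x90\x00" + b"\x00" * 16 + b"OpenSSL 1.0.1e 11 Feb 2013\x00" + b"\xff" * 8,
    "libeay32_old.dll": b"MZ\x90\x00" + b"OpenSSL 0.9.8y 5 Feb 2013\x00",
    "libssl.so.1.0.0": b"\x7fELF" + b"OpenSSL 1.0.1g 7 Apr 2014\x00",
    "libssl_beta.so": b"\x7fELF" + b"OpenSSL 1.0.2-beta1 24 Feb 2014\x00",
    "unrelated.jar": b"PK\x03\x04 no banner here",
}


def heartbleed_status(version: str) -> str:
    """Classify one banner ("OpenSSL 1.0.1e") against CVE-2014-0160.

    Returns "vulnerable", "fixed", or "not affected" (branch never had the bug).
    """
    m = _BANNER.match(version.encode())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    letter = m.group(4).decode()      # "" for a bare 1.0.1, "a".."z" otherwise
    beta = m.group(5)                 # b"-beta1" etc., or None
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f shipped the heartbeat bug; 1.0.1g fixed it.
        return "vulnerable" if letter <= "f" else "fixed"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first 1.0.2 beta was affected.
        return "vulnerable" if beta == b"-beta1" else "fixed"
    return "not affected"


def find_openssl_banners(data: bytes) -> list[str]:
    """Return the distinct OpenSSL version banners embedded in a binary blob."""
    seen: list[str] = []
    for m in _BANNER.finditer(data):
        banner = m.group(0).decode()
        if banner not in seen:
            seen.append(banner)
    return seen


def report(blobs: dict[str, bytes]) -> dict[str, list[tuple[str, str]]]:
    """Map each file name to [(banner, status), ...]; files with no banner map to []."""
    return {
        name: [(b, heartbleed_status(b)) for b in find_openssl_banners(data)]
        for name, data in blobs.items()
    }


def scan_directory(root: str, suffixes=(".dll", ".so", ".dylib")) -> dict[str, list[tuple[str, str]]]:
    """Same check over a real install tree, e.g. scan_directory(r"C:\\ColdFusion10").

    Matches files by suffix or by the "libssl.so.1.0.0"-style name, reads them whole,
    and reports only the ones that actually contain an OpenSSL banner.
    """
    blobs = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and (p.suffix.lower() in suffixes or ".so." in p.name):
            blobs[str(p)] = p.read_bytes()
    return {name: hits for name, hits in report(blobs).items() if hits}


if __name__ == "__main__":
    for name, hits in report(SAMPLE_BINARIES).items():
        print(f"{name}: {hits or 'no OpenSSL banner'}")
```

Two caveats a practitioner should keep in mind when reading the output. First, the banner says which source tree the library was built from, not how it was built: a 1.0.1e built with -DOPENSSL_NO_HEARTBEATS, or a distro package that back-ported the fix while keeping the 1.0.1e version string (Red Hat and Debian both did this), will show as "vulnerable" here and needs a vendor advisory or a live probe to settle. Second, as the post says, a bundled library only matters if something on the box actually loads it for TLS; an old DLL sitting unused in a driver directory is a hygiene finding, not an exposure.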
UPDATE April 17: Railo responds here.
UPDATE April 18: Adobe responds here:
There have been a handful of less "official" conversations on mailing lists and Twitter. As best I can tell, neither Adobe ColdFusion nor Railo uses OpenSSL for its own SSL handling and therefore both are safe. Of course, any other part of your web stack (even bundled libraries) might use OpenSSL. Gert from Railo has promised a blog entry "soon" to address the issue regarding Railo. There has been some complaining about the lack of official word from Adobe, and my understanding is that the ColdFusion team's hands are tied by the Adobe PSIRT, who are the only ones allowed to comment publicly on security matters.
The general consensus is that they could certainly say something, even if it was simply, "Hey, we're looking into it and will get back to you soon". Be that as it may, I E-mailed Adobe's PSIRT myself and got a reply that seems as close to an official reply as they are willing to provide at this point, though I'm unclear why they're talking about it one-on-one but refraining from public statements. For the sake of those who haven't E-mailed PSIRT, I will post their reply here for the benefit of the community until something official comes out. Also, for funsies, I'll post my original E-mail plus my followup. If I hear back again, I'll update this post.
From: Brad Wood
To: [email protected]
Date: Wed, Apr 16, 2014 at 5:45 AM
Subject: Adobe ColdFusion and Heartbleed
Dear Adobe PSIRT team,
I would like to encourage you to please make a public announcement regarding Adobe ColdFusion and if it is vulnerable to the latest OpenSSL "heartbleed" bug. This is a very significant bug that has people around the world scrambling to patch their software. Even if Adobe ColdFusion is not susceptible to the recent "heartbleed" bug I would strongly suggest making an announcement on your blog to state that or authorize the ColdFusion team to do so on their blog. Many people in the CF community have noticed the silence on this issue and an official announcement really needs to be made in order for your customers to feel safe and to verify with their employers that they have all the patches they need. Communication is very important and I hate to see the Adobe ColdFusion team getting beat up for not addressing this issue publicly on their blog. Please authorize them to make some kind of statement on this.
Thanks!
~Brad
From: [email protected]
To: Brad Wood
Date: Wed, Apr 16, 2014 at 1:39 PM
Subject: RE: Adobe ColdFusion and Heartbleed
Hello Brad,
Thank you for contacting us. We appreciate your feedback. Please note that ColdFusion does not use OpenSSL. However, customers who are using an external web server with their ColdFusion deployment (ex. Apache) should test for CVE-2014-0160. If affected, customers should follow the recommendations provided in the OpenSSL security advisory, available at https://www.openssl.org/news/secadv_20140407.txt. Adobe also recommends consulting the ColdFusion lockdown guides for security best practices:
We hope this information is helpful. Please let us know if you have additional questions.
Thank you,
Adobe Product Security Incident Response Team
From: Brad Wood
To: [email protected]
Date: Wed, Apr 16, 2014 at 3:13 PM
Subject: Adobe ColdFusion and Heartbleed
Dear PSIRT Team,
Thanks for the reply. I appreciate the links and concern. Let me be very clear though-- I am not asking about this for the sake of my servers, I am letting you know that Adobe needs to make a public official statement on the matter for the entire community to see. Even if your blog entry said nothing more than what you put in your E-mail reply that would be great-- but the community has noticed the lack of public response by Adobe to this matter and it's reflecting quite poorly on your PR. If the PSIRT team doesn't have time to make a quick announcement, please authorize the ColdFusion team to put out a blog post. This would do a lot for the community as silence breeds distrust and most every other major technology stack has already addressed their platform publicly-- even if just to say they are not vulnerable.
Thanks!
~Brad
UPDATE April 18:
From: Brad Wood
To: [email protected]
Date: Thu, Apr 17, 2014 at 9:50 PM
Subject: Adobe ColdFusion and Heartbleed
Dear PSIRT team,
Can you please respond to the comments on my blog made by a community member named "Aaron". He has listed several binaries that ship with ColdFusion that supposedly use OpenSSL. His comments can be found here:
Also, if you haven't seen it-- here is the official response from the Railo team (a competitor of Adobe CF) which categorically addresses the uses of SSL inside Railo server.
Thanks!
~Brad
From: [email protected]
To: Brad Wood
Date: Fri, Apr 18, 2014 at 2:58 PM
Subject: Adobe ColdFusion and Heartbleed
Hi Brad,
Thanks to you and Aaron for bringing this to our attention. With your input, we started a deeper investigation of ColdFusion components. We have also clarified our blog post regarding OpenSSL in ColdFusion (http://blogs.adobe.com/psirt/?p=1085). Should additional information arise from our investigation we'll provide an update to our blog.
Thank you again for your help,
Adobe Product Security Incident Response Team
Adam Cameron
G'day mate: Cheers for a) following this up; b) sharing. All your points are well made.
Some people in the community don't quite seem to "get" that FUD spreads quickly in the face of lack of communications. So even if the message from Adobe ColdFusion / PSIRT is "duh, of course there's no problem", then that's fine. Or even "we're working on it: stay tuned" would be fine.
However for the sake of PR there should be some more official messaging other than some Twitter posts. Or maybe I'm being too traditional in thinking that Twitter is not the place for "official" comms for an enterprise product? Dunno.
Anyway, thanks for sharing the info here.
-- Adam
Aaron
Thanks for the post Brad.
I'll add to the FUD here - and directly contradict the "ColdFusion does not use OpenSSL".
ColdFusion 9 & 10 ship with OpenSSL binaries:
C:\ColdFusion10\cfusion\db\slserver54\bin\ssleay32.dll
C:\ColdFusion10\cfusion\db\slserver54\bin\libeay32.dll
And thanks to Gert's Railo post we know that C:\ColdFusion10\cfusion\lib\bcprov-jdk14-139.jar uses OpenSSL too.
As Gert mentioned Tomcat can be built with OpenSSL support: https://wiki.apache.org/tomcat/Security/Heartbleed While it's unlikely the custom tomcat build that ships with CF uses it, it's still possible.
And for the CF9 people here is how to enable OpenSSL in JRun: http://helpx.adobe.com/legacy/kb/ssl-jrun-web-server-connector.html
To take away from the above FUD - the DLLs that ship with CF are older, unaffected versions. I don't know about the JAR, or where it's used, but that is probably safe.
I hope the above is enough to prove that the tweets from the CF team and the advice from PSIRT are incorrect. Additionally there are configurations of JRun and Tomcat that use OpenSSL.
In my mind I have always had major issues with how Adobe approaches security for CF. There is such secrecy surrounding it that it makes my job as a CF Administrator incredibly difficult - there is never enough information released for me to be able to analyse if our production servers have been exploited. Microsoft takes the opposite approach, and their descriptions of the issue are very very clear.
Adobe's handling of this issue is the final straw for me. When CF9 support ends (if it hasn't already) I'll be moving to Railo - I can simply no longer risk Adobe's approach to security matters.
Brad Wood
Thanks for the additional info Aaron. I hope they are addressed by Adobe in an official response. I will contact Adobe PSIRT again and ask for clarification on your points.
Brad Wood
I updated the post with the last E-mail I received from Adobe PSIRT. Apparently they didn't know about the OpenSSL libraries that shipped with ColdFusion until Aaron pointed them out.
Adam Cameron
It's quite amusing(?) that the person clamouring for a response from Adobe ended up providing them with the relevant info so that their PSIRT advisory was actually accurate!
-- Adam
Aaron
The whole thing is hilarious, from Rakshith's attitude to the rest of the usuals who don't seem to 'get it'.
I doubt we will see any retractions posted on twitter, or a post on the coldfusion team blog.
I expect the PSIRT will be asking questions of the CF team. Not my intention but an accomplishment all the same.
Brad, Adam, thanks for your help with this.
Aaron