Blog

The world is abuzz with the OpenSSL "heartbleed" bug and the ColdFusion community has also been going 'round about it too.  Firstly, a server (like Apache, Nginx, Tomcat, etc) can be exploited by a client on a hackers machine requesting an SSL connection.  In addition, a client (CURL, wget, CFHTTP, etc) can be exploited if connecting to a malicious SSL endpoint.  So basically, the bug has the ability to flow both ways. 

For most CF sites, they are using IIS, Apache, or Nginx to serve content so ColdFusion has no bearing on the vulnerability from that end.  Any CFML application, however, can connect to a malicious SSL endpoint.  Of course, it only matters if the OpenSSL library is specifically being used.  Any other SSL implementation is safe.

To date, neither Adobe or Railo have yet to make public announcements via security bulletins or their official blog.

UPDATE April 17: Railo responds here.

UPDATE April 18: Adobe responds here:

There have been a handful of less "official" conversations in mailing lists and Twitter.  As best I can tell, neither Adobe ColdFusion or Railo use OpenSSL and therefore are safe.  Of course, any other parts of your web stack (even bundled libraries) might use OpenSSL.  Gert from Railo has promised a blog entry "soon" to address the issue regarding Railo.  There has been some complaining about the lack of official word from Adobe, and my understanding is that the ColdFusion team's hands are tied by the Adobe PSIRT who are the only ones allowed to comment publicly on security matters.

 The general consensus is they could certainly say something, even if it was simply, "Hey, we're looking into it and will get back to you soon".  That as it is, I E-mailed Adobe's PSIRT myself and got a reply that seems as close to an official reply as they are willing to provide at this point though I'm unclear why they're talking about it one-on-one but refraining from public statements.  For the sake of those who haven't E-mailed PSIRT, I will post their reply here for the benifit of the community until something official comes out.  Also, for funsies, I'll post my original E-mail plus my followup.  If I hear back again, I'll update this post.

From: Brad Wood
To: [email protected]
Date: Wed, Apr 16, 2014 at 5:45 AM
Subject: Adobe ColdFusion and Heartbleed

Dear Adobe PSIRT team, 

 

I would like to encourage you to please make a public announcement regarding Adobe ColdFusion and if it is vulnerable to the latest OpenSSL "heartbleed" bug. This is a very significant bug that has people around the world scrambling to patch their software.  Even if Adobe ColdFusion is not susceptible to the recent "heartbleed" bug I would strongly suggest making an announcement on your blog to state that or authorize the ColdFusion team to do so on their blog. 

 

Many people in the CF community have noticed the silence on this issue and an official announcement really needs to be made in order for your customers to feel safe and to verify with their employers that they have all the patches they need.  Communication is very important and I hate to see the Adobe ColdFusion team getting beat up for not addressing this issue publicly on their blog.  Please authorize them to make some kind of statement on this.

 

Thanks!

 

~Brad

From: [email protected]
To: Brad Wood
Date: Wed, Apr 16, 2014 at 1:39 PM
Subject: RE: Adobe ColdFusion and Heartbleed

Hello Brad,

 

Thank you for contacting us.  We appreciate your feedback.  Please note that ColdFusion does not use OpenSSL. However, customers who are using an external web server with their ColdFusion deployment (ex. Apache) should test for CVE-2014-0160. If affected, customers should follow the recommendations provided in the OpenSSL security advisory, available at https://www.openssl.org/news/secadv_20140407.txt. Adobe

also recommends consulting the ColdFusion lockdown guides for security best practices:

https://www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/cf10-lockdown-guide.pdf

http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf

 

We hope this information is helpful.  Please let us know if you have additional questions.

 

Thank you,

Adobe Product Security Incident Response Team

From: Brad Wood
To: [email protected]
Date: Wed, Apr 16, 2014 at 3:13 PM
Subject: Adobe ColdFusion and Heartbleed

Dear PSIRT Team, 

 

Thanks for the reply.  I appreciate the links and concern.  Let me be very clear though-- I am not asking about this for the sake of my servers, I am letting you know that Adobe needs to make a public official statement on the matter for the entire community to see.  Even if your blog entry said nothing more than what you put in your E-mail reply that would be great-- but the community has noticed the lack of public response by Adobe to this matter and it's reflecting quite poorly on your PR.

 

If the PSIRT team doesn't have time to make a quick announcement, please authorize the ColdFusion team to put out a blog post.  This would do a lot for the community as silence breeds distrust and most every other major technology stack have already addressed their platform publicly-- even if just to say they are not vulnerable.

 

Thanks!

 

~Brad

 

UPDATE April 18:

From: Brad Wood
To: [email protected]
Date: Thu, Apr 17, 2014 at 9:50 PM
Subject: Adobe ColdFusion and Heartbleed

Dear PSIRT team,

 

Can you please respond to the comments on my blog made by a community member named "Aaron".  He has listed several binaries that ship with ColdFusion that supposedly use OpenSSL.  His comments can be found here:

 

http://www.codersrevolution.com/blog/adobe-product-security-incident-response-team-on-coldfusion-and-heartbleed#comment_798

 

Also, if you haven't seen it-- here is the official response from the Railo team (a competitor of Adobe CF) which categorically addresses the uses of SSL inside Railo server.

 

http://blog.getrailo.com/post.cfm/railo-server-and-the-heartbleed-vulnerability

 

Thanks!

 

~Brad

From: [email protected]
To: Brad Wood
Date:  Fri, Apr 18, 2014 at 2:58 PM
Subject: Adobe ColdFusion and Heartbleed

Hi Brad,

Thanks to you and Aaron for bringing this to our attention.  With your input, we started a deeper investigation of ColdFusion components.  We have also clarified our blog post regarding OpenSSL in ColdFusion (http://blogs.adobe.com/psirt/?p=1085).  Should additional information arise from our investigation we'll provide an update to our blog.

 

Thank you again for your help,

Adobe Product Security Incident Response Team

With the release of DataBoss 1.3 today, I thought I'd share a quick story about my recent first project diving into DataBoss.  Full disclosure: DataBoss is a commercial product and I work for the company that makes it.  None the less, I thought it was pretty freaking useful so I thought I'd throw out this quick post.

For those of you who don't know what the heck DataBoss is-- it's a Dynamic ORM Administrator.  Basically, it can scaffold out CRUD (Create, Read, Update, Delete) screens for pretty much any database structure and it's all based on ColdFusion ORM.  It runs on Adobe ColdFusion as well as Railo and the minimum to get it running is to create ORM entity CFCs, drop them in your models folder and reload ORM via the interface.  It will pick up your entities, read all the relationships, and create all the screens necessary to manage the data in your database complete with formatting, validation, rich text editors, date dropdowns, etc.

So, the recent project I got assigned was for a company that does development services.  They had a project they had been working on for one of their clients that involved a nicely-normalized database of about 20 tables that supported a multi-lingual ordering and reservation system.  They had the front end system built out with ColdFusion but the problem was the deadline was getting very close and they weren't going to have to time build the backend of the system that allowed all the products, descriptions, and companies to be configured.  They needed to have a backend over to their client in a matter of days to start entering data, but there simply wasn't enough time to build one from scratch.

Enter DataBoss.  I was tasked with setting up a data-entry app they could use to manage their database until they had time to finish the backend.  The database that had already been built was well-structured and contained many examples of one-to-many, many-to-one, and many-to-many relationships.  I was given a backup of the data structure and a diagram that showed all the foreign key relationships.  Using Adobe's CFC Generator for ColdFusion Builder, I selected the tables via the RDS datasource view and stubbed out all the ORM entities in script.  Don't try to use the CF Builder plugin to create relationships.  It's horrible and you'll be sorry.  For just stubbing out the entities and the properties, it's pretty good though and saves a lot of time.

DataBoss is packaged as a portable ColdBox module which means you can drop it into an existing ColdBox app, or just deploy it as a small standalone app.  I chose the latter and dropped my ORM entities in the /model folder.  After adding my datasource name to Application.cfc and changing dbCreate to "none" the app sprang to life and displayed a list of all my entities in a drop down.  There's settings in a JSON file to control pagination as well as the internationalization of the DataBoss app itself.  DataBoss already comes bundled with German translations which was nice since this project was for a German company.  

At this point, I went through and configured all the relationships and added metadata to each entity and property that controlled how it displayed on the screen, what kind of validation it applied, and what form controls to display for each field.  After a bit of tweaking, we had really nice CRUD screens fleshed out that even used 24-hour clock and dd/mm/yyyy date formats to match the local standard.  I enabled the Basic HTTP Auth built into DataBoss, and it was ready to deploy publicly!  All in all, we had the entire admin finished and ready to deliver to the customer in just a few days.

I was pretty pleased with how easy it was to get working, and was a major saver for them to get the edit screens to their customer in time.  And now, they can use those ORM entities for future development on the application.  DataBoss Standalone is only 99 bucks which isn't bad considering the time it can save you.  Think about using it for that old legacy database you have no edit screens for, or to help you create your next database.  You can also download a trial to play around if you want.

Product Site:

http://www.data-boss.com/

Docs:

http://www.data-boss.com/docs/index.html

I will be presenting on how to get started using Couchbase for caching and NoSQL at a TeraTech webinar next month.  Couchbase is an up-and-coming server that mixes caching capabilities with a NoSQL JSON document store.  It has excellent performance and the best clustering/sharding/failover setup I've seen.  I'll be demoing the brand new CFML SDK for Couchbase as well as the Ortus Railo Extension.  Here's the session description.

nteractive applications have changed dramatically over the last 15 years. Today, they must support millions of users simultaneously and downtime is no longer acceptable. Three mega trends – Big Data, Big Users, and Cloud Computing – are driving the adoption of NoSQL technology over traditional relational SQL.

NoSQL document stores are reinventing the way we design our databases and cache layers. Couchbase open source server is a unique database with unparalleled performance, automatic replication and failover. 
In this webinar:

• how document databases differ from the traditional RDBMS
• the benefits and tradeoffs they bring to the table
• a hands-on look at the new CFCouchbase CFML SDK
• native caching and session persistence via the Railo Couchbase Extension.
• Q&A

Register for free Now

So I was at a friend's house Sunday night playing a game when this odd fact came up in conversation:

If you were to fold a piece of paper in half 42 times, it would reach the moon.

Several of those around the table scoffed at this, exclaiming that a single sheet of paper was simply too thin to have its thickness reach any substantial amount after only a few dozen folds.  I pointed out it was entirely possible seeing as how doubling the thickness with each fold would lead to an exponential increase in thickness that would increase slowly at first before quickly getting larger.  My friends were clearly imagining a linear increase in thickness.

I also knew that it is pretty much impossible to fold a single sheet of paper more than about 8 times -- though Myth Busters once folded a giant sheet the size of a football field 10 times. The resulting thickness (after hitting it with a bulldozer) was almost a foot tall, though there was quite a bit of air mixed in with the 1,024 sheets.  The formula for finding out how many of something you'll have after doubling it N number of times is as follows where O is the original number (or size in our case).

o * 2^(n)

A standard sheet of paper is about 0.1 mm so 42 folds would give us this:

0.1 * 2^(42) = 439,804,651,110 mm

That's 440 billion millimeters, or 439,804 kilometers.  The moon on average is 384,400 kilometers from Earth according to Google.  I'd say this checks out.  

To help visualize the data, I created a quick spreadsheet and graph that tracks the thickness of the paper for each fold.

And to graph that out in kilometers looks like this:

We've created a fun trailer for our Into The Box conference this May.  Please check it out and then register to come for a great day of learning that doesn't take itself too seriously :)

Tonight the Nebraska ColdFusion User Group (NECFUG) rebooted themselves and I was honored to be able to share a preview of my cf.Objective() session for this year, What's A Pull Request (Contributing To Open Source).  I'd love to have feedback on the presentation so I can make it as good as possible for cf.Objective() this May.  Please give it a listen if you have the time and drop me a line with any thoughts you have.

• Connect Recording - http://experts.adobeconnect.com/p54q4j3jxh0/
• Slide Deck - Whats_a_Pull_Request.pdf

It's bothered me for a while, that GitHub and Gist don't have proper syntax highlighting for full-script CFCs like this one.  

They handle tags fine, and even do script inside of a <cfscript> tag, but just leave full script components as black text all the way down the page.

 ColdFusion has allowed all-script components since version 9 which was released 5 years ago.  I always just assumed that GitHub was aware of the problem and someone somewhere was hard at work resolving it.  Silly Me.

GitHub uses this Ruby library to determine what language a while is written in:

https://github.com/github/linguist

Which in turn uses this Ruby wrapper to spin up the syntax highlighter:

https://github.com/tmm1/pygments.rb

But that library is just a proxy to this Python library that actually does the color coding:

https://bitbucket.org/birkenfeld/pygments-main

It looks like there's already a ticket from 2012 to add support and Ben Riordan took a whack at it last year with no luck.  So I've forked the Pygments library, but know nothing of Python so I'm asking anyone who does to help me get this figured out.  Since script already works inside <cfscript> tags, it sounds like all the pieces are there-- we just need to properly identify script components and use the correct highlighter for them. Comment here or shoot me an E-mail if you'd like to help!

Update: There's an updated blog post with more current results here: 

http://www.codersrevolution.com/blog/whos-had-more-vulns-redux-php-java-coldfusion-ror-or-net

I get tired of people on complaining about ColdFusion as a technology choice because it's "so insecure".   I regularly am told that it has more holes, more vulnerabilities, and a worse track record than other platforms. That's why I compiled this quick chart showing the number of Common Vulnerabilities and Exposures (CVE) by year for CF as well as PHP and Java (as reported by cvedetails.com) which are two of the most-used languages on the web.  I also threw in Apache Tomcat for comparison since it completes in the web space and CF10 actually runs on a version of it.

Click to enlarge

So to break this down, the red line riding out on top with a huge spike in 2007, that's PHP.  The purple line coming out of the backfield for a solid lead (?) at the end is Java.  The yellow line is Tomcat who still manages 10-15 vulns a year (and the only one to go LOWER than CF.  And that green line on the bottom with the lowest number of vulns every year, and nothing even reported until 2006- that would be CF.

So, sure-- there's a lot more info than just the counts on the chart.  My point also isn't that PHP or Java are bad-- I'm just trying to make the point that oft-used technologies are targeted by crackers and nobody is perfect.  And according to this data, CF is doing way better than several of the main techs out there.  It should also be noted that CF, Java, and PHP were all created the same year-- 1995, so don't give me any of this "old" crap either.  (Tomcat was created in 1999)

References:

• http://en.wikipedia.org/wiki/Timeline_of_programming_languages
• http://en.wikipedia.org/wiki/Apache_Tomcat
• http://www.cvedetails.com/vendor/74/PHP.html
• http://www.cvedetails.com/product/8739/Adobe-Coldfusion.html?vendor_id=53
• http://www.cvedetails.com/product/1526/SUN-JRE.html?vendor_id=5
• http://www.cvedetails.com/product/887/Apache-Tomcat.html?vendor_id=45