Adobe is out this week with a fix for their ColdFusion and JRun technologies. In total, the two technologies were at risk from at least 7 different vulnerabilities.
US-CERT issued a warning on the vulnerabilities earlier this week.
“These vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, or operate with escalated privileges,” US-CERT warned.”
Both ColdFusion and JRun are application servers. ColdFusion has its own file types while JRun is a Java application server.
The ColdFusion updates include two cross-site scripting
vulnerabilities, that could potentially lead to arbitrary code execution
(CVE-2009-1872 and CVE-2009-1877).
On the less serious, but still important list of bug fixes is an update for ColdFusion that
fixes a double-encoded null character
vulnerability that could potentially lead to information disclosure
(CVE-2009-1876). There is also a fix for a potential privilege escalation (CVE-2009-1878) issue that is the result of a session fixation vulnerability.
The JRun updates include what Adobe’s advisory refers to as,”.. multiple
management console cross-site scripting vulnerabilities that could
potentially lead to code execution (CVE-2009-1874). There is also an update for a management console directory traversal
ColdFusion is an application server originally developed by a vendor
called Allaire, then acquired by Macromedia in 2001 for $360 million.
Macromedia in turn was acquired by Adobe in 2005. Adobe has since updated ColdFusion to work well with Adobe’s AIR and Flex technologies. JRun is a Java EE app server that also came to Adobe by way of the Macromedia acquisition.
The JRun and ColdFusion updates come just a month after Adobe was hit by a pair of critical issues in its Flash and PDF technologies. At least one researcher has claimed that Adobe isn’t moving fast enough to update users with Flash and PDF.
When it comes to ColdFusion and JRun the attack surface is somewhat smaller in my view. Instead of tens of millions of home users that need to update Flash, there are likely at best tens of thousands (or just thousands) of users that may need to update ColdFusion and JRun.