August 9, 2012

ColdFusion and the Java CVE-2012-1723 vulnerability


I have a few questions about ColdFusion, specifically (for me) 9.0.1, regarding Java. I updated the JVM for ColdFusion in the past, due to a vulnerability, to a version that was sanctified by Adobe for use, version 1.6.0_24. This was the vulnerability: CVE-2010-4476

So first, is this particular vulnerability, CVE-2012-1723, applicable to the ColdFusion server? Second, what is the current version of Java sanctified by Adobe? Last, what are the consequences of using a non-sanctified version of Java with ColdFusion?



pete_freitag (Correct answer)
August 10, 2012

Adobe has not "certified" ColdFusion 9 on a newer version of the JVM than version 1.6.0_24. The unofficial word on the street is that Adobe support will still work with you if you have a newer JVM, though they might ask you to roll it back to 1.6.0_24.

Adobe has only certified a new version of a JVM outside of a major release twice to my recollection: the first time was when the daylight saving time rules changed, and the second was the DoS vulnerability that exists in versions prior to 1.6.0_24. Adobe will be supporting Java 7 for CF9 and 10 due to the Java 6 EOL, as per this blog entry: http://blogs.coldfusion.com/post.cfm/java-7-support-for-coldfusion

The vulnerability CVE-2012-1723 allows for bypass of the Java security sandbox, so this might be something you would be concerned about on a ColdFusion server... if you have sandbox security turned on.
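
As an added illustration (not code from this thread or from Adobe), the following Python check does the two things an administrator in this position would want to automate: it reads the java.home entry from ColdFusion's jvm.config, parses the output of `java -version`, and reports whether that JVM is the 1.6.0_24 build Adobe certified for CF9 and whether it predates Oracle's fix levels for the two CVEs discussed above (CVE-2010-4476, fixed in Java 6 Update 24; CVE-2012-1723, fixed in Java 6 Update 33 and Java 7 Update 5). The jvm.config path, the sample jvm.config content and the sample `java -version` strings are constructed for the example.

```python
"""Assess the JVM a ColdFusion instance is configured to use against the
two CVEs discussed in the thread. Added example; fix levels are Oracle's
published ones, the sample inputs below are constructed."""
import os
import re
import subprocess

# Family -> first update containing the fix.
FIXED_IN = {
    "CVE-2010-4476": {6: 24},          # double-parse hang, fixed in 6u24
    "CVE-2012-1723": {6: 33, 7: 5},    # HotSpot sandbox bypass, fixed in 6u33 / 7u5
}
ADOBE_CERTIFIED_CF9 = (6, 24)          # 1.6.0_24, as stated in the answer above

# Constructed sample, modelled on cf_root/runtime/bin/jvm.config (assumed layout).
SAMPLE_JVM_CONFIG = """# JVM configuration for ColdFusion (constructed sample)
java.home=/opt/coldfusion9/runtime/jre
java.args=-server -Xmx512m -Dcoldfusion.rootDir={application.home}/
"""

# Constructed sample of what `java -version` prints (it writes to stderr).
SAMPLE_VERSION_OUTPUT = 'java version "1.6.0_24"\nJava(TM) SE Runtime Environment\n'


def java_home_from_jvm_config(text):
    """Return the java.home value from jvm.config content, or None if absent."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"java\.home\s*=\s*(.+)$", line)
        if m:
            return m.group(1).strip().strip('"')
    return None


def parse_java_version(version_output):
    """Parse 'java version "1.6.0_24"' style output into (family, update)."""
    m = re.search(r'version "1\.(\d)\.\d+(?:_(\d+))?', version_output)
    if not m:
        raise ValueError("unrecognised java -version output")
    return int(m.group(1)), int(m.group(2) or 0)


def vulnerable_to(cve, family, update):
    """True if this JVM predates the fix for cve.

    A family newer than every listed fix is treated as fixed; a family older
    than every listed fix is conservatively treated as vulnerable."""
    fixes = FIXED_IN[cve]
    if family > max(fixes):
        return False
    if family in fixes:
        return update < fixes[family]
    return True


def assess(version_output):
    """Build a report dict from raw `java -version` output."""
    family, update = parse_java_version(version_output)
    report = {
        "jvm": (family, update),
        "adobe_certified_cf9": (family, update) == ADOBE_CERTIFIED_CF9,
    }
    for cve in FIXED_IN:
        report[cve] = vulnerable_to(cve, family, update)
    return report


def live_check(jvm_config_path):
    """Read jvm.config, run the JVM it names, and assess it (not run offline)."""
    with open(jvm_config_path) as fh:
        home = java_home_from_jvm_config(fh.read())
    if home is None:
        raise ValueError("no java.home entry in %s" % jvm_config_path)
    java = os.path.join(home, "bin", "java")
    proc = subprocess.run([java, "-version"], capture_output=True, text=True)
    return assess(proc.stderr or proc.stdout)


if __name__ == "__main__":
    print("java.home:", java_home_from_jvm_config(SAMPLE_JVM_CONFIG))
    for key, value in assess(SAMPLE_VERSION_OUTPUT).items():
        print("%-22s %s" % (key, value))
```

Note what the report does and does not tell you: a 1.6.0_24 JVM comes out as certified for CF9 and patched for CVE-2010-4476 but still exposed to CVE-2012-1723; moving to 6u33 or 7u5 clears the second CVE but leaves you on a JVM Adobe had not certified at the time. Whether CVE-2012-1723 is actually reachable on your server is a separate question that depends on Sandbox Security being enabled in the ColdFusion Administrator, which this script does not inspect.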

August 10, 2012

Thanks Peter. The ColdFusion server feature or setting(s) that exposes it to this vulnerability is what I was looking for. Hope this also assists others in deciding how to address it for their environment.