Coldfusion and the Java CVE-2012-1723 vulnerability.

Guest, Aug 09, 2012

I have a few questions about Coldfusion, specifically for me 9.0.1, regarding Java.  I updated the JVM for Coldfusion in the past due to a vulnerability to a version that was sanctified by Adobe to use, version 1.6.0_24.  This was the vulnerability: CVE-2010-4476

So first is this particular vulnerability, CVE-2012-1723, applicable to the Coldfusion server?  Second, what is the current version of Java sanctified by Adobe?  Last, what are the consequences of using a non-sanctified version of Java with Coldfusion?


1 Correct answer

Enthusiast, Aug 09, 2012

Adobe has not "certified" ColdFusion 9 on a newer version of the JVM than version 1.6.0_24. The unofficial word on the street is that Adobe support will still work with you if you have a newer JVM, though they might ask you to roll it back to 1.6.0_24. Adobe has only certified a new version of a JVM outside of a major release twice to my recollection; the first time was when the daylight saving time rules changed, and the second was the DoS vulnerability that exists in versions prior to 1.6.0_24. Adobe will be supporting Java 7 for CF9 and 10 due to Java 6 EOL as per this blog entry: http://blogs.coldfusion.com/post.cfm/java-7-support-for-coldfusion The vulnerability CVE-2012-1723 allows for bypass of the Java security sandboxes, so this might be something you would be concerned about on a ColdFusion server... if you have sandbox security turned on.

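A small check that follows from the answer above, added here as an example and not code from the thread or from Adobe: it reads `java.home` from ColdFusion's `jvm.config`, parses the JVM version string, and classifies it against the 1.6.0_24 that Adobe certified for CF9. The jvm.config path and content in the `__main__` block are constructed samples.

```python
import re
import subprocess
from pathlib import Path

# JVM version Adobe certified for ColdFusion 9, as stated in the answer above.
CERTIFIED_JVM = "1.6.0_24"

_VER_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text):
    """Turn '1.6.0_24' or the first line of `java -version` output
    ('java version "1.6.0_24"') into a comparable tuple (1, 6, 0, 24).
    Returns None when no version string is present."""
    m = _VER_RE.search(text)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def java_home_from_jvm_config(config_text):
    """Extract the java.home entry from a ColdFusion jvm.config.
    Returns None when the key is absent."""
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("java.home="):
            return line.split("=", 1)[1].strip()
    return None


def classify(version_text):
    """Classify a JVM version relative to the certified 1.6.0_24:
    'below-certified' (predates the DoS fix the answer mentions),
    'certified' (exactly what Adobe certified), or 'newer' (informally
    supported per the answer, but Adobe may ask for a rollback)."""
    v = parse_java_version(version_text)
    if v is None:
        return "unknown"
    cert = parse_java_version(CERTIFIED_JVM)
    if v < cert:
        return "below-certified"
    return "certified" if v == cert else "newer"


def installed_java_version(java_home):
    """Run <java_home>/bin/java -version; the version line goes to stderr."""
    proc = subprocess.run([str(Path(java_home) / "bin" / "java"), "-version"],
                          capture_output=True, text=True)
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    # Constructed sample jvm.config content, not from a real install.
    sample = "java.home=/opt/coldfusion9/runtime/jre\njava.args=-server -Xmx512m\n"
    print(java_home_from_jvm_config(sample), classify('java version "1.6.0_24"'))
```

On a live server, pass the real `java.home` to `installed_java_version()` and feed its output to `classify()`.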
Guest, Aug 10, 2012

Thanks Peter.  The feature or setting(s) of the Coldfusion server that exposes leverage to this vulnerability is what I was looking for.  Hope this also assists others in deciding how to address it for their environment.
