Participant

Question

Hashing denial-of-service attack -- is CF vulnerable?

Forum|Forum|14 years ago
December 29, 2011
4 replies
1844 views

The recent announcement of major vulnerabilities in many web application platforms to a hashing DOS attack has much of the internets abuzz:

http://arstechnica.com/business/news/2011/12/huge-portions-of-web-vulnerable-to-hashing-denial-of-service-attack.ars

I haven't seen or heard anything regarding various versions of ColdFusion and whether it's vulnerable.

Can someone shed some light on this -- preferably someone from Adobe -- and whether a fix is forthcoming?

Thanks,

David

This topic has been closed for replies.

A

Anonymous

We have released a security hot-fix addressing this issue for ColdFusion 9.0.1 and earlier. More details are http://shilpikhariwal.com/2012/03/security-hot-fix-for-coldfusion-march.html

A

Adam Cameron.

Inspiring

I can't say categorically that CF ain't affected by this, because I can't be bothered decompiling their struct implementation to see how it's been done, but I would ass-u-me that it's just a wrapper of a Java hash map (or similar), in which case it would not be vulnerable to it, because that article specifically states that Oracle have said Java is not affected by it.

It wouldn't be that hard to test & confirm one way or the other.

--

Adam

-

-__cfSearching__-

Inspiring

... that article specifically states that Oracle have said Java is not affected by it.
--
Adam

No, the article says java is vulnerable. Oracle just said they "decided nothing .. needs to be fixed within Java itself". Sounds more like they are saying it is the responsibility of the application server to provide a better hash implementation if needed (or choose a different method of prevention).

A

Adam Cameron.

Inspiring

-==cfSearching==- wrote:
... that article specifically states that Oracle have said Java is not affected by it.
--
Adam
No, the article says java is vulnerable. Oracle just said they "decided nothing .. needs to be fixed within Java itself". Sounds more like they are saying it is the responsibility of the application server to provide a better hash implementation if needed (or choose a different method of prevention).

Sorry, you're quite right. I definitely misread that, didn't I! ;-)

--

Adam

D

Dave Watts

Community Expert

I would assume that CF is likely to be vulnerable. For ASP.NET, there's a workaround - setting a maximum limit of POST request data to around 200 characters. I suspect that workaround might also work with CF.

Dave Watts, CTO, Fig Leaf Software

Dave Watts, Eidolon LLC

B

Big_Plan

Participant

I would like to know as well.

The article doesn't specifically mention Coldfusion, but does mention Tomcat and Glassfish.

Can Adobe please release a statement about this, if CF is vulnerable, what actions are being taken to correct it, etc?

Thanks,

Carl

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded