Hashing denial-of-service attack -- is CF vulnerable?

New Here, Dec 29, 2011

The recent announcement of major vulnerabilities in many web application platforms to a hashing DoS attack has much of the internets abuzz:

http://arstechnica.com/business/news/2011/12/huge-portions-of-web-vulnerable-to-hashing-denial-of-se...

I haven't seen or heard anything regarding various versions of ColdFusion and whether it's vulnerable.

Can someone shed some light on this -- preferably someone from Adobe -- and whether a fix is forthcoming?

Thanks,

David

New Here, Dec 29, 2011

I would like to know as well.

The article doesn't specifically mention Coldfusion, but does mention Tomcat and Glassfish.

Can Adobe please release a statement about this, if CF is vulnerable, what actions are being taken to correct it, etc?

Thanks,

Carl

Community Expert, Dec 29, 2011

I would assume that CF is likely to be vulnerable. For ASP.NET, there's a workaround - setting a maximum limit of POST request data to around 200 characters. I suspect that workaround might also work with CF.

Dave Watts, CTO, Fig Leaf Software

Dave Watts, Eidolon LLC
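An added example, not code from this thread or from Adobe, of the workaround Dave describes: cap the byte size and field count of a POST body before any field name is hashed, so a flood of colliding keys is refused in linear time. The limits, the toy length-only hash table and the sample bodies are all constructed for illustration; `parse_qsl`'s `max_num_fields` is the standard-library parameter.

```python
from urllib.parse import parse_qsl

MAX_BODY_BYTES = 64 * 1024  # assumption: larger than any ordinary form post
MAX_FIELDS = 1000           # assumption: a collision attack needs far more keys

class RequestRejected(ValueError):
    pass

def parse_form_body(body: bytes, max_bytes=MAX_BODY_BYTES, max_fields=MAX_FIELDS):
    """Parse a urlencoded body into a dict. Both limits are checked on the raw
    bytes before any key is hashed, so refusing costs O(n), not O(n^2)."""
    if len(body) > max_bytes:
        raise RequestRejected(f"body of {len(body)} bytes exceeds {max_bytes}")
    if body and body.count(b"&") + 1 > max_fields:  # cheap upper bound on fields
        raise RequestRejected("too many form fields")
    try:
        pairs = parse_qsl(body.decode("ascii"), keep_blank_values=True,
                          max_num_fields=max_fields)
    except ValueError as exc:  # bad encoding, or parse_qsl's own field cap
        raise RequestRejected(str(exc)) from None
    return dict(pairs)

def accepts(body: bytes) -> bool:
    try:
        parse_form_body(body)
        return True
    except RequestRejected:
        return False

def insertion_cost(keys, buckets=64):
    """Key comparisons spent inserting `keys` into a toy chained hash table
    whose hash is just the key length, so equal-length keys share one chain.
    Walking that chain is the work a collision attack inflates."""
    table = [[] for _ in range(buckets)]
    compares = 0
    for key in keys:
        chain = table[len(key) % buckets]
        for existing in chain:
            compares += 1
            if existing == key:
                break
        else:
            chain.append(key)
    return compares

def colliding_keys(n, width=8):  # constructed worst case: n distinct equal-length keys
    return [f"{i:0{width}d}" for i in range(n)]

def form_body(n):  # constructed POST body; every field name collides in the toy hash
    return b"&".join(f"{k}=1".encode() for k in colliding_keys(n))
```

With 2,000 colliding names the toy table does about two million comparisons, while the same body is refused by the field cap before a single name is hashed.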
LEGEND, Dec 30, 2011

I can't say categorically that CF ain't affected by this, because I can't be bothered decompiling their struct implementation to see how it's been done, but I would ass-u-me that it's just a wrapper of a Java hash map (or similar), in which case it would not be vulnerable to it, because that article specifically states that Oracle have said Java is not affected by it.

It wouldn't be that hard to test & confirm one way or the other.

--

Adam

Valorous Hero, Dec 30, 2011
... that article specifically states that Oracle have said Java is not affected by it.

--

Adam

No, the article says Java is vulnerable. Oracle just said they "decided nothing .. needs to be fixed within Java itself". Sounds more like they are saying it is the responsibility of the application server to provide a better hash implementation if needed (or choose a different method of prevention).

LEGEND, Dec 31, 2011

-==cfSearching==- wrote:

... that article specifically states that Oracle have said Java is not affected by it.

--

Adam

No, the article says Java is vulnerable. Oracle just said they "decided nothing .. needs to be fixed within Java itself". Sounds more like they are saying it is the responsibility of the application server to provide a better hash implementation if needed (or choose a different method of prevention).

Sorry, you're quite right. I definitely misread that, didn't I! 😉

--

Adam

Guest, Mar 13, 2012

We have released a security hot-fix addressing this issue for ColdFusion 9.0.1 and earlier. More details are at http://shilpikhariwal.com/2012/03/security-hot-fix-for-coldfusion-march.html
