Spring4Shell Vulnerability

New Here, Apr 01, 2022

Do we know if ColdFusion, any supported version, is affected by the just released Spring Framework vulnerability, https://tanzu.vmware.com/security/cve-2022-22965? I need to provide updates to my InfoSec team.

 

Phil

TOPICS
Security

Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert, Apr 01, 2022

While the IT world is indeed up in arms again about yet another seeming wide-ranging zero day, I'll say that as we await a reply from Adobe, it's worth noting that though both CF and Spring are based on Java, CF is not based on Spring. And as the vuln seems specific to Spring (from all I've read, since people started asking me yesterday in my role as a CF consultant), it seems therefore that this vuln does not affect CF.

 

All that said, I am not presenting any official stance, just a reasoned assertion. (In situations like this, many will be reluctant to even offer that.) I wanted to put this out as at least one take on things. 

 

Let's see if Adobe may come out with an official position, whether in reply here or in another forum thread/announcement or portal post (coldfusion.adobe.com). Or CF security maven Pete Freitag may offer his more careful assessment.

(FWIW, I had reached out earlier today to both of THEM about this, since so many are asking.) 


/Charlie (troubleshooter, carehart.org)

New Here, Apr 01, 2022

Charlie,

I'm in agreement with your assessment of the situation, and while it looks like it is limited to applications built and deployed as a WAR on Tomcat, we all know how Enterprise InfoSec folks are with "Vendor must verify", which is why I figured I'd start a thread in case others were in the same situation.

 

Phil Duba
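One artifact-side check for the "WAR on Tomcat" point above, added here as an example (not code from the thread, Adobe or the Spring project): it scans a WAR's WEB-INF/lib for the Spring jars named in the CVE-2022-22965 advisory and compares spring-beans against the fixed releases 5.3.18 / 5.2.20. The fixed versions are taken from the linked advisory rather than this page, the JDK 9+ and Tomcat host checks are out of scope, and the sample WARs are constructed in memory.

```python
import io
import re
import zipfile

# Spring Framework releases that fixed CVE-2022-22965 (per the VMware advisory linked in
# the thread): the fix is in spring-beans; Spring MVC / WebFlux supply the web entry point.
FIXED_BEANS = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
JAR_RE = re.compile(r"WEB-INF/lib/spring-(beans|webmvc|webflux)-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")

def spring_modules(war):
    """Map each bundled Spring module name to its (major, minor, patch) tuple."""
    with zipfile.ZipFile(war) as zf:
        hits = [JAR_RE.match(n) for n in zf.namelist()]
    return {m.group(1): tuple(int(x) for x in m.group(2, 3, 4)) for m in hits if m}

def beans_fixed(version):
    """True if this spring-beans version carries the CVE-2022-22965 fix."""
    fixed = FIXED_BEANS.get(version[:2])
    if fixed is None:
        return version[:2] > (5, 3)  # 6.x shipped after the fix; 5.1 and older got none
    return version >= fixed

def assess_war(war):
    """Return (status, web_exposed); status is 'no-spring', 'patched' or 'outdated-beans'."""
    mods = spring_modules(war)
    exposed = "webmvc" in mods or "webflux" in mods  # the advisory's exploitation path
    if "beans" not in mods:
        return "no-spring", exposed
    return ("patched" if beans_fixed(mods["beans"]) else "outdated-beans"), exposed

def make_war(entries):
    """Construct an in-memory WAR holding only the given entry names (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf

# Constructed stand-ins for the contents of a Tomcat webapps/ directory.
SAMPLES = {
    "legacy-mvc.war": ["WEB-INF/lib/spring-beans-5.3.17.jar", "WEB-INF/lib/spring-webmvc-5.3.17.jar"],
    "patched-mvc.war": ["WEB-INF/lib/spring-beans-5.3.18.jar", "WEB-INF/lib/spring-webmvc-5.3.18.jar"],
    "no-spring.war": ["WEB-INF/web.xml", "WEB-INF/lib/other-framework.jar"],
}

if __name__ == "__main__":
    for war_name, entries in SAMPLES.items():
        print(war_name, *assess_war(make_war(entries)))
```

Point the loop at real files instead of SAMPLES to inventory a server; a WAR with no spring-beans jar at all, as the thread argues for CF, comes back as no-spring.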

Community Expert, Apr 01, 2022

Of course, and that's why I prefaced my reply with, "as we await a reply from Adobe, it's worth noting"...and I even ended with the two paragraphs I did, to acknowledge that mine is NOT that Vendor verification some would seek. But to be clear, since you started with "do we know", I presumed you were asking "the community" as much as Adobe. As always, I just want to help.


/Charlie (troubleshooter, carehart.org)

Community Beginner, May 17, 2022

Hi Charlie (and all),

 

Has Adobe come out with a statement on the Spring4Shell issue that you know of? I can't find anything official anywhere. Thanks for any info you can give!

 

John

Adobe Employee, May 17, 2022

Hi All,

 

CF is not impacted by this vulnerability and there is no need for any fix.

 

Thanks,
Priyank Shrivastava

Community Beginner, May 17, 2022
Thanks for the reply!

Community Expert, May 17, 2022

No, they have not. I had asked previously for any and they did not plan to.

 

At least now we have Priyank's reply here that I see he just offered. 


/Charlie (troubleshooter, carehart.org)
