Although there was some confusion the first time around, a security fix released by Adobe is now fully ready to make ColdFusion users safer. Adobe has resolved one small problem with the fix, and all users would do well to apply the update at this point.
A little background information: as explained by a security bulletin, “Important vulnerabilities have been identified in ColdFusion 8.0, 8.0.1, 9.0 and earlier versions for Windows, Macintosh and UNIX. The vulnerabilities could lead to cross-site scripting and information disclosure.”
Unfortunately, it turned out that a naming conflict cropped up when the fix was applied via Cumulative Hot Fix 4 for ColdFusion 8.0.1.
But a technote explained the problem and the solution, stating, “Vulnerability CVE-2010-1294, included in this security fix, now prevents unauthorized access to datasources via the Service Factory. This may have caused issues with certain frameworks/applications that were accessing datasources without proper authentication. The fix has been updated to correct these issues by allowing unauthenticated access to only the datasource connection. Details of the datasource are only allowed with authenticated access.”
Granted, goofs like this aren’t exactly confidence-inspiring, and it’s hard to imagine that some ColdFusion users wouldn’t be happier if the security fix hadn’t proven necessary in the first place. Still, the rapid application development platform is at least more secure for everyone now, and by releasing the fix, Adobe showed that it hasn’t forgotten about ColdFusion.