Adobe has shipped ColdFusion 11 with a set of security enhancements. Those include a new set of OWASP tools integrated into the platform, additional Secure Profile controls that were originally introduced in ColdFusion 10, and new crypto enhancements to existing APIs. Adobe said the enhancements give developers more security controls that can be integrated into applications.

"Overall, this latest iteration of the platform increases flexibility for developers, while enhancing security," said lead security strategist Peleus Uhley in a statement. "Administrators will now find it even easier to lock down their environments."

The additional OWASP tools include features from the organization's AntiSamy Project. AntiSamy is an API that checks user-supplied HTML/CSS content, such as profile information or comments, for malicious code. "The term 'malicious code' in regards to web applications usually means JavaScript. Cascading Stylesheets are only considered malicious when they invoke the JavaScript engine," says a description on the OWASP site. "However, there are many situations where normal HTML and CSS can be used in a malicious manner." That is why a sanitizer of this kind works from an allow-list of permitted tags, attributes and CSS properties rather than a deny-list of known-bad strings.

Secure Profile is a set of security defaults introduced in ColdFusion 10. In version 11, site administrators can further lock down the administrator panels, for example by denying access from a range of IP addresses, which could help choke off certain types of attacks. That capability has been extended to a number of other components in ColdFusion 11. Restricting the panels by source address reduces exposure, but it is not a substitute for keeping the server patched.

Adobe also made a number of security enhancements to existing ColdFusion APIs. Uhley said ColdFusion 11 now supports PBKDF2, a password-based key derivation function that lets developers derive encryption keys from passwords. A key derived this way is only as strong as the passphrase behind it, so a random per-key salt and a deliberately high iteration count are what make PBKDF2 worth using. Also, the cfmail tag built into ColdFusion can now send S/MIME-encrypted email. Finally, developers are now able to enable SSL for the WebSockets proxy, Uhley said.

Seven months ago, Adobe suffered a massive breach of its internal network in which hackers made off with source code for a number of its products, including ColdFusion. Adobe originally reported that data for 2.9 million customers had also been accessed, but that number was quickly amended to 38 million. Lost were customer contact information, encrypted payment card information and other information used in customer orders. Since then, a number of breaches have been reported in which exploits for ColdFusion vulnerabilities were likely used. Most recently, French hardware maker LaCie suffered a yearlong breach that put at risk the data of anyone who purchased one of its flagship rugged external hard drives during the past year. KrebsOnSecurity reported that hackers exploiting bugs in ColdFusion were to blame, as they were in break-ins at Smucker's and SecurePay.
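The kind of HTML/CSS filtering the AntiSamy paragraph above describes, as an added example: this is not AntiSamy itself and not ColdFusion code, but a small allow-list sanitizer written here in Python. AntiSamy drives its filtering from an XML policy; this version fixes a toy policy in constants. The tag list, attribute lists, CSS properties and the sample inputs are all constructed for illustration. It shows the two points from the OWASP description: script reaches the page through attributes and URLs as well as through script tags, and CSS is only dangerous when a value can invoke the script engine or pull in remote content.

```python
"""Allow-list HTML/CSS sanitizer in the spirit of OWASP AntiSamy.

Added illustration, not AntiSamy and not ColdFusion code. The policy is a
set of constants: a few tags, a few attributes per tag, a few CSS properties.
Anything not listed is dropped, which is what makes it an allow-list.
"""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "span"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "span": {"style"}, "p": {"style"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
ALLOWED_CSS_PROPS = {"color", "font-weight", "text-align"}
# CSS constructs that reach the script engine or load remote content. The
# plain-value pattern below already excludes them; this regex names them.
CSS_DANGEROUS = re.compile(r"expression\s*\(|javascript:|url\s*\(|@import|behavior\s*:|-moz-binding", re.I)
CSS_PLAIN_VALUE = re.compile(r"[A-Za-z0-9#%\s,.-]+")


def sanitize_style(value):
    """Keep only allow-listed CSS properties whose values are plain tokens."""
    kept = []
    for decl in value.split(";"):
        prop, sep, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip()
        if not sep or prop not in ALLOWED_CSS_PROPS:
            continue
        if CSS_DANGEROUS.search(val) or not CSS_PLAIN_VALUE.fullmatch(val):
            continue
        kept.append(f"{prop}: {val}")
    return "; ".join(kept)


def safe_href(value):
    """Allow relative URLs and a few schemes; reject javascript:, data:, vbscript: ..."""
    # Browsers ignore embedded whitespace/control characters, so "java\tscript:"
    # must be read as "javascript:". HTMLParser has already decoded entities.
    v = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    scheme, sep, _ = v.partition(":")
    if not sep or any(c in scheme for c in "/?#"):
        return True  # no scheme at all: a relative URL
    return scheme in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Rebuilds the fragment from parsed tokens, emitting only allowed pieces."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # >0 while inside <script>/<style>: their text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops onclick=, onerror=, and anything unlisted
            if name == "href" and not safe_href(value):
                continue
            if name == "style":
                value = sanitize_style(value)
                if not value:
                    continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))


def sanitize_html(fragment):
    """Return the allow-listed rendering of an untrusted HTML fragment."""
    p = Sanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed samples: inline script, an event handler, an obfuscated
    # javascript: link, and CSS that would invoke the script engine.
    for sample in ('<p onclick="alert(1)">hi <b>there</b><script>alert(1)</script></p>',
                   '<a href="java&#x09;script:alert(1)">x</a>',
                   '<span style="color: red; width: expression(alert(1))">t</span>'):
        print(sanitize_html(sample))
```

Two limitations worth knowing before copying the idea: this version does not balance unclosed tags, which AntiSamy's policy engine does, and its URL check is a scheme allow-list rather than a full URL parser, so anything more exotic than the schemes listed is simply dropped.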
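PBKDF2 as described above, as an added example that is not part of the original article and not ColdFusion code: it implements the RFC 8018 construction by hand in Python, checks it against the standard library's hashlib.pbkdf2_hmac, and shows the parameters (salt, iteration count, key length) that have to be stored alongside a derived key for anyone to re-derive it later. The passphrases, the 16-byte salt and the 600,000-iteration default are illustrative choices, not values taken from the page.

```python
"""PBKDF2 (RFC 8018) worked by hand and checked against hashlib.

Added illustration, not ColdFusion or Adobe code. It shows what a
"derive a key from a password" call actually computes and which
parameters must travel with the key so it can be re-derived.
"""
import hashlib
import hmac
import os


def pbkdf2_by_hand(hash_name, password, salt, iterations, dklen):
    """PBKDF2 per RFC 8018 section 5.2 with HMAC-<hash_name> as the PRF.

    Block T_i is the XOR of `iterations` chained HMACs: the first is keyed
    with the password over salt || INT_32_BE(i), each later one over the
    previous output. Blocks are concatenated and truncated to dklen bytes.
    """
    if iterations < 1 or dklen < 1:
        raise ValueError("iterations and dklen must be positive")
    hlen = hashlib.new(hash_name).digest_size
    nblocks = -(-dklen // hlen)  # ceiling division
    out = bytearray()
    for i in range(1, nblocks + 1):
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hash_name).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += t
    return bytes(out[:dklen])


def matches_hashlib(hash_name, password, salt, iterations, dklen):
    """True when the hand-rolled version agrees with the C implementation."""
    return pbkdf2_by_hand(hash_name, password, salt, iterations, dklen) == \
        hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen)


# Illustrative defaults (assumptions, not ColdFusion's): a 16-byte random salt
# and a deliberately slow iteration count. Store salt and iterations next to
# whatever the derived key protects; without them the key cannot be re-derived.
SALT_BYTES = 16
DEFAULT_ITERATIONS = 600_000


def derive_key(passphrase, salt=None, iterations=DEFAULT_ITERATIONS, key_bytes=32):
    """Derive a key of key_bytes from a passphrase. Returns (salt, key)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, key_bytes)
    return salt, key


def passphrase_matches(passphrase, salt, iterations, expected_key):
    """Re-derive with the stored parameters and compare in constant time."""
    _, key = derive_key(passphrase, salt, iterations, len(expected_key))
    return hmac.compare_digest(key, expected_key)


if __name__ == "__main__":
    # RFC 6070 vector: PBKDF2-HMAC-SHA1("password", "salt", c=1, 20 bytes)
    print(pbkdf2_by_hand("sha1", b"password", b"salt", 1, 20).hex())
    salt, key = derive_key("correct horse battery staple")
    print(salt.hex(), key.hex())
    print(passphrase_matches("correct horse battery staple", salt, DEFAULT_ITERATIONS, key))
```

The by-hand function exists to make the construction visible; in real code use hashlib.pbkdf2_hmac (or the platform's own function) and never a reimplementation. The iteration count is the tunable cost: raising it slows an offline guessing attack by the same factor it slows a legitimate derivation, which is why it should be as high as the application can tolerate and recorded with the salt.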