2024-08-07 –, Florentine A
Yes, an Adobe ColdFusion talk in 2024. It's been a busy 18 months for ColdFusion security -- from new 0-day vulnerabilities discovered in the wild to ancient vulnerabilities being part of ransomware playbooks. Even if you haven't embraced modern CFML, ColdFusion remains a common legacy application platform found in organizations of all sizes and verticals. In this talk we'll look at a series of ColdFusion vulnerabilities, map out the attack surface of modern ColdFusion environments, and consider some approaches for attack surface reduction. So whether you consider ColdFusion to be a modern JVM scripting language, legacy application tech debt, or an easy pentest win, this talk is for you. And if you're too cool for ColdFusion, just squint and pretend it's a Java talk.
This talk is the result of several years of thinking about, examining, and researching the attack surface of ColdFusion from both offensive and defensive perspectives.
ColdFusion has been around since 1995 and has been implemented on the J2EE platform since 2002. It includes all of the components and security considerations of a J2EE application, including the JVM, a web server, an application server, containers and connectors. And on top of that is all of the custom CFML application code that actually drives application logic.
Like many other application platforms, ColdFusion has a long history of exploitable vulnerabilities in core application components. Many of these old vulnerabilities have lived on in modern pentest reports and ransomware playbooks, as legacy systems may linger unmaintained and unpatched. And as recently as 2023, new 0-day ColdFusion remote code execution vulnerabilities have been discovered in the wild, in components that have been around for many years. Modern open source implementations of CFML engines have also added to the variety and complexity of what attackers need to exploit and how defenders must protect. As a result of looking at recent and historic ColdFusion components, vulnerabilities and exploits, I’ve attempted to identify likely places where new, undiscovered and undisclosed vulnerabilities may exist, and come up with recommendations for what organizations can do to hunt for new bugs, anticipate future areas of weakness, and proactively improve their defensive posture.
Brian Reilly is a security engineer focused on application security, penetration testing, and vulnerability research. He enjoys working with product teams to build and deploy secure software. His professional experience has included various roles within the financial services, technology, higher education, and state/local government sectors. He holds degrees from Georgetown University and the George Washington University.