Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

General discussion

Security Patch available for ColdFusion MX and JRun 4.0 Web Services DoS

Dec 9, 2003 3:45AM PST

MPSB03-07 Security Patch available for ColdFusion MX and JRun 4.0 Web Services DoS
Originally posted: December 9, 2003
Last updated: December 9, 2003

Summary
ColdFusion MX and JRun 4 Web Services may be vulnerable to a Denial-of-Service attack because they use the default Apache Crimson XML parser to process Web Service SOAP requests.

ColdFusion Version 5 and earlier versions do not support Web Services and are not vulnerable.

If using Web Services with ColdFusion MX or JRun 4, this fix should be applied if either:

the Web Services are available publicly
the Web Services may be accessed by a potential attacker

NOTE: This fix is NOT required if ColdFusion MX or JRun 4.0 is used only to consume Web Services provided by others.

This fix supplies a replacement Crimson XML parser in crimson.jar. This replacement parser is not vulnerable to the Denial-of-Service attack.

Severity Rating
Macromedia categorizes this issue as a critical update and recommends users immediately patch their ColdFusion MX or JRun 4.0 installation.

Affected Software Versions
JRun 4.0 (all editions)
ColdFusionMX 6.0, 6.1
ColdFusionMX 6.0, 6.1 J2EE (all editions)

What Macromedia is Doing
Macromedia has published this bulletin including patches and notified customers using affected versions.

What Customers Should Do
Download the security update patches

http://www.securityfocus.com/advisories/6154

Discussion is locked