=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2011/VULN103
_____________________________________________________________________

DATE                      : 09/02/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Adobe ColdFusion version 8.0, 8.0.1, 9.0, 9.0.1.

======================================================================
http://www.adobe.com/support/security/bulletins/apsb11-04.html
______________________________________________________________________

Security update: Hotfix available for ColdFusion

Release date: February 8, 2011

Vulnerability identifier: APSB11-04

CVE number: CVE-2011-0580, CVE-2011-0581, CVE-2011-0582, CVE-2011-0583,
CVE-2011-0584

Platform: All Platforms

SUMMARY

Important vulnerabilities have been identified in ColdFusion 9.0.1 and earlier
versions for Windows, Macintosh and UNIX. These vulnerabilities could lead to
cross-site scripting, Session Fixation, CRLF injection and information disclosure.
Adobe recommends users update their product installation using the
instructions provided below.

AFFECTED SOFTWARE VERSIONS

ColdFusion 8.0, 8.0.1, 9.0, and 9.0.1 for Windows, Macintosh and UNIX

SOLUTION

Adobe recommends affected ColdFusion customers update their installation using the
instructions provided in the technote:
http://kb2.adobe.com/cps/890/cpsid_89094.html.

SEVERITY RATING

Adobe categorizes this as an important update and recommends that users apply the
latest update for their product installation.

DETAILS

Important vulnerabilities have been identified in ColdFusion 9.0.1 and earlier
versions for Windows, Macintosh and UNIX. These vulnerabilities could lead to
cross-site scripting, Session Fixation, CRLF injection and information disclosure.
Adobe has provided a solution to address the reported vulnerabilities. It is
recommended that users update their product installation using the instructions
provided in the "Solution" section above.

This update resolves various cross-site scripting vulnerabilities in the
ColdFusion administrator console (CVE-2011-0580).

This update resolves a CRLF injection with various tags which allow adding
headers (CVE-2011-0581).

This update resolves an information disclosure vulnerability in the ColdFusion
administrator console (CVE-2011-0582).

This update resolves a cross-site scripting vulnerability with the cfform tag
(CVE-2011-0583).

This update resolves a Session Fixation vulnerability for ColdFusion sessions
(CVE-2011-0584).

ACKNOWLEDGMENTS

Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect our
customers:

Richard Brain of ProCheckUp Ltd (CVE-2011-0580)
HongZhen Zhou of McAfee (CVE-2011-0580)
Tenable Network Security (CVE-2011-0580)
Bogdan Calin (CVE-2011-0580)
Michael Dominice (CVE-2011-0580)
Pete Freitag of Foundeo (CVE-2011-0581)
Tom Sellers of FadedCode (CVE-2011-0582)
Chad Armond (CVE-2011-0583)
Jason Dean of 12robots (CVE-2011-0584)


======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================