Pete Freitag's Homepage



Covering ColdFusion, Java, Web Development, and other topics



Last Build Date: Thu, 19 Oct 2017 21:27:00 GMT

 



Java Unlimited Strength Crypto Policy for Java 9 or 1.8.0_151

Thu, 19 Oct 2017 21:27:00 GMT

Starting with Java 1.8.0_151 and 1.8.0_152 there is a new, somewhat easier way to enable the unlimited strength jurisdiction policy for the JVM. Without enabling it you cannot use AES-256, for example.

First download the JRE; I like to use the server-jre for servers. When you extract the server-jre, look for the file java.security in the jre/lib/security folder. For example, for Java 1.8.0_152 the file structure looks like this:

/jdk1.8.0_152
   |- /jre
        |- /lib
              |- /security
                    |- java.security

Now open java.security with a text editor and look for the line that defines the Java security property crypto.policy. It can have two values, limited or unlimited; the default is limited.

By default you should find a commented out line:

#crypto.policy=unlimited

You can enable unlimited by uncommenting that line (remove the #):

crypto.policy=unlimited

Now restart your Java applications that point to the JVM and you should be all set.
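As an added check (example code, not from the post), this Java program asks the JCE framework what the running JVM actually permits and then attempts an AES-256 encryption; run it with the JVM you edited, before and after the change, to confirm the policy took effect. The class and method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Added example: verifies that the JVM honours crypto.policy=unlimited. */
public class CryptoPolicyCheck {

    /** True when the active jurisdiction policy allows 256-bit AES keys. */
    public static boolean unlimitedAesAllowed() throws GeneralSecurityException {
        // Under the "limited" policy this returns 128; under "unlimited" it is Integer.MAX_VALUE.
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** Encrypts with a fresh AES-256 key; under the limited policy Cipher.init throws InvalidKeyException. */
    public static byte[] encryptWithAes256(byte[] plaintext) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);                          // key generation itself is not policy-restricted
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);      // fresh 96-bit nonce for GCM
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv)); // policy enforced here
        return cipher.doFinal(plaintext);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // JVMs older than 8u151 do not define this property and report null.
        System.out.println("crypto.policy property: " + Security.getProperty("crypto.policy"));
        System.out.println("max AES key length    : " + Cipher.getMaxAllowedKeyLength("AES"));
        if (!unlimitedAesAllowed()) {
            System.out.println("Limited policy in effect: AES-256 would fail with \"Illegal key size\".");
            return;
        }
        byte[] ct = encryptWithAes256("policy probe".getBytes(StandardCharsets.UTF_8));
        System.out.println("AES-256-GCM encryption succeeded (" + ct.length + " bytes incl. tag)");
    }
}
```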




Java 9 Security Enhancements

Thu, 21 Sep 2017 22:33:00 GMT

With the General Availability release of Java 9 scheduled for today, I thought it would be appropriate to go over the new features that pertain to security.

Implement HTTP/2 Client
Implementation of an HTTP/2 client in the standard Java SDK. JEP 110

SHA-3 Hash Algorithms
Implements the SHA-3 cryptographic hash functions defined by NIST FIPS 202: SHA3-224, SHA3-256, SHA3-384, and SHA3-512. JEP 287

Improve Secure Application Performance
Improves performance of applications that run with a SecurityManager enabled. JEP 232

Disable SHA-1 Certificates
Allows you to disable X.509 certificate chains with SHA-1 based signatures (e.g. TLS / HTTPS). JEP 288

TLS Application-Layer Protocol Negotiation Extension (ALPN)
Implements the ALPN TLS extension, needed for HTTP/2. JEP 244

Create PKCS12 Keystores by Default
Instead of the proprietary JKS format, use standard PKCS12 format. JEP 229

OCSP Stapling for TLS
Implements OCSP stapling via TLS Certificate Status Request Extension and Multiple Certificate Status Request Extension. JEP 249

Leverage CPU Instructions for GHASH and RSA
Improves performance by leveraging CPU instructions. JEP 246

DRBG-Based SecureRandom Implementations
Implements the Deterministic Random Bit Generator mechanisms defined in NIST SP 800-90Ar1. JEP 273

Filter incoming serialization data
Allows filtering of incoming streams of object-serialization data. JEP 290

Datagram Transport Layer Security (DTLS) API
Defines an API for working with DTLS (RFC 4347). JEP 219

Overall some nice security improvements to look forward to.




Upcoming CFML Conferences in April 2017

Tue, 04 Apr 2017 22:14:00 GMT

I will be speaking at two conferences this month.

The first conference is the Adobe CFSummit East, also known as the Adobe ColdFusion Government Summit. It will be held on April 18-19, 2017 in Washington DC. The first day consists of two half-day hands-on sessions; I will be presenting the first session, which is a CFML security training class (sold out). On day two I will be presenting a 1hr session: Bulletproof Your Adobe ColdFusion Server with the Lockdown Guide.

This conference is free to attend, so if you are on the east coast it may be worth considering attending. Other speakers besides myself include: Rakshith Naresh, Giancarlo Gomez, Matt Hintze, Elishia Dvorak, Charlie Arehart, Dan Wilson, Nolan Erck, Masha Edelen, and Dan Fredericks. The opening keynote will be given by Tridib Roy Chowdhury & Steve Drucker. My company Foundeo Inc. is a sponsor of the event.

The following week is the Into the Box Conference. This conference is loaded with tons of great speakers and should be a really good place to learn the latest techniques for modern CFML development. While the conference is organized by the makers of the ColdBox framework, you don't need to use ColdBox to get a lot out of this conference. Many of the tools in the Box ecosystem can be utilized on their own and can provide great benefits to developers. Take CommandBox, for example: if you are not using this tool, spend 5 minutes looking into it right now and find out why you should be.

At Into the Box I will be speaking on Securing CFML Codebases, a look at techniques to improve the security of your existing CFML codebase.




CFSummit 2016 Slides

Tue, 18 Oct 2016 01:02:00 GMT

Here are my slides from the Adobe ColdFusion Summit 2016 conference in Las Vegas:

The conference appeared to be a great success with about 500 people in attendance. My company Foundeo Inc. was a Gold Sponsor again this year. I met a lot of great ColdFusion developers, thanks for saying hello.

I also presented a full day pre-conference workshop on CFML Security along with Dave Epler. This session went very well and was sold out at 50 people. For this session (and other CFML security training classes I teach) I built a CFML web application called Bank of Insecurity; you can find the code on GitHub here.




Securing Legacy CFML - dev.Objective() 2016 Slides

Mon, 20 Jun 2016 23:10:00 GMT

Back from another great dev.Objective() conference in Minneapolis. This year Foundeo was a sponsor, and I spoke on Securing Legacy CFML Code. Find the slides here.




My CFSummit 2015 Slide Decks

Fri, 13 Nov 2015 02:05:00 GMT

I was fortunate enough to be able to do two different talks this year at the Adobe CFSummit 2015 conference.

My first session was a hands-on pre-conference workshop taught by David Epler and myself, titled: Hack & Fix - Hands on ColdFusion Security Training. This was a 3 hour workshop which used a VM preloaded with the hackable CFML training app HackableType, first created by Jason Dean and me in 2010. Students try to hack the vulnerable code, and then fix it. It went very well thanks to David, and all who attended!

Hack & Fix - Hands on ColdFusion Security Training - View Slides

For my second session I presented on Locking down ColdFusion Servers, an overview of the ColdFusion 11 Lockdown Guide. View Slides

My company Foundeo was a Gold sponsor of CFSummit 2015. I enjoyed meeting lots of our HackMyCF and FuseGuard customers and hopefully a few soon to be customers!




Adding Chrome Custom Search for CFDocs

Fri, 16 Oct 2015 20:07:00 GMT

I read some complaints recently that the new Adobe documentation site is not friendly with a Chrome custom search engine (because the URIs differ based on what the tag/function name starts with).

If you want to set up a custom search engine in Chrome, it is really easy:

  1. Using Chrome go to chrome://settings/searchEngines
  2. Scroll down to an empty text box that says Add a new search engine
  3. In the first box type cfdocs.org, in the second box type cf, and in the third box type http://cfdocs.org/%s

Now type cf followed by a space in the address bar, and then a tag or function name.




Disable Flash Remoting on ColdFusion Servers

Thu, 03 Sep 2015 20:37:00 GMT

Due to the recent security vulnerability APSB15-20 / APSB15-21 in BlazeDS there has been increased interest in disabling Flash Remoting when it is not needed -- if you followed the lockdown guide for CF9, CF10, or CF11 you should already have it disabled.

This only applies to ColdFusion 10 and ColdFusion 11 right? Nope! Your ColdFusion 7-9 servers may also be vulnerable to this issue, but since they are considered EOL (End Of Life) they are no longer supported or patched by Adobe, so there is no hotfix to apply. If you do need Flash Remoting on these servers you can manually update the flex-messaging-core.jar file in your lib directory. I tested this on a CF 9.0.2 server and verified that it worked by using the ColdFusion Server Monitor. David Epler has posted some instructions for manually patching a CF9 server.

How can I disable Flash Remoting on ColdFusion Servers?

There are a few ways this can be accomplished; I recommend doing each of them to provide layers of assurance, or defense in depth.

Uncheck "Enable Flash Remoting" in ColdFusion Administrator

This is the easiest way to go, but I don't trust this method to fully disable anything that might be vulnerable to a security issue.

Block URIs on your web server

Web server blocks are always my favorite approach because the requests are blocked before hitting the CF server at all; they are the most efficient way to protect resources in most cases. If you are using IIS 7+ you can block them using Request Filtering (if you are using IIS6 or lower you are running an EOL operating system with many other security issues to consider, time to upgrade!). It can run on a per site basis or on a global basis - for security rules like this it makes sense to run them on a global basis.

Click on the URL tab and then Deny Url Sequence to add the following URIs to block, then test them out in your browser to make sure you get a 404:

/flex2gateway
/flashservices
/flex-internal
/CFFormGateway
/cfform-internal

To block them on Apache you could do something like this globally in httpd.conf:

RedirectMatch 404 (?i).*/flex2gateway.*
RedirectMatch 404 (?i).*/flashservices.*
RedirectMatch 404 (?i).*/flex-internal.*
RedirectMatch 404 (?i).*/cfformgateway.*
RedirectMatch 404 (?i).*/cfform-internal.*

Using nginx you can do something like this (thanks Joseph Lamoree):

location ~* ^/(flex2gateway|flashservices|flex-internal|CFFormGateway|cfform-internal|messagebroker) {
    return 403;
}

Keep in mind that when blocking only on the web server, Flash Remoting is still enabled, so you could still use the server monitor over the internal web server, or if you have it running on its own port.

Disable by Removing Servlet Mappings

Removing servlet mappings removes the URL pattern to servlet (the Java code that executes requests) definition at the JEE servlet container level. It is done by editing the web.xml file found in the WEB-INF folder. You can either delete the ... tag or comment it out with an <!-- XML comment --> (only uses two dashes). Here's an example of a servlet mapping on CF9:

<servlet-mapping>
    <servlet-name>MessageBrokerServlet</servlet-name>
    <url-pattern>/flex2gateway/*</url-pattern>
</servlet-mapping>

You can also disable the servlet mappings that have the following URL patterns:

/flashservices/gateway/*
/flex-internal/*
/CFFormGateway/*
/cfform-internal/*

You can also remove the servlets that correspond to these servlet-mappings, but I have seen cases where CF would not start due to removing a servlet that is expected to be there. Removing unnecessary servlets can improve your CF server startup time and potentially reduce resource utilization, so it may be worth experimenting with.

What if I am running Railo / Lucee?

There is a good chance your s[...]
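Added example (not the post's code, nor Adobe's): a small audit utility that parses WEB-INF/web.xml and reports which of the Flash Remoting / cfform servlet mappings discussed above are still active, so the edit can be confirmed before restarting. The class name, default path and pattern list are my own assumptions; mappings you commented out are not elements in the parsed document, so they are reported as disabled.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example: lists Flash Remoting / cfform servlet mappings still active in a web.xml. */
public class FlashRemotingMappingAudit {

    // URL patterns taken from the post; assumed to appear verbatim in web.xml (matched case-insensitively).
    static final String[] REMOTING_PATTERNS = {
        "/flex2gateway/*", "/flashservices/gateway/*", "/flex-internal/*",
        "/CFFormGateway/*", "/cfform-internal/*"
    };

    /** Returns "servlet-name -> url-pattern" for each active mapping matching the list. */
    public static List<String> activeRemotingMappings(File webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // web.xml may carry a DOCTYPE; parse it without fetching the DTD or expanding entities.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(webXml);
        List<String> active = new ArrayList<>();
        NodeList mappings = doc.getElementsByTagName("servlet-mapping"); // comments are skipped
        for (int i = 0; i < mappings.getLength(); i++) {
            Element m = (Element) mappings.item(i);
            String pattern = childText(m, "url-pattern");
            for (String p : REMOTING_PATTERNS) {
                if (p.equalsIgnoreCase(pattern)) active.add(childText(m, "servlet-name") + " -> " + pattern);
            }
        }
        return active;
    }

    private static String childText(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? "" : n.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        File webXml = new File(args.length > 0 ? args[0] : "WEB-INF/web.xml"); // default path is an assumption
        List<String> active = activeRemotingMappings(webXml);
        if (active.isEmpty()) System.out.println("No Flash Remoting servlet mappings are active in " + webXml);
        else {
            System.out.println("Still mapped in " + webXml + " (remove or comment out):");
            for (String s : active) System.out.println("  " + s);
        }
    }
}
```

Run it as `java FlashRemotingMappingAudit /path/to/WEB-INF/web.xml`; an empty result means only the servlet-mapping step is done, the web server blocks above still apply.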



HackMyCF Adds SSL/TLS Scanner

Wed, 27 May 2015 20:37:00 GMT

I'm pleased to announce a feature of HackMyCF that I've been excited about for a while: SSL / TLS Scanning.

If you stay up to date with security news you know that there have been a large number of vulnerabilities or weaknesses discovered in SSL or TLS protocols and implementations. For example, we have LogJam, Heartbleed, POODLE, CRIME, BEAST, and those are just the ones with cool names :)

We have been issuing warnings when SSLv2 and SSLv3 (POODLE) are enabled for a while; here are some of the new checks we have added:

  • Warn if TLS 1.2 is not enabled
  • LogJam: Weak DH Group Size (less than 2048 bits) and some common prime warnings (not fully inclusive)
  • Warn if SSL Certificate will expire soon, or is expired
  • Warn if certificate is signed with SHA1 (will cause warnings/errors in recent Chrome versions)
  • Warn if TLS compression is enabled (CRIME)
  • Test for OpenSSL Heartbleed vulnerability
  • Warn if Public Key Size less than 2048 bits

Here's a screenshot from an example HackMyCF report:

Customers can enable this feature if they have set protocol = HTTPS in their server settings.




IncompatibleClassChangeError after ColdFusion 11 Update 5

Mon, 20 Apr 2015 23:24:00 GMT

If you use the Encrypt function in ColdFusion 11, you may experience an error that looks like this:

java.lang.IncompatibleClassChangeError: Expected static method coldfusion.runtime.CFPage.Encrypt(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;
    at cfprobe2ecfm877726397._factor9(/hackmycf/probe.cfm:258)
    at cfprobe2ecfm877726397.runPage(/hackmycf/probe.cfm:1)
    at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:246)
    at coldfusion.tagext.lang.IncludeTag.handlePageInvoke(IncludeTag.java:736)
    at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:572)
    at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
    at coldfusion.filter.IpFilter.invoke(IpFilter.java:45)
    at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:466)
    at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:42)
    at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
    at coldfusion.filter.PathFilter.invoke(PathFilter.java:142)
    at coldfusion.filter.LicenseFilter.invoke(LicenseFilter.java:30)
    at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:94)
    at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
    at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
    at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:58)
    at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
    at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
    at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
    at coldfusion.CfmServlet.service(CfmServlet.java:219)
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
    at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at coldfusion.inspect.weinre.MobileDeviceDomInspectionFilter.doFilter(MobileDeviceDomInspectionFilter.java:121)
    at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:422)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:744)

The solution is to clear the Template Cach[...]