Wednesday, October 18, 2023

ColdFusion, Connectors, and CFAdmin Security (for more than just ColdFusion 2023 Update 5 and ColdFusion 2021 Update 11)

Introduction


This post is about ColdFusion 2023 Update 5 and ColdFusion 2021 Update 11, but it's also about more than just those versions.  Because access to the ColdFusion Administrator (CFAdmin) should be tightly controlled regardless of what version of ColdFusion you're running.  

The release notes for CF2023 U5 and CF2021 U11 mention unspecific "connector-related enhancements," with no details.  It appears that these enhancements include much stricter default access control to CFAdmin resources through the connectors.  The new connectors will block all access to CFAdmin resources, so you'll need direct access to Tomcat (or your alternate Java Application Server) to access CFAdmin.  ColdFusion expert Charlie Arehart and a few others have made comments here and here regarding this new behavior as well.  

This change may cause problems for users who want remote access to CFAdmin via a connector, and at this time, I'm unaware of any workarounds other than rolling back to the previous connector.  The release notes do mention that the connector configuration files and libraries are now backed up during a connector upgrade.  (The wsconfig utility has an -allowedIPList option with a comment that "The allowedIPList property represents an allowed IP address list(separated by comma) that access the restricted list of ColdFusion URLs."  But this feature didn't work when I tried using it, and appears to be outdated per ColdFusion bug CF-4106021.)

Hopefully this update didn't break your environment, but I'm going to talk about why this added security is a good thing and how to get similar protection if you're running an earlier version of ColdFusion.  (But if you're running an EOL version, you really should migrate to a supported CFML platform.)


Enhanced Security for ColdFusion

The latest connectors significantly improve the security of a default ColdFusion environment.

You want to protect and restrict access to CFAdmin -- the web-based interface for configuring and managing your ColdFusion environment -- as part of your security baseline.  CFAdmin components are accessible via /CFIDE/ URI paths and expose lots of functionality; most components require authentication (a local username/password, or LDAP as of ColdFusion 2023) to access, although some are accessible without authentication.

There have been a number of previous vulnerabilities impacting CFAdmin resources, such as CVE-2010-2861 (from APSB10-18), which had a beautifully-creative exploit chain that combined a path traversal Local File Inclusion bug with a Pass-the-Hash attack leading to admin authentication bypass and remote code execution.  But even without any known vulnerabilities, it's advisable to restrict access to CFAdmin.  At a bare minimum, unauthenticated access to CFAdmin could allow for a brute force attack against the login page, and has the potential to be the small gap and first step that lets an attacker more easily bootstrap access via some future vulnerability.  

Security can get tricky when you have multiple, individual components that form a larger system.  In the case of an Internet-facing ColdFusion environment, you may have an edge CDN, a WAF, a load balancer, a public web server, Tomcat, ColdFusion framework code, and ColdFusion application code -- all of which may differ in terms of how they process requests, parse URIs, and enforce any access control rules.  These differences and variations can be subtle and lead to gaps and access control bypasses for resources that you thought were protected and inaccessible.  


What is a ColdFusion Connector?

ColdFusion includes a built-in Tomcat web server (listening on 8500/TCP by default), but it is uncommon and discouraged to directly expose it to the public Internet.  More often, a Tomcat Connector or similar component is used with an external web server such as IIS, Apache, or Nginx.  These connectors are based on the open source Apache Tomcat Connectors (mod_jk).


What's Changed in the Latest Connectors?

The new connectors in ColdFusion 2023 Update 5 and ColdFusion 2021 Update 11 perform the following actions:

  • normalize the request URI
  • block any requests with .. in the URI path (which could be attempts to exploit directory traversal vulnerabilities)
  • block any requests in which the normalized URI path starts with a case-insensitive /CFIDE

Anything blocked by the connector will now return 400 (Bad Request) or 404 (Not Found) and should be logged in mod_jk.log in the specific connector configuration directory.

Recommended Actions

If you don't need remote access to CFAdmin through your connector, the new connectors in these updates provide a great security enhancement.  Additionally, these steps will help protect CFAdmin on (m)any versions of ColdFusion:

  • Use WAF rules, URL filters, web server access control, and other capabilities to restrict access to any URI paths that contain CFIDE.  These rules should perform URI normalization and handle things such as case-insensitivity, URL-encoded values, and other common path obfuscation techniques.  (And for Lucee, you should apply the same logic to block URI paths that contain lucee.)
  • Install the latest ColdFusion security patches after appropriate testing.  You should not expose EOL ColdFusion versions to the Internet.
  • Add specific trusted IP addresses to Security → Allowed IP Addresses in CFAdmin.
  • Enable the Server Settings → Disable access to internal ColdFusion Java components setting in CFAdmin (note that this should be tested, as some third-party software may require those components).
  • Block remote/untrusted HTTP/HTTPS access to .cfc files and avoid using remote methods in ColdFusion Components.
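The normalize-then-block logic described for the new connectors, and the normalization a WAF or web-server rule should perform before matching on CFIDE, as an added Python illustration (not Adobe's connector code).  It assumes up to three layers of percent-encoding are worth undoing and that Tomcat-style ;param path parameters should be stripped; the sample request paths are constructed.

```python
"""Added example: normalize a request URI and decide whether it targets CFAdmin."""
from urllib.parse import unquote

DECODE_PASSES = 3               # assumption: undo up to three layers of percent-encoding
BLOCKED_PREFIXES = ("/cfide",)  # per the post; add "/lucee" for a Lucee deployment


def normalize_path(uri: str) -> str:
    """Reduce a request URI to a canonical path for policy checks.

    Drops the query string and fragment, percent-decodes repeatedly (to catch
    double-encoding), treats backslash as a separator, strips ';param' path
    parameters from each segment and drops empty or '.' segments.  '..'
    segments are kept so the caller can reject them outright, which is what
    the post says the connector does.
    """
    path = uri.split("?", 1)[0].split("#", 1)[0]
    for _ in range(DECODE_PASSES):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]  # '/CFIDE;x/administrator' -> 'CFIDE'
        if seg in ("", "."):
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def check_request(uri: str) -> tuple:
    """Return ('block', reason) or ('allow', normalized_path)."""
    path = normalize_path(uri)
    if ".." in path:
        return ("block", "dot-dot segment in path")
    if path.lower().startswith(BLOCKED_PREFIXES):
        return ("block", "path targets CFAdmin resources")
    return ("allow", path)


SAMPLE_REQUESTS = [  # constructed sample paths, not taken from any real log
    "/index.cfm?page=home",                 # ordinary application request
    "/cfide/Administrator/index.cfm",       # mixed case
    "/%43%46%49%44%45/administrator/",      # percent-encoded 'CFIDE'
    "/images/..%2fCFIDE/scripts/",          # dot-dot with an encoded slash
    "/CFIDE;x/administrator/",              # path-parameter obfuscation
    "/app/%252e%252e/CFIDE/",               # double-encoded dot-dot
]


def run_samples() -> dict:
    """Map each sample path to the decision the filter makes for it."""
    return {u: check_request(u)[0] for u in SAMPLE_REQUESTS}
```

Only the first sample is allowed; every other variant normalizes to a blocked form, which is the behaviour a front-end rule needs to reproduce to be worth relying on.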

And remember, the security controls in the connectors only cover remote access to CFAdmin.  Application vulnerabilities such as Server Side Request Forgery can make it possible to send requests to CFAdmin (and other resources) that come directly from localhost/the local application server.


2 comments:

  1. Thank you for this post! Wasted a day this week trying to figure out why I couldn't access CFAdmin anymore in my Docker stack.

    Reply:
    1. You're welcome, and glad you were able to figure it out. If you haven't seen them already, there's also some conversations about the new connectors happening here: https://community.adobe.com/t5/coldfusion-discussions/coldfusion-2021-update-11-new-connector-required/td-p/14152869 and here: https://www.carehart.org/blog/2023/10/10/solving_problems_applying_latest_cf_updates#comments