Adobe Macromedia ColdFusion MX and JRun verbose mode buffer overflow
| coldfusion-jrun-verbose-bo (17485) |  Low Risk |
Description:
Macromedia ColdFusion MX is vulnerable to a denial of service attack, caused by a buffer overflow. When the JRun server connectors are run in 'verbose=true' mode, which is not the default setting, a remote attacker could overflow a buffer and cause a denial of service.
Platforms Affected:
- Macromedia, ColdFusion 6.0
- Macromedia, ColdFusion 6.1
- Macromedia, JRun 3.0
- Macromedia, JRun 3.1
- Macromedia, JRun 4.0
Remedy:
Apply the appropriate update for your system, as listed in Macromedia Security Bulletin MPSB04-09. See References.
Consequences:
Denial of Service
References:
- iDEFENSE Security Advisory 09.29.04, Macromedia JRun 4 mod_jrun Apache Module Buffer Overflow Vulnerability at http://www.idefense.com/application/poi/display?id=145&type=vulnerabilities&flashstatus=true.
- Macromedia Security Bulletin MPSB04-09 , Cumulative Security Patch available for ColdFusion MX at http://www.macromedia.com/devnet/security/security_zone/mpsb04-09.html.
- BID-11245: Macromedia JRun Multiple Remote Vulnerabilities
- CVE-2004-0646: Buffer overflow in the WriteToLog function for JRun 3.0 through 4.0 web server connectors, such as (1) mod_jrun and (2) mod_jrun20 for Apache, with verbose logging enabled, allows remote attackers to execute arbitrary code via a long HTTP header Content-Type field or other fields.
- SA12647: ColdFusion MX Sensitive Information Disclosure and Denial of Service
- US-CERT VU#990200: Macromedia JRun Server is vulnerable to buffer overflow
Reported:
Sep 23, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net