
Hi, well, good evening everyone, thanks for sticking around. It is 2024 and this is a talk on ColdFusion at BSides. So to jump right in, just a little bit about myself. I've been doing security work for a bunch of years now, with a long-term focus on application security for about the past 15 years or so, working with product teams to build secure products: a lot of web app testing, a lot of mobile testing, a little bit of client-server, a little bit of hardware, a little bit of legacy stuff. Early on in my career I spent a lot of time working in higher ed; after that I was supporting state and local government for a number of years, so if anyone in the audience has worked in those industries, I know a lot of the challenges, I know a lot of the pain points, and feel free to come chat about it with me after the talk too. More recently most of my experience has been in financial services and in various tech companies, as large as Fortune 10 to as small as under 100 people. I'll also say from the outset that I am far from a ColdFusion expert, but it's a technology that I've seen pretty much spanning my entire career, going back to about '97 or so, again in lots of those verticals that I've mentioned. Even today I still see ColdFusion applications from time to time. And just to get this out of the way too: yes, I've seen the memes too. ColdFusion has a history, ColdFusion has a reputation. It may not be the sleekest tech or the newest tech or the hottest tech, but it's still around and it's still security relevant, which is why I'm chatting about it today.

All right, so this talk really came about from two to three years' worth of ColdFusion research that I was doing, and during that time there were a string of critical and high-impact ColdFusion vulnerabilities, some of which I reported to Adobe and some of which other people reported to Adobe. I kind of took a step back and thought: is there anything that we can learn from these vulnerabilities in terms of how they're being exploited and where they live? Really, just to think about whether we can look at what's been seen in the past and predict how the next one might be exploited or where the next one might exist, or proactively do something to put controls in place, think defensively, and break future exploits before the next vulnerability is found. I'll also add that one motivation for this talk was that it's been about 15 years since the last great ColdFusion talk that I saw at a security conference. That was back in, I think, 2010, when Chris Eng and Brandon Creighton from Veracode gave their talk "Deconstructing ColdFusion". Slides and video are online. That talk goes into a lot more about the ColdFusion runtime and ColdFusion execution than I'm going to talk about today, so certainly if you're interested in ColdFusion and haven't looked up that talk, it's highly recommended.

All right, so even today, like I said, ColdFusion is out there. This is kind of cliché, but this is a Google search that I did a couple weeks back. Google showed that there were more than 64 million potential ColdFusion pages out on the internet, so it's certainly technology that's still in use. This is just a rough back-of-hand metric; it's not perfect and it's going to miss things. There are lots of ColdFusion applications that are going to be internal-only or intranet applications, and there are ways that you can build ColdFusion applications that this kind of search may not pick up on, but if nothing else it shows you that yes, ColdFusion is still out there in 2024. Some more metrics for today: ColdFusion is still very heavily used across all levels of government, so federal, state and local, it's out there. It's also surprisingly still out there in the private sector, and while many sites won't be running their main www or high-profile web properties on ColdFusion, they may have legacy applications, they may have niche applications, they may have internal or intranet applications like I mentioned, or they may be working with third-party providers, small vendors, who again are providing their services through ColdFusion applications, either new or legacy. ColdFusion is also still in scope for the Trend Micro Zero Day Initiative: in 2023 there was one vuln reported through ZDI, and 11 vulnerabilities were reported in 2022. And also in 2023 we saw multiple zero-day vulnerabilities in ColdFusion detected and fixed in the wild. Those last two metrics show you that you have security researchers today still actively looking at ColdFusion, and you also have attackers who are looking for zero days and exploiting zero days in the wild, looking at ColdFusion as well. ColdFusion also still continues to make headlines, and a lot of times these headlines are going to be security related, whether it's a recent compromise, an old compromise, or vulnerabilities used in ransomware kits. One thing that's significant is that even now a lot of ColdFusion vulnerabilities seem to have very long tails, so vulnerabilities that are decades old may still exist on the internet today and lead to compromises, lead to ransoms, and lead to either high-impact or high-profile breaches.

Okay, so I mentioned a couple of ColdFusion zero days in 2023. March of '23 was busy. This particular Adobe security bulletin had two zero days that were both patched. One was a local file include that was actually pretty involved: it involved sending in some code that was written to an error file that was then read back and could lead to remote code execution. And then at the same time there was a Java deserialization flaw that could lead to remote code execution as well. This was initially patched in March, and then subsequently there were multiple variants that were found, basically bypasses of the patch and then further bypasses of later patches. I'll be going into some more detail about some of these, but before I talk about the vulnerabilities I just want to touch on ColdFusion history in case folks may not be familiar. It's a web development language initially released by Allaire back in 1995. Initially it was C and C++; it was rewritten in Java in 2002 with the release of ColdFusion 6, and then acquired by Adobe in 2005. Besides the commercial Adobe ColdFusion there are alternate CFML engines. Currently today there's the actively maintained Lucee open-source engine, and then historically there have been Railo and OpenBD, which are two open-source projects no longer actively maintained, and also BlueDragon, which was a former commercial ColdFusion engine as well.

Okay, so to look at the tech overview quickly: ColdFusion code can be written in two different ways. One is the legacy tag-based style, which looks almost like HTML except that it's run and evaluated server side, and then there's the more modern CFScript, which will look like any script-based language, so your JavaScript or anything else. ColdFusion as a language has also had a lot of backwards compatibility, which is great in terms of letting applications continue to run, but from a security standpoint there's never been that big uplift from, let's say, classic ASP to ASP.NET, where there were lots of security guardrails and lots of breaking changes. Basically, today you can have the latest fully patched ColdFusion environment, but your old vulnerable custom code from 20 years ago can still run in that environment, so your platform may be secure but your code can still be insecure. And so just to take a look at those two styles, we can see some tag-based and some script-based code; these basically just print hello. When this is actually compiled, it's compiled into Java bytecode. When we look at a class file that's compiled, let's say we just do a hex dump and see that this is actually a Java class file, and being Java means that it's going to be pretty easy to decompile, so we can go from CFML to compiled Java back to some approximation of what the original native Java might look like.

Okay, so let's shift gears a little bit and talk about attack surface. When we're talking about attack surface we mean all the inputs, all the areas that an attacker may use to either access or exploit a system, and when we're looking to reduce our attack surface there are things we can do: we can harden the system, we can make sure we have good access control, we can turn off unnecessary stuff, and really just build security in, thinking about what we can do to break attacks, break known exploits, break exploit patterns and things like that. In terms of what we're going to talk about today there are three main categories: the first one is going to be admin interfaces, the second one is going to be remote ColdFusion methods, and then finally a little bit about server-side request forgery. With that said, there's going to be a lot of attack surface that's going to be out of scope for today. Like any other web language, web application security vulnerabilities can apply to ColdFusion, so in your custom code you need to worry about things like the OWASP Top 10, cross-site scripting, SQL injection, logic flaws, basically anything that applies regardless of whatever language or framework you're using; it would apply to ColdFusion as well. I'm also not going to talk about every single ColdFusion vulnerability. I'm going to use a couple of examples, but certainly there's a long history and lots more vulnerability data that I'm not going to go into in great detail. I'm also primarily focused on things that would be vulnerable or exploitable with a default install and that an external attacker would be able to exploit, so things like internal services, or services or configurations that may be turned off by default, are going to be out of scope. And certainly when you look at a whole application environment you're going to have a lot more than just your custom code and your application engine, so the full attack surface would be platform vulnerabilities, network vulnerabilities, database, and basically everything that makes your application go. We're pretty much just narrowly focused on ColdFusion engine issues.

Okay, so let's dive in: admin interfaces. The ColdFusion Administrator, just like any admin interface, is going to be sensitive. Whether it's a web interface or a piece of hardware, you want to protect access to it, because it can lead to sensitive functionality if an attacker was able to gain unauthorized access. For ColdFusion, CF Admin is a web interface used to manage the environment. Besides the web interface there's also an admin API with a number of endpoints. CF Admin comes with a lot of built-in and native code, so if you do a standard install you're going to get CF Admin and you're going to get a lot of stock code. Since CF Admin has had a history of vulnerabilities, your custom code can be perfect and vulnerability-free but that default image may come with built-in vulnerabilities or risks that you're going to want to keep in mind. And then finally, like I said, admin interfaces being sensitive, you are going to want to protect them, because if they get compromised an attacker can bootstrap access, they can elevate their privileges, and they may be able to live off the land, pivot, or do more things from that privileged vantage point. When we talk about CF Admin, typically it's going to be accessible via URLs that start with CFIDE/administrator or CFIDE/adminapi, and the bottom line is that it's something you're going to want to restrict access to.

Okay, so if folks have done ColdFusion pen tests in the past or looked at ColdFusion, this may look familiar. This is what the login page of CF Admin is going to look like, and oftentimes if you can get here that means you're going to have accessible vulnerabilities. If nothing else you can try and brute-force usernames and passwords, which may get you in, but beyond that, being able to see this page means you're going to be able to interact with API endpoints and components and things that, again, may be useful in a high-impact exploit chain.

Okay, so let's talk a little bit about how ColdFusion may typically be set up. This is definitely one of the more common deployments but not the only way to deploy it. ColdFusion, being a huge Java application, could be deployed basically any way that you're going to deploy Java servlets, but a lot of times you're going to have an external web server connected to ColdFusion via a connector, so something like an IIS ISAPI filter or a Tomcat connector. On the back end that will talk to an internal ColdFusion server that will typically run on port 8500, which usually isn't exposed to the internet and shouldn't be exposed to the internet (Shodan, prove me right or prove me wrong). Typically, when you're interacting with a ColdFusion environment you're going to be talking to the external web server, and that connector is going to be configured to basically pass some requests on to the ColdFusion environment and handle some requests locally. So if you request an image, your external web server is going to handle that; if you request ColdFusion code, the ColdFusion server is going to get that through the connector. Beyond that, you can also configure trusted IP addresses, and there are some built-in functions that will basically do access control checks for those trusted IP addresses. From a typical point of view, between the connector configurations and those IP address restrictions, this is how it's supposed to work: if you're on the outside and you request ColdFusion Administrator, you're going to get some kind of error, so it's either going to be not found, it's going to be forbidden, or it just somehow isn't going to be accessible. In reality it's typically going to look more like this: there have been a history of bypasses, there have been a history of ways, because again access control is really, really tough to get right 100% of the time. CF Admin is no different, and often being able to access vulnerable components or vulnerable functionality starts with something as simple as an access control bypass.

Okay, so looking at some potential access control bypasses. These have all been fixed at this point, but recently, on a Windows environment, just being able to suffix your CFIDE path with a trailing dot would bypass a lot of the built-in access control, because of how an external web server, the connector and the ColdFusion server would process that. That would be a way to bypass some of that initial access control, and so while you still wouldn't be authenticated, you, from the internet, might be able to get in. And then from here you can modify that in different ways, so things like mixed case and other variations. The top ones are all mine, things that I'd reported and have gotten fixed; these are all fixed as of a fairly recent ColdFusion update. And then in the bottom one we can see a directory traversal pattern, which was reported by Stephen Fewer of Rapid7 and fixed back in 2023.

All right, so when we think about access control defensively, here we need to do much more than just patch. A lot of times, to lock down an environment you're going to need to update your ColdFusion components and update your connectors. Access control, again, can be really tricky to get right, and so you also want to add trusted IP addresses into ColdFusion Administrator. If you're looking at this offensively, think about all the ways that you commonly bypass access control or a WAF rule, so URL encoding and URL modification; simple modifications can often bypass access control that may be out there. And like I said, a lot of times a successful exploit chain starts with a fairly simple access control bypass.

Okay, moving on to remote ColdFusion components. ColdFusion components are files with a .cfc extension that contain ColdFusion data and functions. Similar to Java methods, ColdFusion functions are going to have an access attribute that controls how they can be accessed, so you can set them up so that only other ColdFusion code can call your functions, but you can also build remote functions, which are almost like simple API endpoints that can be called via a URL request. One important thing to note is that there are different code paths for how CFM files, your standard ColdFusion files, get processed and how your ColdFusion components get processed if they're called via a URL: different servlets, and the servlet that processes ColdFusion components is a little more complicated and has had a history of exploitable vulnerabilities just in terms of what that code path looks like versus calling static ColdFusion files. And like I said, there are a lot of ColdFusion components included with a default ColdFusion install, in CF Admin and in other places. We look at what one of these might look like in either tag-based syntax or script-based syntax: we have a simple function that takes two arguments, concatenates them together and returns that value. We can access it via a URL where we're giving it the function name, the method name, and then our arguments, and it returns our value. But beyond doing it this way, we can also pass in all of our arguments at once in a parameter called argumentCollection, and that can get passed in either as a JSON object or a WDDX packet, which is just an XML-like data structure. Going back to our example, instead of passing all our arguments in individually, here we can see we're passing them in either as JSON or as WDDX, and again, same output, same functionality, just processed by those backing components.

The downside, though, is that remote CFCs can lead to some dangerous places. Looking at past vulnerabilities, it's led to XML external entity attacks, it's led to Java serialization attacks, and it's also led to mass assignments. We're going to dive into some of these, but really the biggest takeaway is that, defensively, if you're not actively using remote components you may want to just block remote access to CFC files, because that'll take a whole class of vulnerabilities off the table for your environment and may protect you from a future vulnerability that isn't known and isn't patched yet; you'll proactively have some level of defense. And to flip the table on the offensive side, a lot of times if you're going to exploit one of these vulnerabilities all you need to do is find one single CFC file. In a lot of cases it doesn't even need to have a specific vulnerability; it just needs to be any CFC file with a remote function in it.

Looking at some of these examples: this is going back a little historically, but it's something that was never written up, and when I was looking at some ColdFusion internals I found it long after it had been patched. It was patched back in 2017, but I saw in the code what looked like an XXE prevention method, and so that got me thinking, hmm, I wonder when that went in, and was this code path vulnerable before it was patched? It turned out it was, and from an exploitability standpoint all you needed to do was be able to call any CFC file. It didn't even have to have ColdFusion code in it; a blank file with a .cfc extension called via a URL would be enough to trigger this XXE vulnerability, which was interesting because it kind of raises interesting attack chains where, even if there's no vulnerable code, if I can create a file on a server I might be able to create this vulnerable condition. When we look at what the attack would potentially look like, again it's a pretty classic XXE attack, where within that XML-like WDDX packet we're passing in a classic XXE payload that gets processed. And so I thought, well, hmm, had this been either talked about or written up in detail initially, would it have preemptively made people think, "There's a large attack surface on remote ColdFusion components, and maybe blocking access to CFC files is a good proactive security step if you're not actively using them"?

Moving on to Java serialization vulnerabilities. These aren't unique to ColdFusion, and deserialization flaws in general aren't even unique to Java, but they occur when an application is going to deserialize untrusted data. It can lead to remote code execution, and historically ColdFusion, like lots of other Java applications, has had a history of these. This was one of the initial zero days that I talked about; this was one example that was initially found and patched in March of 2023 as a deserialization zero day, and over time it was patched, bypasses were found, it was patched again, and more bypasses were found. This is definitely through no fault of Adobe: root cause analysis is tough, and vulnerability patching is tough too in terms of getting it right and not breaking your environment while still providing adequate protection. But there were a series of these, and that middle part where it was patch, patch, patch was one of those initial kickoff points where I thought, proactively, are there things that we can learn about how these vulnerabilities get exploited or where they live, where we can either predict where the next one might be or put controls in place? When we look at what an exploit looks like for these vulnerabilities, this was the first one, and again it's kind of similar to our XXE vulnerability: instead of passing in XXE payloads we're passing in a deserialization payload, but similarly we just need to be able to access any remote CFC method. We pass in our serialized payload in a WDDX packet through our argumentCollection variable. So this was March; four months later another variant was patched, and between exploitation of the first one and the second one it was just a matter of using a different Java class as the payload within the serialization object. After that there was another bypass, and this was primarily the same kind of thing: find another class that we were able to pass the payload with. After this one there was another variant where the way that the payloads were being validated, that block list, was able to be bypassed. But through all these variants there was the commonality of: I'm interacting with a ColdFusion component with a remote method and passing in some kind of data through argumentCollection. And then finally, four months after the last one was patched, yet another bypass was found, and again it was just a matter of finding more Java classes that could be used for the serialized payload. Across all these vulnerabilities there was a lot of commonality, where I thought if you're able to block CFC files proactively, for example, or block requests that had argumentCollection proactively if you're not actively using that, that would have blocked vulnerability plus one or plus two or plus three.

All right, so again, to recap: in all those examples we saw that exploitable functionality would be reached just through any remote CFC method, similar to other vulnerabilities that we saw. There was a lot of overlap, and so again a defensive approach like blocking these would have prevented future exploitation of vulnerabilities before they were disclosed and before they were patched, and would be something for environments to give themselves a little bit of extra protection.

Moving on to the third category of vulnerabilities for ColdFusion components: mass assignment. Mass assignment is going to occur when an attacker is able to control values or objects they shouldn't be able to control. If you think about it, if this is a variable or an object that is security relevant or used in a sensitive operation, it may be the kind of thing where an attacker can break program flow or break assumptions if they're able to control sensitive data. Mass assignment is not unique to ColdFusion; there have been mass assignment vulnerabilities in Ruby, in ASP, in Node, and in other languages as well. This particular ColdFusion vulnerability was fixed last November, for the most part; there are some small edge cases that I'll talk about. But before I talk about the mass assignment vulnerability I want to talk a little bit about ColdFusion variables and variable scopes. ColdFusion stores its variables in scopes, which is basically just the context in which they exist. There are a bunch of predefined built-in scopes in ColdFusion: your application scope contains a bunch of variables about your application, your session scope may contain variables about a logged-in user or basically anything about the user's session state, and you have variable scopes like URL and form that contain all of your URL parameters or all of your form data. Beyond the built-in scopes you can create custom scopes as well, so custom code can create scopes and store variables in there. By design it's well known that the user can control a lot of these scopes; things like the URL scope and the form scope are documented sources of untrusted input, so before you use them, developers know you need to check these: these are unsafe, these are tainted. But mass assignment would give an attacker control over any scope, even the ones that they shouldn't be able to directly control.

Okay, so let's look at our example of a possible mass assignment vulnerability. Again we have a remote ColdFusion component, and in here we're doing some kind of security check based on one of our variables in a protected scope. In this case we're checking to see what the application environment is: if it's production we're going to do something, else if it's dev maybe we'll take a different path, so we'll show debug output or something else will happen. The mass assignment vulnerability here was that in our argumentCollection we could pass any scope and any value and then control that particular variable. There were some limitations: it only applied to code within remote ColdFusion functions, so if you were using this kind of logic elsewhere, in static CFML pages or outside of remote components, it wouldn't be exploitable, but for your API-like remote ColdFusion components this mass assignment vulnerability would be exploitable. The Adobe patch protects all of the built-in scopes, so things like your session scope and your application scope are all protected, but if you do have code like this where you're using custom scopes in remote ColdFusion components, an attacker could still potentially control those, and in that case you're going to want to validate what's coming in through the parameters and arguments and make sure that an attacker isn't able to control them. Again, the takeaways here are pretty similar: if we can avoid remote ColdFusion components, that's going to give us a lot of protection right off the bat, and from an exploitation standpoint a lot of times you just need access to one single CFC file to carry out a lot of these attacks.

Finally, the last attack surface category I want to talk about is server-side request forgery. Again, it's a common web application flaw that lets an attacker make web requests from the context of the web application environment; it basically turns the application server into the attacker's web browser. It's caused by failing to validate input that flows into vulnerable functions, or functions that are making outbound web requests or outbound network requests. As it relates to ColdFusion, a while back I was looking at some ColdFusion documentation, and for a particular function it caught my eye that a parameter that a lot of functions could take could be either a file, so a file path or a file object, or a URL. For this kind of function there was no switch, there was no check to see "am I consuming a file object or am I consuming a file path", and so this made me think it could be a common pitfall for developers: if they're calling one of these functions that take file paths and file objects, they may set themselves up. For this example here, if we pass in a URL in our file parameter instead of a file object, that function is going to go out and fetch that URL. The root cause here is that a lot of these functions use the Apache virtual file system to consume and process their arguments, and there are lots of ColdFusion tags and lots of ColdFusion functions that work this way. Compared to some other languages, so PHP, I know, has an allow_url_fopen parameter that lets developers globally turn this kind of functionality off and on; ColdFusion, at least as of the time that I reported this, didn't really have an easy way. There were some manually intensive ways: we could unzip a JAR file and modify an XML file and kind of put it all back together and hope that it would work, but there was no easy toggle switch to turn this functionality off or on. When I found the first example of this I went through and wrote a bunch of fuzzing test cases for a bunch of tags and a bunch of functions, passing in URLs and listening for callbacks, and identified a bunch of tags and a bunch of functions that could be potentially vulnerable here. I will call out that some of these are marked with an asterisk; those are tags or functions that are only vulnerable in the open-source Lucee CFML engine and not Adobe ColdFusion, but there is some overlap between the two in terms of tags and functions that are vulnerable. I have more detail, a full list, and additional information at the URL there. So again, the takeaway here is that for these tags and functions specifically, you should make sure that there's something during your code review process or your static analysis that looks for these, checks for these, and asks whether tainted data is flowing into them. Beyond that, in a proactive way, network egress filtering can be a huge help here, because if you had exploitable code but the attacker isn't able to call out, you may detect or prevent or otherwise become aware of that vulnerability before any damage is done. On the offensive side it's really no different than any other kind of server-side request forgery scanning: you use something like Burp Collaborator, throw out a bunch of URLs and parameters, listen for callbacks, and whether it's ColdFusion, whether it's because of these tags or functions, or whether it's something else, you'll find your server-side request forgery vulnerabilities that way, and then from there take that simple callback into something more high-impact.

So yeah, as we wrap it up: these vulnerabilities a lot of times can fit together and can chain together into high-impact vulnerabilities. We may be able to take a server-side request forgery vulnerability, use it to access ColdFusion Administrator and then do something bad from there, or we may find one of these ColdFusion Administrator access control bypass vulnerabilities and then chain that with a way to reach and then exploit one of those more serious, critical vulnerabilities that relied on remote CFCs and remote methods. If you're in a position where you need to protect ColdFusion, just a couple of handy things to do. Patching is probably the most important: having looked at a lot of ColdFusion systems, it's very, very hard to fully secure them if they're not up to date. ColdFusion has a Lockdown tool and lockdown settings that will do a lot of hardening right off the bat, highly recommended. ColdFusion has a sandbox tool that is built on the Java security sandbox and can do things like restrict network access, restrict file access, and enable and disable specific tags and functions; it can certainly lock things down too. And again, we've talked about access control, we've talked about WAF rules and things like that. Then finally, sometimes if everything else fails, endpoint detection or host detection may also give you some level of alerting if something is actually compromised, either as a secondary or tertiary indicator before things get even worse.

A couple of final closing thoughts. I also want to add that as a researcher, Adobe has been a great company to report things to; they've been easy to work with, they've been timely, so highly recommended there. I'll also say that more recently the ColdFusion security updates have included breaking changes in the name of security, so there have been things like changing some defaults, default parameters, default encryption algorithms, and turning off support for how some variable resolution works, that are definitely going to break legacy applications but make the ColdFusion environment much more secure from square one. So that's definitely a positive sign. And then also Adobe recently transformed their vulnerability disclosure program for ColdFusion and a bunch of other products into a paid bug bounty, so again, kudos to Adobe for continuing to support and facilitate security research. That is what I have. Here's my contact information, feel free to hit me up after the talk, and thank you very much. I think we have two minutes, so I'm happy to take questions, and otherwise enjoy what's left of BSides. [Applause]
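The two proactive controls the talk keeps coming back to (restrict CFIDE/administrator and CFIDE/adminapi to trusted addresses, and block remote .cfc access and the argumentCollection parameter when the application does not use remote components) only hold up if the path is canonicalised before it is compared, which is exactly what the trailing-dot, mixed-case, URL-encoding and traversal variants described in the access control section exploit. The following is an added example, not code from the talk or from Adobe: a small proxy-side request filter that canonicalises the path and applies those rules to a set of constructed request lines. The trusted network, the ALLOW_REMOTE_CFC switch and the specific canonicalisation steps are assumptions for the example; it inspects only the query string, so a real deployment must also check POST bodies for argumentCollection and still apply the connector-level and IP-restriction controls the talk describes.

```python
"""Proxy-side request filter for a ColdFusion deployment.

Added example, not code from the talk or from Adobe.  It canonicalises the
request path the way an attacker would try to bend it, then applies the three
controls the talk recommends: deny CFIDE/administrator and CFIDE/adminapi
except from trusted addresses, deny remote access to .cfc files, and deny the
argumentCollection parameter when the application does not use remote CFCs.
"""
from __future__ import annotations

import ipaddress
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# The two admin path prefixes come from the talk.  The trusted network and the
# ALLOW_REMOTE_CFC switch are assumptions for this example.
ADMIN_PREFIXES = ("/cfide/administrator", "/cfide/adminapi")
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOW_REMOTE_CFC = False  # set True only if the application really exposes remote CFCs


def _clean_segment(seg: str) -> str:
    """Drop trailing dots/spaces from a segment (Windows ignores them when it
    resolves a file name), but leave '.' and '..' alone so they still resolve."""
    return seg if seg in (".", "..") else seg.rstrip(". ")


def normalize_path(raw_path: str) -> str:
    """Canonical form of a request path: percent-decoded twice (to catch double
    encoding), backslashes folded to slashes, lower-cased, trailing dots stripped
    per segment, and '.'/'..' traversal resolved.  All comparisons use this form."""
    path = raw_path
    for _ in range(2):
        path = unquote(path)
    path = path.replace("\\", "/").lower()
    path = "/".join(_clean_segment(s) for s in path.split("/"))
    return posixpath.normpath("/" + path.lstrip("/"))


def is_trusted(client_ip: str) -> bool:
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETS)


def decide(target: str, client_ip: str) -> tuple[str, str]:
    """Return ('deny', reason) or ('allow', 'ok') for one request target."""
    parts = urlsplit(target)
    path = normalize_path(parts.path)
    query_keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}

    if path.startswith(ADMIN_PREFIXES) and not is_trusted(client_ip):
        return "deny", "admin interface from untrusted address"
    if not ALLOW_REMOTE_CFC:
        # Check every segment, so /x.cfc/extra/path-info is caught as well.
        if any(seg.endswith(".cfc") for seg in path.split("/")):
            return "deny", "remote CFC access disabled"
        # argumentCollection can also arrive in a POST body; a real filter must
        # inspect form data too.  This example only looks at the query string.
        if "argumentcollection" in query_keys:
            return "deny", "argumentCollection not permitted"
    return "allow", "ok"


# Constructed request lines for the example; they are not captured traffic.
SAMPLE_REQUESTS = [
    ("/index.cfm", "203.0.113.5"),
    ("/CFIDE/administrator/index.cfm", "203.0.113.5"),
    ("/CFIDE/administrator./index.cfm", "203.0.113.5"),            # trailing dot
    ("/cfIDE/AdminAPI/base.cfc?method=foo", "203.0.113.5"),         # mixed case
    ("/images/..%2f..%2fCFIDE/administrator/", "203.0.113.5"),      # traversal + encoding
    ("/CFIDE/administrator/index.cfm", "10.1.2.3"),                 # trusted address
    ("/api/Example.cfc?method=hello&argumentCollection=%7B%7D", "203.0.113.5"),
    ("/api/example.cfm?ARGUMENTCOLLECTION=%7B%7D", "203.0.113.5"),
]


def run_samples() -> list[tuple[str, str]]:
    return [decide(target, ip) for target, ip in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (target, ip), (verdict, reason) in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{verdict:5} {ip:12} {target}  ({reason})")
```

The ordering matters: the admin check runs on the canonical path first, so a request for the adminapi that is also a .cfc is reported as an admin access attempt rather than as a generic CFC request, and the trusted-address exemption applies only to the admin rule, not to the remote-CFC rule.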
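The server-side request forgery section asks for something in code review or static analysis that looks for the file-path-consuming tags and functions and checks whether tainted data flows into them. The following is an added example, not code from the talk or from any product: a first-pass CFML taint check over a constructed source sample. The sink names used here (cffile, cfspreadsheet, fileRead, fileReadBinary, imageRead, spreadsheetRead) are illustrative picks, not the talk's list, which lives at the URL the speaker refers to; the scope list uses the URL and form scopes the talk names as documented untrusted input, with cgi, cookie and arguments added as further request-controlled sources for this example.

```python
"""Code-review helper: flag CFML sinks that take a file path (and, through the
file-system layer underneath, may also accept a URL) when their input comes
from a user-controlled scope.

Added example, not code from the talk or from any product.  The sink names
below are illustrative; the talk's own list is not reproduced here.
"""
from __future__ import annotations

import re

# Assumption: illustrative tag attributes and functions that consume a file
# path.  Extend from the talk's list for real use.
SINK_TAGS = {"cffile": {"file", "source"}, "cfspreadsheet": {"src"}}
SINK_FUNCS = {"fileread", "filereadbinary", "imageread", "spreadsheetread"}
# url. and form. are the scopes the talk names as untrusted input; cgi., cookie.
# and arguments. (a remote CFC's arguments come straight from the request) are
# added for this example.
TAINTED_SCOPES = ("url.", "form.", "cgi.", "cookie.", "arguments.")

TAG_RE = re.compile(r"<(cf\w+)\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# Greedy to the last ')' on the line so nested calls such as
# fileRead(expandPath(url.x)) are examined as a whole.
FUNC_RE = re.compile(r"\b(" + "|".join(sorted(SINK_FUNCS)) + r")\s*\((.*)\)", re.I)


def is_tainted(expr: str) -> bool:
    """True if the expression references a user-controlled scope directly.
    Flow through intermediate variables is not tracked; this is a first pass,
    so a value copied from url.x into a local first will be missed."""
    e = expr.lower()
    return any(scope in e for scope in TAINTED_SCOPES)


def scan(source: str) -> list[dict]:
    """Return one finding per sink whose file-path input is tainted."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in TAG_RE.finditer(line):
            tag = m.group(1).lower()
            if tag not in SINK_TAGS:
                continue
            for name, value in ATTR_RE.findall(m.group(2)):
                if name.lower() in SINK_TAGS[tag] and is_tainted(value):
                    findings.append({"line": lineno, "sink": f"<{tag} {name}>", "input": value})
        for m in FUNC_RE.finditer(line):
            if is_tainted(m.group(2)):
                findings.append({"line": lineno, "sink": m.group(1) + "()", "input": m.group(2)})
    return findings


# Constructed CFML sample for the example, not code from any real application.
SAMPLE_CFML = """\
<cfset safePath = expandPath("./data/report.txt")>
<cffile action="read" file="#url.path#" variable="contents">
<cffile action="read" file="#safePath#" variable="contents">
<cfset data = fileRead(form.filename)>
<cfset data = fileRead(safePath)>
<cfset img = imageRead(expandPath(arguments.src))>
"""


def run_sample() -> list[dict]:
    return scan(SAMPLE_CFML)


if __name__ == "__main__":
    for f in run_sample():
        print(f"line {f['line']}: {f['sink']} receives {f['input']}")
```

Findings from the sample are the three sinks fed directly from a request scope (lines 2, 4 and 6); the two calls that read a path built with expandPath from a literal are not flagged. Treat each hit as a prompt to confirm the value cannot be a URL before it reaches the sink, and pair the check with the egress filtering the talk recommends so that a missed case still cannot call out.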