Information Week has published an important article entitled ColdFusion Hacks Point To Unpatched Systems. The basic premise is nothing ColdFusion specific; if you deploy public facing servers and then neglect to patch or update them, well, you’re asking for trouble. That said, ColdFusion seems to be particularly vulnerable not because of the software itself, but because ColdFusion servers are often deployed and used by less experienced developers and administrators. (That, and many are considered “legacy” code for “we’ll keep using it but will never actually pay attention to it”).
If you host public facing servers, then you have a responsibility to manage and maintain them. So, two practical suggestions:
- If you are not using ColdFusion 10, upgrade now! ColdFusion 10 can notify you of available updates, and also simplifies installing them. While I wish ColdFusion would have offered this years ago, it does offer it now, so use it!
- Sign up with HackMyCF, a monitoring service that will probe your ColdFusion servers and will then send you notifications and alerts. It’s inexpensive, and will more than pay for itself the first time it alerts you to plug a hole.