Neglected ColdFusion Servers Invite Hackers

Information Week has published an important article entitled ColdFusion Hacks Point To Unpatched Systems. The basic premise is nothing ColdFusion specific: if you deploy public-facing servers and then neglect to patch or update them, you are asking for trouble. That said, ColdFusion seems to be particularly exposed, not because of the software itself, but because ColdFusion servers are often deployed and run by less experienced developers and administrators. (That, and many are considered "legacy" code in the sense of "we'll keep using it but will never actually pay attention to it".)
If you host public-facing servers, then you have a responsibility to manage and maintain them. So, two practical suggestions:

  • If you are not on ColdFusion 10, upgrade now! ColdFusion 10 can notify you of available updates and also simplifies installing them. I wish ColdFusion had offered this years ago, but it offers it now, so use it!
  • Sign up with HackMyCF, a monitoring service that probes your ColdFusion servers and then sends you notifications and alerts. It is inexpensive, and it will more than pay for itself the first time it alerts you to a hole that needs plugging.
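
If you would rather run a first, very basic version of that external probe yourself (added example, not code from this post and not how HackMyCF works), the script below requests the ColdFusion Administrator at its default path from the outside and reports two things: whether the admin login page is served to an arbitrary client at all, and whether a `Server` or `X-Powered-By` header names ColdFusion. Assumptions: the administrator has not been moved from `/CFIDE/administrator/`, its login page contains the text "ColdFusion Administrator", and the host name and header values are whatever you pass in; the `assess` function is separated from the network fetch so it can be exercised on constructed responses.

```python
"""Minimal external exposure check for a ColdFusion host (added example).

Assumed: the ColdFusion Administrator sits at its default path and should
not answer to the public internet (lockdown guidance restricts it to
trusted addresses). This is a starting point, not a substitute for a
monitoring service that tracks new patches.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import urllib.error
import urllib.request

ADMIN_PATH = "/CFIDE/administrator/index.cfm"  # default location, assumed unchanged
LOGIN_MARKER = "coldfusion administrator"       # assumed text on the login page


@dataclass
class ProbeResult:
    url: str
    status: Optional[int]
    findings: List[str] = field(default_factory=list)


def assess(status: Optional[int], headers: Dict[str, str], body: str) -> List[str]:
    """Turn one HTTP response into a list of findings.

    status None means the host did not answer at all (connection refused,
    timeout), which from an exposure standpoint is the desired outcome,
    as is a 403/404 for the admin path.
    """
    findings: List[str] = []
    if status is None:
        return findings
    lowered = {k.lower(): v for k, v in headers.items()}
    # The admin login page served to a random external client means the
    # console is reachable from the public internet.
    if status == 200 and LOGIN_MARKER in body.lower():
        findings.append("CF Administrator login page is publicly reachable")
    # A header naming ColdFusion tells an attacker exactly what to target.
    for name in ("server", "x-powered-by"):
        value = lowered.get(name, "")
        if "coldfusion" in value.lower():
            findings.append(f"{name} header discloses: {value}")
    return findings


def probe(base_url: str, timeout: float = 5.0) -> ProbeResult:
    """Fetch the admin path from wherever this script runs and assess it."""
    url = base_url.rstrip("/") + ADMIN_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "cf-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            headers = dict(resp.headers)
            body = resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # 403/404 etc. still carry headers
        status, headers, body = err.code, dict(err.headers), ""
    except (urllib.error.URLError, OSError):   # no answer at all
        status, headers, body = None, {}, ""
    return ProbeResult(url, status, assess(status, headers, body))


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        result = probe(host)
        print(result.url, result.status, result.findings or "no findings")
```

Run it from a machine outside your own network (`python cfcheck.py https://www.example.com`) so that you see what an attacker sees; a clean result only says the admin console is not openly exposed, it says nothing about whether the server is patched.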

  1. Shawn

    I do agree, if you're still getting hacked by patched vulnerabilities then it is self-inflicted errors. However, on the notion to upgrade to CF10 ASAP….
    CF did not help its cause with the license changes of CF10. Many companies are holding out on upgrading because CF10 turns their 1-license machine into a 3-license machine. In some cases a 2-license machine into a 7-license machine. I'm aware of several on CF9 that are in stasis until they see if CF11 makes the EULA reasonable again, else they will migrate from the platform. Thankfully it sounds like the team is looking hard at improving this, so in all fairness it should have read "patch your servers and buy CF11 when it releases". That will make more financial sense to most orgs still on CF9 or earlier.

