Tuesday, May 14, 2013

Critical update for ColdFusion 10 and earlier released : May 2013

A security update for ColdFusion is now available for versions 10, 9.0.2, 9.0.1 and 9. This hotfix addresses the issues reported in Advisory 13-03.
If you are on ColdFusion 10, you will see a new Update 10 in the ColdFusion Administrator that you can download and install. Adobe recommends that users apply this update to their product installations. Here's a link to the related security bulletin.
As an additional precaution, we recommend commenting out the RDS servlet and its servlet mapping in web.xml on any server where RDS is not needed.
It is highly recommended that all public-facing servers are locked down properly to protect against unknown attacks. Recently we have seen an increased number of attacks on the Administrator and RDS functionality of ColdFusion. These are internal components and are meant to be blocked from any external access. Many attacks will be prevented, and will simply fail, if the servers are properly locked down. Complete instructions for protecting the server can be found in the lockdown guides:
ColdFusion 10 Lockdown Guide
ColdFusion 9 Lockdown Guide
ColdFusion has added a lot of new functionality for securing applications and has improved security in general; even so, due caution is warranted to secure the server installation and its internal applications against attack.
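The two recommendations above (comment out the RDS servlet in web.xml, and keep Administrator/RDS blocked from outside) are easy to state and easy to get half done. The following Python audit is an added example, not code from Adobe's post or from the lockdown guides: it parses a web.xml and reports which url-patterns still route to the RDS servlet. Because an XML parser discards comments, a servlet or servlet-mapping that has been properly wrapped in <!-- --> simply disappears from the result, while one that was left active shows up. The servlet name RDSServlet, the front-end class coldfusion.rds.RdsFrontEndServlet and the /CFIDE/main/ide.cfm mapping are assumptions taken from a stock install and are not stated on the page; the web.xml samples are constructed for the example.

```python
"""Audit a ColdFusion web.xml for a still-active RDS servlet.

Added example, not part of the Adobe post. The servlet name, front-end
class and url-pattern below are ASSUMED from a typical ColdFusion
install; check them against your own web.xml before relying on them.
"""
import xml.etree.ElementTree as ET

# Assumed identifiers (not given on the page).
RDS_SERVLET_NAME = "RDSServlet"
RDS_FRONTEND_CLASS = "coldfusion.rds.RdsFrontEndServlet"

# Constructed web.xml fragments standing in for a real server's file.
RDS_SERVLET = f"""  <servlet>
    <servlet-name>{RDS_SERVLET_NAME}</servlet-name>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
    <init-param>
      <param-name>servlet.class</param-name>
      <param-value>{RDS_FRONTEND_CLASS}</param-value>
    </init-param>
  </servlet>"""

RDS_MAPPING = f"""  <servlet-mapping>
    <servlet-name>{RDS_SERVLET_NAME}</servlet-name>
    <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
  </servlet-mapping>"""


def build_web_xml(rds_servlet_block, rds_mapping_block):
    """Assemble a small (constructed) web.xml around the RDS fragments."""
    return f"""<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>CfmServlet</servlet-name>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
  </servlet>
{rds_servlet_block}
  <servlet-mapping>
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
  </servlet-mapping>
{rds_mapping_block}
</web-app>
"""


def comment_out(fragment):
    """Wrap a web.xml fragment in an XML comment, as the lockdown step does."""
    return "<!--\n" + fragment + "\n-->"


WEB_XML_RDS_ENABLED = build_web_xml(RDS_SERVLET, RDS_MAPPING)
WEB_XML_RDS_DISABLED = build_web_xml(comment_out(RDS_SERVLET),
                                     comment_out(RDS_MAPPING))


def _local(tag):
    """Strip a namespace prefix: '{uri}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def active_rds_url_patterns(web_xml_text):
    """Return every url-pattern that still routes to the RDS servlet.

    The parser drops comments, so commented-out <servlet> and
    <servlet-mapping> elements never reach this function. An empty list
    means RDS is no longer reachable through web.xml.
    """
    root = ET.fromstring(web_xml_text)

    # Pass 1: which <servlet> entries are RDS (by front-end class or name)?
    rds_names = set()
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name, frontend = None, None
        for child in servlet:
            tag = _local(child.tag)
            if tag == "servlet-name":
                name = (child.text or "").strip()
            elif tag == "init-param":
                params = {_local(p.tag): (p.text or "").strip() for p in child}
                if params.get("param-name") == "servlet.class":
                    frontend = params.get("param-value")
        if name and (frontend == RDS_FRONTEND_CLASS or name == RDS_SERVLET_NAME):
            rds_names.add(name)

    # Pass 2: collect url-patterns of every mapping that points at them.
    patterns = []
    for mapping in root.iter():
        if _local(mapping.tag) != "servlet-mapping":
            continue
        name = next(((c.text or "").strip() for c in mapping
                     if _local(c.tag) == "servlet-name"), None)
        if name in rds_names:
            patterns.extend((c.text or "").strip() for c in mapping
                            if _local(c.tag) == "url-pattern")
    return patterns


if __name__ == "__main__":
    print("before lockdown:", active_rds_url_patterns(WEB_XML_RDS_ENABLED))
    print("after lockdown: ", active_rds_url_patterns(WEB_XML_RDS_DISABLED))
```

To audit a real server, read the file from the ColdFusion web application's WEB-INF directory and pass its contents to active_rds_url_patterns. A non-empty result means the web.xml step was missed; an empty result only covers web.xml, so the Administrator and RDS paths still need to be blocked at the web server or firewall as the lockdown guides describe.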