Tuesday, March 5, 2024

One Reason Why Your ColdFusion Server May Still Be Vulnerable Even With the Latest Security Updates Installed

Next Tuesday is Adobe Patch Tuesday.  Will there be new ColdFusion security updates?  I have no idea.  But even if there are no new patches released, and your ColdFusion servers already have the latest updates installed, you may still be missing an important step in keeping them secure.

I'm talking about Connectors.

Now I'm sure you're all reading, re-reading, refreshing, and diffing ColdFusion technical documentation constantly.  On the daily.  Who knows when sections might be revised, tidbits added, and what new secrets they contain.  (Legend has it that JJ Allaire hid clues throughout the ColdFusion documentation to the location of a king's ransom in gold buried somewhere deep within the foothills of the Sierra Nevada mountains.)  But in case you missed it, last month Adobe updated several ColdFusion Update pages with an alert to "Check if you need to create and configure connectors after installing the update."  For example, from the updated page for ColdFusion 2023 Update 6:


Since ColdFusion patches are cumulative, it's possible that some folks have jumped in at an Update point where a connector re-creation wasn't explicitly required.  Or the requirement for a connector re-create was overlooked or unclear.  Installing an update does not automatically update the connector, so connectors will always have to be created and re-created manually when needed.

The connectors released with ColdFusion 2023 Update 5 and ColdFusion 2021 Update 11 contain important security updates to protect access to CFAdmin.  Be advised that these new connectors will block all CFAdmin traffic through the connector -- which is great for security if your server on the public Internet (but could cause issues if that is an unexpected change).  I wrote about that back in October.  Go read that article for more information about the updated connectors and some other recommended server security settings.  And the next time you install updates (or even better, now!), check to see if you should re-create your connectors too.

No comments:

Post a Comment