Is your Adobe Coldfusion server running an old version of CF?
20/11/2015
Is your Adobe Coldfusion server running an old version of CF - beware of the security implications as Adobe are no longer supporting ColdFusion 9
Paul Lawrie, Director
Created and maintained by Adobe, ColdFusion is a popular programming language used in the development of websites and web applications. All programming languages, particularly when it comes to web applications, have their own strengths, vulnerabilities, and quirks. ColdFusion is no exception, and the language has recently undergone some major changes in infrastructure.
With the introduction of CF11, some vulnerabilities from prior versions were addressed with an array of new, up-to-date security features. Many websites, however, are still running on older, outdated versions of the ColdFusion Server (CF9 and below). Failing to update leaves these sites dangerously vulnerable to the very attacks that ColdFusion 11 was engineered to prevent.
Today, cyber crime is more prevalent than ever before, and using outdated software is an open invitation for hackers to exploit vulnerabilities, steal data, and harm businesses. Here at mso, we offer professional consulting and technical services to help clients running on older versions of ColdFusion to get up to speed with the latest and most secure iteration of the platform. We make the process of migrating to CF11 simple, seamless, and secure, ensuring that old vulnerabilities are patched, performance is optimised and sensitive data is locked down and protected.
Versions CF9 and below are particularly at risk from login bypass exploits and are susceptible to numerous file disclosure issues. Simply put, these vulnerabilities allow hackers to use relatively simple techniques to obtain sensitive information, including password hashes. Throughout 2013 in particular, several high-profile data breaches occurred in which hackers exploited security vulnerabilities in older versions of the ColdFusion software. Credit card information and other sensitive data and personal information were obtained from large companies, including the US firms Smucker’s and SecurePay.
Where CF9 and earlier fall short, CF11 picks up the slack. Adobe has gone above and beyond simply patching security holes. It has updated the language to meet the demands of modern cyber security. With CF11, Adobe has given the server a major overhaul, making ColdFusion a formidable development environment when it comes to contemporary web security standards.
Perhaps due to the scope of the jump between CF9 and CF11, there is very little ongoing support for CF9 and below. In fact, in December of 2014, Adobe stopped issuing security updates for CF9 and below, furthering the impetus for sites running on outdated versions of the platform to update to the current version of CF11.
Some of the most significant improvements on offer from CF11 come in the form of new cryptographic enhancements to existing APIs, extended Secure Profile controls (originally introduced in CF10) and a new set of OWASP tools for vulnerability scanning integrated directly into the platform.
One important new CFML feature is the AntiSamy API, which checks user-generated content, such as comments and profile information, for malicious code. Web applications running older versions of ColdFusion are, unfortunately, much more vulnerable in this respect, with virtually no sophisticated safeguard in place against attacks of this nature.
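As an added illustration (not code from the original article), the following cfscript shows how a CF11 application can run a submitted comment through the AntiSamy-backed getSafeHTML() and isSafeHTML() functions before storing or rendering it. The comment text and the log file name are constructed for the example; an empty policy file selects ColdFusion's bundled default AntiSamy policy.

```cfml
<cfscript>
// Added example: sanitise user-submitted HTML with ColdFusion 11's
// AntiSamy integration. Not part of the original article.

// Returns a sanitised copy of the submitted markup. An empty policyFile uses
// ColdFusion's default AntiSamy policy; a stricter custom policy can be passed
// as a file path (assumed location, e.g. expandPath("/config/antisamy-comments.xml")).
function sanitiseComment(required string rawHtml, string policyFile = "") {
    // isSafeHTML() lets you record attempts separately from cleaning them,
    // which gives the detection side something to alert on.
    if (!isSafeHTML(arguments.rawHtml, arguments.policyFile, false)) {
        writeLog(type="warning", file="comments",
                 text="Submitted comment contained disallowed HTML and was sanitised");
    }
    // throwOnError=false: strip disallowed markup rather than rejecting the post.
    return getSafeHTML(arguments.rawHtml, arguments.policyFile, false);
}

// Constructed sample: benign formatting plus an injected script element.
submitted = "<b>Great article</b><script>alert('xss')</script>";
clean = sanitiseComment(submitted);

// Persist and render only the sanitised version. Because the output is meant
// to be rich HTML, it is written as markup; for plain-text fields you would
// use encodeForHTML() at output time instead.
writeOutput(clean);
</cfscript>
```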
Secure Profile (a feature that was introduced in ColdFusion 10) adds an additional layer of security for site administrators. In CF11, site admins have significantly more control over the Secure Profile protocols than with the initial release in CF10. For example, using CF11, a site admin could use this feature to deny access to a particular range of IP addresses, thus thwarting certain kinds of malicious attacks. In addition, CF11 has a built-in mechanism for preventing external access to Administrator and its components as well as providing the option as to whether or not to allow concurrent logins for specified users.
There are several more important security enhancements in ColdFusion 11 that are related to the use of data encryption, a practice which is rapidly becoming an industry standard across development platforms. Support for PBKDF2, a function that allows developers to generate encryption keys from passwords, is one example of how improved encryption technology factors into CF11. Additionally, with the cfmail feature that is built into the ColdFusion platform, CF11 is now able to send S/MIME encrypted emails. E-mail encryption is rapidly becoming an essential aspect of online security. Unlike with previous versions of ColdFusion, CF11 now allows developers to enable SSL for the WebSockets proxy, adding yet another robust layer of security.
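The PBKDF2 support mentioned above, as an added example that is not from the original article: a passphrase is turned into an AES key with CF11's generatePBKDFKey() and then used to encrypt and decrypt a record field. The passphrase, salt handling and iteration count are constructed for illustration, and the PBKDF2WithHmacSHA256 algorithm name is assumed to be available on the server's JVM.

```cfml
<cfscript>
// Added example: PBKDF2 key derivation and AES encryption in ColdFusion 11.
// Not part of the original article.

// Derive a 128-bit AES key from a passphrase and a per-record salt.
// A high iteration count slows down offline guessing if the ciphertext and
// salt are ever exposed; tune it to your hardware.
function deriveKey(required string passphrase, required string salt,
                   numeric iterations = 100000) {
    return generatePBKDFKey("PBKDF2WithHmacSHA256", arguments.passphrase,
                            arguments.salt, arguments.iterations, 128);
}

// Encrypt with AES-CBC. When no IV is supplied for a block mode, ColdFusion
// generates a random IV and prefixes it to the output, so decrypt() can
// recover it without the IV being stored separately.
function protectField(required string plaintext, required string key) {
    return encrypt(arguments.plaintext, arguments.key, "AES/CBC/PKCS5Padding", "Base64");
}

function revealField(required string ciphertext, required string key) {
    return decrypt(arguments.ciphertext, arguments.key, "AES/CBC/PKCS5Padding", "Base64");
}

// A fresh random salt per record. generateSecretKey() is simply a convenient
// source of 128 random bits (Base64); the salt is stored with the ciphertext
// and does not need to be secret.
salt = generateSecretKey("AES", 128);

// Constructed passphrase; in a deployment this comes from configuration or a vault,
// never from source control.
passphrase = "correct horse battery staple";
key = deriveKey(passphrase, salt);

sealed = protectField("+44 1474 000000", key);   // constructed sample value
opened = revealField(sealed, key);
if (opened != "+44 1474 000000") {
    throw(type="Application", message="Round trip failed");
}
</cfscript>
```

The same derived key must be recomputed from the stored salt whenever the field is read, so the salt and iteration count need to be stored alongside the ciphertext.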
Here at mso, security is our priority. Our professional consulting services and top-tier technical support can ensure that your website is up-to-date with current security practices. We can assist with migrating sites from older versions of ColdFusion to the new, secure CF11 platform. From deploying in a test environment to troubleshooting and to going live, mso makes the process seamless and secure.
Whilst migrating from an older version of ColdFusion to CF11 is relatively simple in theory, we always recommend doing the initial upgrade in a test environment. CF11 is technically backwards compatible with previous versions, but upgrades are not always flawless out of the box. We ensure the transition goes smoothly, assist with any troubleshooting that may arise, set up your encrypted e-mail, and adjust the Admin configuration to maximise site security and performance.
If you’ve read thus far and you need some advice, please get in touch by emailing our experts at [email protected] or calling 01474 704 400.