BUSINESS OWNERS: Who is responsible for patching your ColdFusion Servers?
This isn't a trick question. Do you know who is responsible for patching your CF servers?
Do you host your own servers? If so, then you have a Systems Administrator that keeps them patched. Right?
Are you using a hosting provider? Are they keeping your servers up to date? Are they keeping ColdFusion patched? Or is that still the responsibility of your IT team? If you are using a hosting provider, check your service level agreement (SLA) to see whose job it is to keep your servers patched. In many cases (such as a VPS or a co-located server) the hosting provider may not do any maintenance at all. To say that it's better to find this out before you sign an SLA is an understatement. Seriously.
If you're running a company and you don't know the answers to these questions, you owe it to yourself (and your investors) to find out - NOW.
ColdFusion servers are under attack. These are not new attacks. They are ongoing attacks against unpatched ColdFusion servers, and they have been going on for well over a year. There are patches for ColdFusion 9, 10 and 11, but versions 8 and earlier can be vulnerable and, in fact, are vulnerable. If you're running ColdFusion 8 or older, there is a chance that these patches are not installed and that the server is not configured according to the Adobe Lockdown Guides (CF9, CF10, CF11).
At CF Webtools we've been receiving calls from companies that have had their servers breached, and while we like the business - $$$ - we'd rather be called before your servers are breached, not after. Patching and securing a server is far easier than trying to repair one that has already been breached. In the worst cases, we've had to either replace the server or reinstall it from scratch.
So back to my opening question... Who is responsible for patching your servers? I'm not trying to scare you or create a panic, but I am trying to make you AWARE. Servers getting attacked is nothing new – unfortunately, it happens all the time.
But these attacks are something we know about. We know how they're being carried out, and even more importantly, we know how to keep the attackers from getting in.
If no one on your IT team is responsible for patching the servers, and your hosting company isn't patching them either, then who will? Who will make sure they are secure? We will.
* UPDATE: This article was updated to include information for ColdFusion 11