Is there any hope in a new STIG to support newest ColdFusion

Forum|Forum|2 years ago
April 28, 2023
3 replies
965 views

While its vulnerabilities are still mostly relevant towards newer versions of ColdFusion, DISA has now sunset the Adobe ColdFusion 11 STIG as it has not seen an update since 26 Jul 2021. Is there any hope at all for Adobe to work through the vendor STIG process for the newest iterations of the software?

Reference: https://public.cyber.mil/stigs/downloads/
Reference: https://public.cyber.mil/stigs/vendor-process/

B

bell_the_cat

Inspiring

I have heard (unofficially) that Adobe is currently working on updating ColdFusion STIG and are targeting Q4 2024 for release. No info on which version this will cover, but presumably 2021 and/or 2023.

B

bell_the_cat

Inspiring

This is still unofficial, however my organization received this from our Adobe support contact earlier this year: "We are awaiting review comments from DISA on our final [STIG] submission. Once 2023 is closed, we can look to get one started for 2025. Since there are not too many changes in 2025, that should be straightforward in my opinion."

So it sounds like they're targeting CF 2023 for the next STIG publication. Last update was early-April - team still waiting on DISA review. Hope that helps!

J

Josh28586295ez4u

Participating Frequently

Adobe has a history of responding to security vulnerabilities in their products and releasing updates to address them. It's possible that they will work through the vendor STIG process for their newest iterations of ColdFusion, but this would depend on their internal priorities and resources.

In the meantime, organizations using ColdFusion should continue to follow best practices for securing their systems, including keeping up with security updates and patches, monitoring for potential security threats, and implementing appropriate access controls and other security measures.