While its vulnerabilities are still mostly relevant towards newer versions of ColdFusion, DISA has now sunset the Adobe ColdFusion 11 STIG as it has not seen an update since 26 Jul 2021. Is there any hope at all for Adobe to work through the vendor STIG process for the newest iterations of the software?
Reference: https://public.cyber.mil/stigs/downloads/
Reference: https://public.cyber.mil/stigs/vendor-process/
You are asking about Adobe working through the vendor STIG process for the newest iterations of which ColdFusion version?
Indeed, and I will add that I'd brought this to Adobe's attention directly the other day, and asked them to please offer some answer here.
@BKBK, I apologize for the great delay. I forgot that I put this out there. Yes, I am asking if Adobe has plans to go through the vendor STIG process for newer iterations of ColdFusion.
I have no idea. But I would guess not. It's a lot of work! Adobe ColdFusion contains a bunch of bundled products that Adobe doesn't completely control: a modified version of Apache Tomcat, a modified version of Apache Solr, DataDirect JDBC drivers, a bunch of JARs, a server JVM, and so on. So why should they go through that if they don't have to? My guess was that they did it back for CF 10 or whatever and decided there wasn't any benefit for them.
Dave Watts, Eidolon LLC
Adobe has a history of responding to security vulnerabilities in their products and releasing updates to address them. It's possible that they will work through the vendor STIG process for their newest iterations of ColdFusion, but this would depend on their internal priorities and resources.
In the meantime, organizations using ColdFusion should continue to follow best practices for securing their systems, including keeping up with security updates and patches, monitoring for potential security threats, and implementing appropriate access controls and other security measures.
I have heard (unofficially) that Adobe is currently working on updating the ColdFusion STIG and is targeting Q4 2024 for release. No info on which version this will cover, but presumably 2021 and/or 2023.