Due to many politics and things out of my control here, we will be continuing to run a public production CF 11 host with no end date in sight. (which is part of those politics - they actually appear to want it to fail)
Since it is unsupported and will never be updated, I’m just wondering if there are mitigation steps I can take to ensure even known issues are not available to hackers?
Any extraneous services, packages, etc. I can make sure are off/removed, etc.?
Appreciate everyone’s feedback.
There's so much that could be said (about remaining on CF11), but it's clear your folks won't care to hear about that. First and foremost, please do see the CF lockdown guides (written by Pete Freitag for Adobe). Those have existed for each release for several versions, and they cover the MANY things one should do to ensure a server is secure.
There are too many specifics to list here, ranging from simple tasks to more elaborate ones. Rather than even offer just bullet points for them, I'll suggest instead that you check out the table of contents of the document; the sections listed there are links into the document, where there's much more detail on each.
While Adobe no longer plainly offers the version of the document for CF2016 or other releases (that are no longer supported), the document can be found for various older CF versions in various places on the internet, and specifically this PDF of the CF11 Lockdown Guide via the good ol' web archive. (For interested readers, the CF2021 version of the guide is here.)
Beyond securing your server, you can and should also secure your code. For that, Pete (through Adobe) had written the ColdFusion Developer Security Guidelines, last updated in CF11.
There are also tools you can use to help secure things, both your server and your code. I list several of them here: Security Resources for CFML, and almost all those are still valuable for you on CF11.
Thank you both (Charlie and BKBK) so much. Great stuff!
Implementing any of these I hadn't already, as quickly as I can.
@Charlie Arehart's reply contains practically all the suggestions you will need on:
That is one part of the story. There is another.
History teaches us that some kings still fell, despite having built the most secure, impenetrable fortresses. Their weakness was that they failed to get into the mindset of a possible attacker.
No matter how impenetrable your defences, human ingenuity will always attempt to find a way. So, going forward, you should: