Determining Which Cumulative Hotfixes are Installed on ColdFusion
It's not always obvious which Cumulative hotfixes are installed on a ColdFusion server. I'm pleased to announce that the paid subscriptions for HackMyCF now let you know which cumulative (non security) hotfixes you have installed, and which ones you don't.
As you may know Adobe released Cumulative Hotfix 2 for ColdFusion 9.0.1 on Friday. So here's what a server that is running cumulative hotfix 1 for 9.0.1 but not cumulative hotfix 2 looks like in a HackMyCF subscription:
The current known limitations of this feature are:
- Not enabled for ColdFusion 8.0.0 or below at this time (does work for 8.0.1 however).
- Requires a paid subscription and the probe installed (not possible on free version).
Also announcing the HackMyCF Probe
The probe is a cfm file that you place on your server, subscribers can specify a url to the cfm file for each server in their account. Then when we scan your server we also connect to this probe.cfm, which allows us to get information such as the exact ColdFusion version number (though we can usually determine this with out the probe), the JVM version, which hotfix jar files have been installed, and it also allows us to get a MD5 sum of certain files.
The addition of the probe allows us to find more potential vulnerabilities on your server, for example we can determine if ColdFusion is running as the SYSTEM, we can determine if you are running a version of the JVM that is selectable to a easy to execute denial of service (we could detect this without the probe, but since that would crash your server, we need to use the probe to detect it).
We launched the probe feature in HackMyCF several months ago, however it has been a somewhat soft launch (we haven't been promoting it too much yet). It has been in use now by lots of customers and is pretty solid (we haven't to update the probe.cfm file, even this latest feature uses existing functionality).
Like this? Follow me ↯Tweet Follow @pfreitag
Determining Which Cumulative Hotfixes are Installed on ColdFusion was first published on September 20, 2011.
If you like reading about coldfusion, security, hotfixes, hackmycf, or cumulative then you might also like:
- Fixinator and Foundeo Security Bundle
- New HackMyCF Features
- HackMyCF Updated for APSB11-29 Security Hotfix
- HackMyCF.com Now Detects BlazeDS Vulnerability
- You May Need to Reapply CF Security Hotfix CVE-2009-1877
- ColdFusion Server Security Scanner
- ColdFusion 2020 Developer Week - Securing CF
- CFSummit 2016 Slides
The FuseGuard Web Application Firewall for ColdFusion & CFML is a high performance, customizable engine that blocks various attacks against your ColdFusion applications.