Properly locking down ColdFusion instances is a critical responsibility for your IT organization. Security recommendations related to ColdFusion installation and configuration have been expertly covered in several resources, which we will provide links to here.
Since version 10, ColdFusion can be deployed using a secure profile. This feature is intended only for production installations. Servers deployed using secure profile are automatically configured with secure ColdFusion Administrator settings, IP access restrictions, directory security, and a suite of other steps designed to improve the default security posture of a ColdFusion installation. It is a good first step to locking down a production ColdFusion server.
Tip: Secure Profile is only intended for production servers, as the restrictions it imposes are unnecessary for a private development server. However, we recommend that you thoroughly review the settings that Secure Profile imposes on your server. If your application relies on certain services to be available, you may not discover an issue until your code is deployed to your production environment. It is generally recommended to keep development and production server configurations as similar as possible to avoid compatibility issues.
Adobe publishes instructions for hardening a ColdFusion installation for recent versions of the platform. The guide provides step-by-step instructions to enable only necessary services and ensure a hardened installation of ColdFusion. We recommend reading through the entire guide before making any changes on your server, and understanding your own unique security challenges first.
Server Auto-Lockdown (ColdFusion 2018)
Introduced in the 2018 release, Server Auto-Lockdown applies best practices from the lockdown guide to help administrators secure their installations. The process performs all 50+ steps from the lockdown guide automatically and includes rollback support. You can find the installer here.
Updates and security patches are routinely released for supported ColdFusion versions. It is imperative that you keep your installations updated with the latest patches. Since version 10, ColdFusion ships with a server update feature that makes updating a one-click process. When a new update is available, ColdFusion will display a notification in the Administrator header. You can also check the ColdFusion blog for announcements of new patches.
In addition to patching, Adobe regularly releases new versions of the server platform. It is important to understand that Adobe sunsets support on older versions. If you are running an unsupported version of ColdFusion, you are at significant risk. Adobe does not release patches for unsupported versions. If a security vulnerability is discovered, you may have no means of mitigating it. Therefore, it is vital that you keep your server up to date with the latest version of ColdFusion. Adobe offers support for ColdFusion per the following matrix.
Version | General availability | End of core support | End of extended support
Routinely scanning your server for vulnerabilities is a proactive measure you can take to identify weaknesses before they are exploited. One such service we have used successfully is HackMyCF by Foundeo. This service will perform a limited external penetration test to find a series of known ColdFusion configuration issues. Site administrators are notified by email when issues are discovered. We recommend this service.
ColdFusion is only one attack surface in your infrastructure. It is necessary to also surface potential issues throughout the rest of your stack. For more thorough penetration testing to include the network tier, web server, and more, please contact Convective.
One of the most important recommendations we make to clients regarding security revolves around database queries. Restricting what operations your database will execute and what parameters it will accept are critical to reducing risk.
First, head over to the Datasource Settings in the ColdFusion Administrator. Under the Advanced settings for your data source, verify that only required operations (UPDATE, etc.) are enabled. For example, if you do not require DROP operations in your application, disable that capability here. This reduces the set of data-altering operations that can be performed against your database.
SQL injection attacks are another vulnerability for data-driven applications. An attacker passes a malformed string to your ColdFusion server in a request; if that string is concatenated into a query, the attacker can run arbitrary SQL against your database. This attack is not specific to ColdFusion servers, but ColdFusion does provide a simple mechanism to mitigate it. Developers writing SQL must be cognizant of the <cfqueryparam> tag available in ColdFusion. By wrapping EVERY parameter passed within a <cfquery> tag (parameterizing), three important goals can be achieved.
- Parameterized SQL does not suffer from the SQL injection vulnerability. Malicious SQL cannot be executed from within a properly parameterized value.
- SQL parameters must adhere to a specific type. This enforces business logic and the type safety of your data.
- Parameterization improves the database's ability to cache query plans, which can lead to performance gains on the database.
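The following is an added illustration, not code from the original article. It shows the same lookup written without and then with <cfqueryparam>, and comments mark where each of the three goals above is met. The datasource name appDSN, the products table and its columns are assumptions.

```cfml
<!--- Added example, not from the original article. Assumes a datasource
      named "appDSN" with a "products" table (id INT, name VARCHAR(100),
      category VARCHAR(50)); all three are hypothetical names. --->

<!--- BEFORE: url.id is interpolated straight into the SQL text. Whatever
      the client sends becomes part of the statement, so the database
      cannot tell data from code. This is the injectable form. --->
<cfquery name="product" datasource="appDSN">
    SELECT id, name, category
    FROM products
    WHERE id = #url.id#
</cfquery>

<!--- AFTER: every external value goes through <cfqueryparam>.
      1. The value is sent as a bind parameter, never as SQL text, so it
         cannot alter the statement (injection goal).
      2. cfsqltype="cf_sql_integer" rejects non-numeric input with a
         ColdFusion error before the database is ever called (type goal).
      3. The SQL text is now constant, so the database can reuse its
         cached execution plan across requests (caching goal). --->
<cfquery name="product" datasource="appDSN">
    SELECT id, name, category
    FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String input: maxlength bounds the value to the column width, so an
      oversized string is rejected instead of being passed through. --->
<cfquery name="search" datasource="appDSN">
    SELECT id, name
    FROM products
    WHERE category = <cfqueryparam value="#form.category#"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="50">
</cfquery>

<!--- IN (...) lists: list="true" binds each element of a comma-separated
      value as its own parameter rather than pasting the list into the SQL. --->
<cfquery name="selected" datasource="appDSN">
    SELECT id, name
    FROM products
    WHERE id IN (<cfqueryparam value="#form.ids#"
                                cfsqltype="cf_sql_integer"
                                list="true">)
</cfquery>

<!--- The same parameterization in script syntax (queryExecute, ColdFusion 11+).
      Named placeholders (:id) are bound with the same cfsqltype checks. --->
<cfscript>
    product = queryExecute(
        "SELECT id, name, category FROM products WHERE id = :id",
        { id: { value: url.id, cfsqltype: "cf_sql_integer" } },
        { datasource: "appDSN" }
    );
</cfscript>
```

On a real server the first query should be replaced, not kept alongside the second; it is shown only so the difference is visible. One caveat: <cfqueryparam> binds values only. Table names, column names and ORDER BY direction cannot be bound, so if those vary per request they must be chosen from a server-side allow-list rather than taken from the request.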
We strongly recommend parameterizing all SQL statements with the