“Core Support” for ColdFusion 10 ends on May 16, 2017. That means Adobe will release no more security patches or updates for this version of ColdFusion after mid-May 2017. The detailed timelines are mentioned here in the EOL Matrix.
What is Core Support, then? Core Support is the time frame in which the product and the support programs are available. It provides five years of product support from the general availability date of a product.
General availability is the date when the product and the support programs are announced and available for purchase.
Extended Support provides an additional two years of Platinum Maintenance and Support services after the end of Core Support. Extended Maintenance and Support provides the extra time you may need to plan your migration to Adobe’s latest technology. Here is the source.
So, if you are on version 10 or earlier, it’s the right time to upgrade. This keeps you eligible to receive security updates and patches from Adobe for the supported versions of ColdFusion as and when they are released.
We understand that your server might have been compromised. This is a critical situation, and there are some preventive measures that should be taken. First of all, scan your site at http://hackmycf.com/. If the scan report shows any vulnerability, contact the Adobe Product Security Incident Response Team at PSIRT(at)adobe(dot)com with the scan results.
What you can try at your end
There are a few sanity checks that may help you. They will not fix your application against the vulnerability, but they can help identify whether the server is compromised or not.
You can try the following:
- Check the application.cfm and remove any unwanted code added by this attack.
- Check if there are any unwanted files in your web root or in /CFIDE directory and remove them if present. This means that if there are h.cfm or i.cfm or any other unwanted files present, please remove them immediately.
- Also check for unwanted modifications to any of your files. You should be able to find them by looking at the file timestamps; remove any unwanted code added by this attack.
- Check if there is any unwanted scheduled task created in the administrator. If there is any, please remove that immediately.
- Once done with the above steps, please go through the latest Security bulletin http://helpx.adobe.com/security.html#coldfusion.
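The file checks in the list above (one-letter files such as h.cfm or i.cfm, recently changed timestamps, a modified application.cfm) can be scripted so they run the same way on every server. The following Python example is added here and is not Adobe's tooling; the function names, the reason labels, and the rule that any one-character .cfm name deserves review are assumptions, and the sample tree is constructed for the demonstration.

```python
import os
import re
import tempfile
import time

CFML_EXT = {".cfm", ".cfml", ".cfc"}
# h.cfm and i.cfm are the names given in the post; flagging every
# one-character base name is an assumption made for this example.
SHORT_NAME = re.compile(r"^[a-z0-9]\.cfm$", re.IGNORECASE)


def triage(webroot, since_epoch):
    """Return sorted (relative_path, reasons) for CFML files needing review."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in CFML_EXT:
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if SHORT_NAME.match(name):
                reasons.append("short-name")
            if os.stat(path).st_mtime >= since_epoch:
                reasons.append("modified-since-cutoff")
                if name.lower() in ("application.cfm", "application.cfc"):
                    reasons.append("application-file-changed")
            if reasons:
                rel = os.path.relpath(path, webroot).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def demo():
    """Run triage over a constructed tree (sample data, not a real server)."""
    now = time.time()
    old = now - 90 * 86400
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "CFIDE"))
        sample = {"index.cfm": old, "Application.cfm": now,
                  "CFIDE/h.cfm": now, "CFIDE/i.cfm": old, "logo.png": now}
        for rel, mtime in sample.items():
            path = os.path.join(root, *rel.split("/"))
            open(path, "w").close()
            os.utime(path, (mtime, mtime))
        return triage(root, now - 7 * 86400)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real server, call `triage()` with your web root and a cutoff taken from your last known-good deployment, and review each reported file by hand before removing anything, since timestamps can be altered.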
Adobe recommends that ColdFusion customers update their installation using the instructions provided in the technote (as of today) http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-27.html.
It is also recommended that you apply the Lockdown guide on your server.
Some quick links
ColdFusion 11 lockdown guide: http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf11/cf11-lockdown-guide.pdf
ColdFusion 10 lockdown guide: http://wwwimages.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf10/cf10-lockdown-guide.pdf
ColdFusion 9 lockdown guide: http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf
Note: All the above suggestions are preliminary ones, and there could be other action items as well.