Updating/Hotfixing ColdFusion 10, 9 and 8: Tips and Traps
In this session, veteran CF Troubleshooter Charlie Arehart will share some tips, tricks, and traps with respect to updating ColdFusion 10 as well as applying hotfixes in CF 9 and 8. There's a lot more to it than meets the eye.
First Charlie will discuss the new update mechanism in CF10. While it's "just a single button" now, there are still lots of ins and outs, including some unexpected quirks that arose after the release of CF10, so that it's really not (for now) that simple. Then there are some other gotchas that can trip people up, and while there is ample documentation of these things, the sad fact is that few notice or read it. So in the first part of the talk, Charlie will review the ins and outs of updating CF10, with the hope that someday it may well really be that simple one-button operation.
Then Charlie will discuss the process of updating CF9 and 8 (and by association, CF7 and 6, so those running one of those releases will still benefit, but those are quite old and have their own vagaries which we will not have time to discuss). Again, on the surface, updating CF 9 and 8 should be pretty simple: you apply a hotfix. But as anyone who has done them will tell you, in recent years it became anything but simple. There are matters to note regarding individual hotfixes, cumulative hotfixes, and, separately, security hotfixes. Charlie will also discuss the available "Unofficial Updater" which can ease the process on CF 8 and 9.
But Charlie will also explain a serious potential gotcha with that tool, one that can even burn those on CF10 (or those who do manual hotfixing of CF 9, 8, etc.): you may have multiple CFIDE folders. If you don't update all of them, you can easily find things busted. The good news is that with knowledge comes power, and in his consulting practice Charlie finds that once most folks are made aware of a few key points about the ins and outs of the CF update process, they can and do get updates applied more successfully from then forward.
Locking down the #ColdFusion Administrator: Your First Line of Defense Against Hackers
You've (hopefully) heard about the recent spate of attacks on CF servers. Some have even made the national news. And Adobe has indeed come out with a flurry of recent security hotfixes to address those. But as experienced admins will tell you, so many of those attacks could have been foiled if the admins had just taken the precaution to lock down their CF Admin from public access. Don't misunderstand: this is not saying that those hacked had no CF Admin password. The problem is that if your CF Admin login page is open to the public, you are vulnerable.
And while Adobe has closed more and more vulnerabilities related to this, what if a new zero-day attack comes out? Or what if you fail to apply the update, or fail to apply it correctly? Or what if you are on CF8 or earlier, where no more hotfixes are being offered? More than anything, what if you could take one precaution that would have stopped nearly all of the recent attacks, even without Adobe hotfixes in place? And would you be surprised that this is a precaution that Adobe has warned about for years (in security guidelines going back to CF8)?
In this session, veteran CF troubleshooter Charlie Arehart will explain how and why you should lock down public access to the ColdFusion Administrator login screen as well as some other key vulnerable folders. He'll discuss doing it through all the ways that your admin may be accessible, whether an external web server like IIS or Apache, or the internal CF web server. Indeed, don't think you're covered because you already have "locked things down". Charlie will show some ways that you may still be vulnerable despite your own efforts. With even just a little more knowledge than you may have now, you can protect yourself far more effectively.
About Charlie Arehart
A veteran ColdFusion developer and troubleshooter since 1997 with more than three decades in enterprise IT, Charlie Arehart (@carehart) is a longtime contributor to the community and has for several years been a recognized Adobe Community Professional, Adobe Forums MVP, ColdFusion Customer Advisory Board member, and more. An independent consultant, he provides short-term, remote, on-demand troubleshooting/tuning assistance for organizations of all sizes and CF experience levels (carehart.org/consulting).
Besides running the 2800-member Online ColdFusion Meetup (coldfusionmeetup.com, an online CF user group), he also hosts the UGTV repository of recorded presentations from hundreds of speakers (carehart.org/ugtv), the CF411 site of over 1800 tools/resources for CFers (cf411.com), and the CF911 site of troubleshooting resources (cf911.com and @cf911). A certified Advanced CF Developer and Instructor for each version since CF 4, Charlie's spoken at nearly all the CF conferences worldwide and has been a contributor to all three volumes of Ben Forta's ColdFusion 8 and 9 WACK books, and the new CF10 WACK book.