Determining Which Cumulative Hotfixes are Installed on ColdFusion

It's not always obvious which Cumulative hotfixes are installed on a ColdFusion server. I'm pleased to announce that the paid subscriptions for HackMyCF now let you know which cumulative (non security) hotfixes you have installed, and which ones you don't.

As you may know Adobe released Cumulative Hotfix 2 for ColdFusion 9.0.1 on Friday. So here's what a server that is running cumulative hotfix 1 for 9.0.1 but not cumulative hotfix 2 looks like in a HackMyCF subscription:

The current known limitations of this feature are:

• Not enabled for ColdFusion 8.0.0 or below at this time (does work for 8.0.1 however).
• Requires a paid subscription and the probe installed (not possible on free version).

Also announcing the HackMyCF Probe

The probe is a cfm file that you place on your server, subscribers can specify a url to the cfm file for each server in their account. Then when we scan your server we also connect to this probe.cfm, which allows us to get information such as the exact ColdFusion version number (though we can usually determine this with out the probe), the JVM version, which hotfix jar files have been installed, and it also allows us to get a MD5 sum of certain files.

The addition of the probe allows us to find more potential vulnerabilities on your server, for example we can determine if ColdFusion is running as the SYSTEM, we can determine if you are running a version of the JVM that is selectable to a easy to execute denial of service (we could detect this without the probe, but since that would crash your server, we need to use the probe to detect it).

We launched the probe feature in HackMyCF several months ago, however it has been a somewhat soft launch (we haven't been promoting it too much yet). It has been in use now by lots of customers and is pretty solid (we haven't to update the probe.cfm file, even this latest feature uses existing functionality).