Lateral Thinking

CF MX7 PCI Scanning Result

Oct 31, 2012 1:22 AM

Tags: #cf8

Hi,

I am using Macromedia ColdFusion MX7 on my server and I am new to ColdFusion. I am using ColdFusion for the admin side of my website, and when I ran my site through PCI scanning (security checks), the rating was 4.3 red. The major issues are:

1. Apply the hotfixes referenced in Adobe advisory (APSB12-15).

2. Apply the hotfixes referenced in Adobe's advisory.

3. Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.

 

And they mentioned the codes CVE-2012-2041, CVE-2011-0580, CVE-2009-1875 and CVE-2009-1872.

 

I tried the URLs below, as they were given:

http://www.dsecrg.com/pages/vul/show.php?id=122

http://www.adobe.com/support/security/bulletins/apsb09-12.html

 

By these URL references, they have given solutions for the CF 7.0.2, CF8 and CF8.0.1 versions, but I am using CF MX7.

For this,

1. In which version should I try to solve these issues, or are there any sites available for version CF MX7?

2. Is any other solution available for the above errors?

3. To fix the above issues, do I need to follow all the instructions separately for every error?

 

I am really stuck on this. Please guide me to overcome this issue, and many thanks in advance.

 

Regards,

Samsul hudha .M.Y

Replies

  • Oct 31, 2012 1:40 AM   in reply to Lateral Thinking

    In my opinion you need to do 2 things to continue to use MX7 securely.

     

    1) Apply Upgrade 2 of ColdFusion MX7, raising the version to MX7.0.2. That was the last best version.

    2) Apply the latest hotfixes for MX7.0.2.

     

    However, with the coming of ColdFusion 10, Adobe appears to have removed all MX7 downloads from their web sites. Contact Adobe customer support and ask them to provide you with the downloads. As an alternative, you might want to migrate your application to a more recent version of ColdFusion.

  • Oct 31, 2012 6:11 AM   in reply to Lateral Thinking

    OK

  • Oct 31, 2012 12:53 PM   in reply to BKBK

    In my opinion you cannot be PCI compliant on CF 7. It is an End of Life product for Adobe (see http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#6 3), meaning they no longer support or patch it, and there are security vulnerabilities that have come out leaving CF7 unpatched. You will need to upgrade to version CF9 or 10 (CF8 is now end of life too, unless you have an extended support plan).

  • Oct 31, 2012 11:48 PM   in reply to Lateral Thinking

    CF7.0.2 would be using Java 1.4.2_09. With Java 1.6 nearing EOL I expect Java 1.4 would be well out of compliance.

    Regards, Carl.

  • Nov 1, 2012 3:33 AM   in reply to Lateral Thinking

    Is there any possibility of solving my issues without upgrading the CF version?

    No. Software product lifecycles get shorter and shorter every day. For example, you are on CF MX7, which is very much out of date (the current version is 10). It had a lot of things wrong with it, which were fixed in the best MX7 version, namely MX7.0.2. Therefore you cannot be compliant without at least upgrading to MX7.0.2.

     

    But then you will be immediately confronted with the issue Peter mentioned: end-of-life of MX7. I consider that the best, perhaps the only, solution is to migrate your application to ColdFusion 9 or 10.

     

    You can go about it as follows. Let your MX7 site continue to do business as usual. Migrate a copy of the site to ColdFusion 9 or 10 on a development or test server, depending on your software environment. You now have the opportunity to make the site as compliant as you wish it to be.

     

    Do the migration as a project. That will compel you to examine important factors like bottle-necks, risks and so on. The project plan should include your schedules for migration, testing and finally going into production.

  • Nov 1, 2012 3:51 AM   in reply to Lateral Thinking

    Bottom line: You can't have both of these:

    1. I cannot stop my business through the website
    2. A PCI compliance pass result is also needed

     

    You need to decide which you want.  If you cannot interrupt your server so you can upgrade it, you cannot get PCI compliance.  If you must have PCI compliance, you need to upgrade your server which will mean downtime.

     

    As BKBK suggested - and this should be the practice for any CF version upgrade - you should have a lab server which is a copy of your live server, upgrade that, test it thoroughly, make sure it's A-OK to go live, then swap the two over.  This will still require a small amount of downtime, but not much.

     

    I would check to see if it's even possible to get PCI compliance on 7.0.2, because I doubt it. So it would probably be a waste of time to even bother with that. You ought to go to a minimum of CF9, but consider CF10 instead as this will give you the greatest longevity. The upgrade from 7.0.2 to either 9 or 10 will be similar, although the architecture of 10 has changed from JRun to Tomcat, so that's one complexity that might push you in the direction of CF9 instead.

     

    However if you are new to CF as you say, you are out of your depth with this, and you should get someone who has appropriate CF server config experience to do it for you.  This is not a job for a newbie.

    --

    Adam

  • Nov 1, 2012 9:28 AM   in reply to Adam Cameron.

    RE: The upgrade from 7.0.2 to either 9 or 10 will be similar, although the architecture of 10 has changed from JRun to Tomcat, so that's one complexity that might push you in the direction of CF9 instead.

     

    Based on my brief (failed) experience with CF10, and all the various reported problems I see in this forum and others, I would not recommend CF10. I highly recommend CF9 though. I don't think I would bother trying to patch your existing CF7. But you will need someone with experience, as proper configuration on a live server can be challenging, even for the experienced.
