
CF MX7 PCI Scanning Result

Guest
Oct 31, 2012

Hi,

I am using Macromedia ColdFusion MX7 on my server and I am new to ColdFusion. I am using ColdFusion for my website's admin side, and when I ran my site through PCI scanning (security checks), the rating was 4.3 red. The major issues are:

1. Apply the hotfixes referenced in Adobe advisory (APSB12-15).

2. Apply the hotfixes referenced in Adobe's advisory.

3. Restrict access to the vulnerable application; contact the vendor for a patch or upgrade.

And they mentioned codes like CVE-2012-2041, CVE-2011-0580, CVE-2009-1875, CVE-2009-1872.

I tried the URLs below, as they gave them:

http://www.dsecrg.com/pages/vul/show.php?id=122

http://www.adobe.com/support/security/bulletins/apsb09-12.html

Through these URL references, they have given solutions for the CF 7.0.2, CF8 and CF8.0.1 versions, but I am using CF MX7.

For this,

1. In which version should I try to solve these issues, or are there any sites available for version CF MX7?

2. Is any other solution available for the above errors?

3. To fix the above issues, do I need to follow all the instructions separately for every error?

I am really stuck on this; please guide me to overcome this issue. Many thanks in advance.

Regards,

Samsul hudha .M.Y

Community Expert
Oct 31, 2012

In my opinion you need to do 2 things to continue to use MX7 securely.

1) Apply Upgrade 2 of ColdFusion MX7, raising the version to MX7.0.2. That was the last best version.

2) Apply the latest hotfixes for MX7.0.2.

However, with the coming of ColdFusion 10, Adobe appears to have removed all MX7 downloads from their web sites. Contact Adobe customer support and ask them to provide you with the downloads. As an alternative, you might want to migrate your application to a more recent version of ColdFusion.

Guest
Oct 31, 2012

Hi,

Thanks for your reply,

Due to the live server, I am not able to upgrade my ColdFusion, and I will get the files from Adobe customer support. After getting the downloaded files, shall I follow the steps as given in the URL (http://www.adobe.com/support/security/bulletins/apsb09-12.html, for CF 7.0.2) for my CF MX7?

Community Expert
Oct 31, 2012

OK

Enthusiast
Oct 31, 2012

In my opinion you cannot be PCI compliant on CF 7; it is an End of Life product for Adobe (see http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#63), meaning they no longer support or patch it, and there are security vulnerabilities that have come out, leaving CF7 unpatched. You will need to upgrade to version CF9 or 10 (CF8 is now end of life too, unless you have an extended support plan).

Guest
Oct 31, 2012

Hi Peter,

Thanks for your reply,

Actually, the ColdFusion site is running on the internet and I cannot stop my business through the website, but in the meantime a PCI compliance pass result is also needed by me.

Are there any possibilities to solve my issues without upgrading the CF version?

Please guide me to overcome this issue.

Regards,

Samsul

Guide
Oct 31, 2012

CF7.0.2 would be using Java 1.4.2_09. With Java 1.6 nearing EOL I expect Java 1.4 would be well out of compliance.

Regards, Carl.
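Carl's point is that the Java runtime bundled with an old ColdFusion release ages out of support along with it, so a compliance review has to look at the JVM version as well as the CF version. The following Python inventory check is an added example, not code from this thread or from Adobe: it parses legacy "1.x.y_zz" Java version strings into comparable tuples and flags hosts below a minimum. The host names, version strings and the minimum of 1.7.0 are constructed assumptions for illustration, not a statement of what PCI requires.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inventory (hypothetical hosts): the Java runtime each
# ColdFusion instance reports, in the legacy "1.major.minor_update" format.
INVENTORY: Dict[str, str] = {
    "cf7-prod": "1.4.2_09",
    "cf9-test": "1.6.0_35",
    "cf10-lab": "1.7.0_09",
}

# Matches "1.4.2_09", "1.6.0_35" and "1.7.0" (update part optional).
LEGACY_JAVA_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_java_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a legacy Java version string into a numeric (major, minor, micro, update) tuple.

    Comparing the raw strings is wrong: "1.6.0_35" < "1.6.0_4" lexicographically,
    even though update 35 is newer than update 4. Integer tuples order correctly.
    """
    match = LEGACY_JAVA_VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    major, minor, micro, update = match.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def meets_minimum(version: str, minimum: str) -> bool:
    """True when `version` is at or above `minimum` under numeric ordering."""
    return parse_java_version(version) >= parse_java_version(minimum)


def flag_outdated(inventory: Dict[str, str], minimum: str = "1.7.0") -> List[str]:
    """Return the hosts whose JVM is below the minimum, sorted by name."""
    return sorted(host for host, ver in inventory.items() if not meets_minimum(ver, minimum))


if __name__ == "__main__":
    for host in flag_outdated(INVENTORY):
        print(f"{host}: Java {INVENTORY[host]} is below the assumed minimum 1.7.0")
```

The ordering bug the docstring mentions is the edge case worth keeping in mind when such a check is scripted in a hurry: any comparison built on string sorting will misrank update numbers once they pass a single digit.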

Guest
Nov 01, 2012

Hi Carl,

Thanks for your reply. I am not clear on your answer; could you please explain?

Regards,

Samsul

LEGEND
Nov 01, 2012

Bottom line: You can't have both of these:

  1. i cannot able to stop my business through website
  2. PCI compliant pass result also needed

You need to decide which you want.  If you cannot interrupt your server so you can upgrade it, you cannot get PCI compliance.  If you must have PCI compliance, you need to upgrade your server which will mean downtime.

As BKBK suggested - and this should be the practice for any CF version upgrade - you should have a lab server which is a copy of your live server, upgrade that, test it thoroughly, make sure it's A-OK to go live, then swap the two over.  This will still require a small amount of downtime, but not much.

I would check to see if it's even possible to get PCI compliance on 7.0.2, because I doubt it. So it would probably be a waste of time to even bother with that. You ought to go to a minimum of CF9, but consider CF10 instead as this will give you the greatest longevity. The upgrade from 7.0.2 to either 9 or 10 will be similar, although the architecture of 10 has changed from JRun to Tomcat, so that's one complexity that might push you in the direction of CF9 instead.

However if you are new to CF as you say, you are out of your depth with this, and you should get someone who has appropriate CF server config experience to do it for you.  This is not a job for a newbie.

--

Adam

Advocate
Nov 01, 2012

RE: The upgrade from 7.0.2 to either 9 or 10 will be similar, although the architecture of 10 has changed from JRun to Tomcat, so that's one complexity that might push you in the direction of CF9 instead.

Based on my brief (failed) experience with CF10, and all the various reported problems I see in this forum and others, I would not recommend CF10. I highly recommend CF9 though. I don't think I would bother trying to patch your existing CF7. But you will need someone with experience, and proper configuration on a live server can be challenging, even for the experienced.

Community Expert
Nov 01, 2012

Are there any possibilities to solve my issues without upgrading the CF version?

No. Software product lifecycles get shorter and shorter every day. For example, you are on CF MX7, which is very much out of date (the current version is 10). It had a lot of things wrong with it, which were fixed in the best MX7 version, namely MX7.0.2. Therefore you cannot be compliant without at least upgrading to MX7.0.2.

But then you will be immediately confronted with the issue Peter mentioned: end-of-life of MX7. I consider that the best, perhaps the only, solution is to migrate your application to ColdFusion 9 or 10.

You can go about it as follows. Let your MX7 site continue to do business as usual. Migrate a copy of the site to ColdFusion 9 or 10 on a development or test server, depending on your software environment. You now have the opportunity to make the site as compliant as you wish it to be.

Do the migration as a project. That will compel you to examine important factors like bottlenecks, risks and so on. The project plan should include your schedules for migration, testing and finally going into production.
