Hi,
I am using Macromedia ColdFusion MX7 on my server and I am new to ColdFusion. I am using ColdFusion for my website's admin side, and when I ran my site through PCI scanning (security checks), the rating was 4.3 red. The major issues are:
1. Apply the hotfixes referenced in Adobe advisory (APSB12-15)
2. Apply the hotfixes referenced in Adobe's advisory.
3. Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.
And they mentioned codes like CVE-2012-2041, CVE-2011-0580, CVE-2009-1875, CVE-2009-1872.
I tried the URLs below as they gave them:
http://www.dsecrg.com/pages/vul/show.php?id=122
http://www.adobe.com/support/security/bulletins/apsb09-12.html
By these URL references, they have given solutions for CF 7.0.2, CF8 and CF8.0.1, but I am using CF MX7.
For this,
1. In which version should I try to solve these issues, or are there any sites available for version CF MX7?
2. Is any other solution available for the above errors?
3. To fix the above issues, do I need to follow all the instructions separately for every error?
I am really stuck on this; please guide me to get over this issue, and many thanks in advance.
Regards,
Samsul hudha .M.Y
In my opinion you need to do 2 things to continue to use MX7 securely.
1) Apply Upgrade 2 of ColdFusion MX7, raising the version to MX7.0.2. That was the last best version.
2) Apply the latest hotfixes for MX7.0.2.
However, with the coming of ColdFusion 10, Adobe appears to have removed all MX7 downloads from their web sites. Contact Adobe customer support and ask them to provide you with the downloads. As an alternative, you might want to migrate your application to a more recent version of ColdFusion.
Hi,
Thanks for your reply.
Because it is a live server I cannot upgrade my ColdFusion, and I will get the files from Adobe customer support. After getting the downloaded files, shall I follow the steps as given in the URL (http://www.adobe.com/support/security/bulletins/apsb09-12.html for CF 7.0.2) for my CF MX7?
OK
In my opinion you cannot be PCI compliant on CF 7; it is an End of Life product for Adobe (see http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#63), meaning they no longer support or patch it, and there are security vulnerabilities that have come out leaving CF7 unpatched. You will need to upgrade to version CF9 or 10 (CF8 is now end of life too unless you have an extended support plan).
Hi Peter,
Thanks for your reply.
Actually, the ColdFusion site is running on the internet and I cannot stop my business through the website, but in the meantime I also need a PCI compliance pass result.
Is there any possibility to solve my issues without upgrading the CF version?
Please guide me to get over this issue.
Regards,
Samsul
CF7.0.2 would be using Java 1.4.2_09. With Java 1.6 nearing EOL I expect Java 1.4 would be well out of compliance.
Regards, Carl.
Hi Carl,
Thanks for your reply. I am not clear on your answer; could you please explain?
Regards,
Samsul
Bottom line: You can't have both of these:
You need to decide which you want. If you cannot interrupt your server so you can upgrade it, you cannot get PCI compliance. If you must have PCI compliance, you need to upgrade your server which will mean downtime.
As BKBK suggested - and this should be the practice for any CF version upgrade - you should have a lab server which is a copy of your live server, upgrade that, test it thoroughly, make sure it's A-OK to go live, then swap the two over. This will still require a small amount of downtime, but not much.
I would check to see if it's even possible to get PCI compliance on 7.0.2, because I doubt it. So it would probably be a waste of time to even bother with that. You ought to go to a minimum of CF9, but consider CF10 instead as this will give you the greatest longevity. The upgrade from 7.0.2 to either 9 or 10 will be similar, although the architecture of 10 has changed from JRun to Tomcat, so that's one complexity that might push you in the direction of CF9 instead.
However if you are new to CF as you say, you are out of your depth with this, and you should get someone who has appropriate CF server config experience to do it for you. This is not a job for a newbie.
--
Adam
RE: The upgrade from 7.0.2 to either 9 or 10 will be similar, although the architecture of 10 has changed from JRun to Tomcat, so that's one complexity that might push you in the direction of CF9 instead.
Based on my brief (failed) experience with CF10, and all the various reported problems I see in this forum and others, I would not recommend CF10. I highly recommend CF9 though. I don't think I would bother trying to patch your existing CF7. But you will need someone with experience, and proper configuration on a live server can be challenging, even for the experienced.
Is there any possibility to solve my issues without upgrading the CF version?
No. Software product lifecycles get shorter and shorter every day. For example, you are on CF MX7, which is very much out of date (the current version is 10). It had a lot of things wrong with it, which were fixed in the best MX7 version, namely MX7.0.2. Therefore you cannot be compliant without at least upgrading to MX7.0.2.
But then you will be immediately confronted with the issue Peter mentioned: end-of-life of MX7. I consider that the best, perhaps the only, solution is to migrate your application to ColdFusion 9 or 10.
You can go about it as follows. Let your MX7 site continue to do business as usual. Migrate a copy of the site to ColdFusion 9 or 10 on a development or test server, depending on your software environment. You now have the opportunity to make the site as compliant as you wish it to be.
Do the migration as a project. That will compel you to examine important factors like bottlenecks, risks and so on. The project plan should include your schedules for migration, testing and finally going into production.