Conflicting Information

Guest
Apr 03, 2013

I'm an Information Security Analyst and currently I'm trying to strengthen our ColdFusion hardening standards, and I have an issue that I need to understand.

I'm referencing two separate Adobe documents.

First document:

ColdFusion 9 Lockdown Guide

Recommends:

Page 16 of 35. Do not enable RDS. Click next...

Next document:

Security Advisory for ColdFusion

Release date: January 4, 2013

Last updated: January 16, 2013

Vulnerability identifier: APSA13-01

Recommends:

  • Setting the password for Remote Development Services (even if RDS is disabled)
  • Enabling password protection for RDS
  • Setting the Admin password and enabling password protection for Administrator

So Adobe recommends, first, not enabling RDS at all, but then recommends as a "mitigation" enabling RDS (post-installation) to set up a username and password, while the ColdFusion 9 Lockdown Guide says "Do not enable RDS."

Maybe as a "remediation", Adobe should just remove RDS, since a) they recommend keeping it disabled and b) it's such a vulnerability? Also, I would suggest that the recommendations from the Security Advisories be incorporated into an updated ColdFusion 9 Lockdown Guide.

I'm sure this cannot be the first time they've heard this.

Don

Advocate
Apr 03, 2013

It doesn't say to "Enable RDS"; it says "Enable password protection for RDS".

You can disable RDS by commenting out the servlet mapping in web.xml, but you should still set passwords for RDS on the chance that it ever gets enabled on the server (someone restores the wrong XML files or something). It is best to enable separate RDS usernames and passwords for this.

You should still keep RDS disabled in production, but this is an example of defense-in-depth. Even if RDS were to become enabled, it would at least be password protected. These documents do not contradict each other.

Disabling RDS: http://helpx.adobe.com/coldfusion/kb/disabling-enabling-coldfusion-rds-production.html

Jason

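As an added illustration of the web.xml approach Jason describes (this is not code from the thread or from Adobe), the script below parses a web.xml, reports which servlet-mappings still route to the RDS servlet, and writes a copy with those mappings commented out; the servlet-name "RDSServlet" and the URL pattern in the sample are assumptions, and the web.xml fragment is constructed.

```python
import xml.etree.ElementTree as ET

RDS_SERVLET_NAME = "RDSServlet"  # assumed servlet-name of the RDS servlet in web.xml

# Constructed sample web.xml: one active RDS mapping plus an unrelated one.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet-mapping>
    <servlet-name>RDSServlet</servlet-name>
    <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
  </servlet-mapping>
</web-app>
"""

def _local(tag):
    # Strip the XML namespace ("{uri}name" -> "name"); comments have no str tag.
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""

def _maps_rds(mapping):
    for child in mapping:
        if _local(child.tag) == "servlet-name":
            return (child.text or "").strip() == RDS_SERVLET_NAME
    return False

def active_rds_mappings(web_xml_text):
    """URL patterns of servlet-mappings that still route to the RDS servlet.
    A commented-out mapping is an XML comment, which the parser drops."""
    root = ET.fromstring(web_xml_text)
    return [(c.text or "").strip()
            for m in root.iter() if _local(m.tag) == "servlet-mapping" and _maps_rds(m)
            for c in m if _local(c.tag) == "url-pattern"]

def disable_rds_mapping(web_xml_text):
    """Return web.xml text with every active RDS mapping wrapped in an XML comment."""
    root = ET.fromstring(web_xml_text)
    parents = {c: p for p in root.iter() for c in p}
    for m in list(root.iter()):
        if _local(m.tag) != "servlet-mapping" or not _maps_rds(m):
            continue
        parent, idx = parents[m], list(parents[m]).index(m)
        tail, m.tail = m.tail, None  # keep the surrounding whitespace outside the comment
        comment = ET.Comment(" RDS disabled: " + ET.tostring(m, encoding="unicode") + " ")
        comment.tail = tail
        parent.remove(m)
        parent.insert(idx, comment)
    return ET.tostring(root, encoding="unicode")
```

Running active_rds_mappings over a production web.xml is a quick audit check that the mapping really is commented out rather than merely assumed to be.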
Guest
Apr 03, 2013

Can usernames and passwords be set up/configured without enabling RDS?

Advocate
Apr 03, 2013

Yes.

Jason

Guest
Apr 03, 2013

Hi Jackson,

The Security Advisory says "Enable password protection for RDS" and not "Enable RDS". We recommend setting a unique password for RDS and then disabling RDS for the production environment.

After the latest security hotfix ASPB 13-03, released on Jan 15th, you can disable and enable RDS in the Administrator UI itself.

Navigate to Security -> RDS

Turn on the Enable RDS Service (so that you can set a unique password)

Set the Password

Turn off the Enable RDS Service

Regards,

YASHAS RATTEHALLI

ADOBE ColdFusion Team

Guest
Apr 04, 2013

The above-mentioned steps are precautionary measures which you need to follow to prevent any potential hacks. However, you are quite safe in a production environment even if just RDS is disabled (if your server is fully patched).

Regards,

YASHAS RATTEHALLI

ADOBE ColdFusion Team
