10 Replies Latest reply: Nov 1, 2012 9:28 AM by Steve Sommers

    CF MX7 PCI Scanning Result

    Lateral Thinking

      Hi,

      I am using Macromedia ColdFusion MX7 on my server and I am new to ColdFusion. I am using ColdFusion for the admin side of my website, and when I ran my site through PCI scanning (security checks), the rating was 4.3 red. The major issues are:

      1. Apply the hotfixes referenced in Adobe advisory (APSB12-15).

      2. Apply the hotfixes referenced in Adobe's advisory.

      3. Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.


      And they mentioned codes like CVE-2012-2041, CVE-2011-0580, CVE-2009-1875, CVE-2009-1872.


      I tried the below URLs as they gave them:

      http://www.dsecrg.com/pages/vul/show.php?id=122

      http://www.adobe.com/support/security/bulletins/apsb09-12.html


      In these URL references, they have given solutions for the CF 7.0.2, CF8 and CF8.0.1 versions, but I am using CF MX7.

      For this:

      1. In which version should I try to solve these issues, or are there any sites available for version CF MX7?

      2. Is any other solution available for the above errors?

      3. To fix the above issues, do I need to follow all the instructions separately for every error?


      I am really stuck on this; please guide me to overcome this issue. Many thanks in advance.


      Regards,

      Samsul hudha .M.Y

        • 1. Re: CF MX7 PCI Scanning Result
          BKBK CommunityMVP

          In my opinion you need to do 2 things to continue to use MX7 securely.


          1) Apply Upgrade 2 of ColdFusion MX7, raising the version to MX7.0.2. That was the last and best version.

          2) Apply the latest hotfixes for MX7.0.2.


          However, with the coming of ColdFusion 10, Adobe appears to have removed all MX7 downloads from their web sites. Contact Adobe customer support and ask them to provide you with the downloads. As an alternative, you might want to migrate your application to a more recent version of ColdFusion.

          • 2. Re: CF MX7 PCI Scanning Result
            Lateral Thinking Community Member

            Hi,

            Thanks for your reply,

            Because it is a live server, I am not able to upgrade my ColdFusion, and I will get the files from Adobe customer support. After getting the downloaded files, shall I follow the steps as given in the URL (http://www.adobe.com/support/security/bulletins/apsb09-12.html, for CF 7.0.2) for my CF MX7?

            • 4. Re: CF MX7 PCI Scanning Result
              Peter Freitag CommunityMVP

              In my opinion you cannot be PCI compliant on CF 7; it is an End of Life product for Adobe (see http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#63), meaning they no longer support or patch it, and there are security vulnerabilities that have come out leaving CF7 unpatched. You will need to upgrade to CF9 or 10 (CF8 is now end of life too, unless you have an extended support plan).

              • 5. Re: CF MX7 PCI Scanning Result
                Lateral Thinking Community Member

                Hi Peter,

                Thanks for your reply,

                Actually, the ColdFusion site is running on the internet and I am not able to stop my business through the website, but in the meantime I also need a PCI compliance pass result.

                Is there any possibility of solving my issues without upgrading the CF version?

                Please guide me to overcome this issue.

                Regards,

                Samsul

                • 6. Re: CF MX7 PCI Scanning Result
                  carl type3 Community Member

                  CF7.0.2 would be using Java 1.4.2_09. With Java 1.6 nearing EOL I expect Java 1.4 would be well out of compliance.

                  Regards, Carl.

                  • 7. Re: CF MX7 PCI Scanning Result
                    Lateral Thinking Community Member

                    Hi Carl,

                    Thanks for your reply. I am not clear on your answer; could you please explain?

                    Regards,

                    Samsul

                    • 8. Re: CF MX7 PCI Scanning Result
                      BKBK CommunityMVP

                      Is there any possibility of solving my issues without upgrading the CF version?

                      No. Software product lifecycles get shorter and shorter every day. For example, you are on CF MX7, which is very much out of date (the current version is 10). It had a lot of things wrong with it, which were fixed in the best MX7 version, namely MX7.0.2. Therefore you cannot be compliant without at least upgrading to MX7.0.2.


                      But then you will be immediately confronted with the issue Peter mentioned: end-of-life of MX7. I consider that the best, perhaps the only, solution is to migrate your application to ColdFusion 9 or 10.


                      You can go about it as follows. Let your MX7 site continue to do business as usual. Migrate a copy of the site to ColdFusion 9 or 10 on a development or test server, depending on your software environment. You now have the opportunity to make the site as compliant as you wish it to be.


                      Do the migration as a project. That will compel you to examine important factors like bottle-necks, risks and so on. The project plan should include your schedules for migration, testing and finally going into production.

                      • 9. Re: CF MX7 PCI Scanning Result
                        Adam Cameron. Community Member

                        Bottom line: You can't have both of these:

                        1. I am not able to stop my business through the website
                        2. I also need a PCI compliance pass result


                        You need to decide which you want. If you cannot interrupt your server so you can upgrade it, you cannot get PCI compliance. If you must have PCI compliance, you need to upgrade your server, which will mean downtime.


                        As BKBK suggested (and this should be the practice for any CF version upgrade) you should have a lab server which is a copy of your live server, upgrade that, test it thoroughly, make sure it's A-OK to go live, then swap the two over. This will still require a small amount of downtime, but not much.


                        I would check to see if it's even possible to get PCI compliance on 7.0.2, because I doubt it. So it would probably be a waste of time to even bother with that. You ought to go to a minimum of CF9, but consider CF10 instead, as this will give you the greatest longevity. The upgrade from 7.0.2 to either 9 or 10 will be similar, although the architecture of 10 has changed from JRun to Tomcat, so that's one complexity that might push you in the direction of CF9 instead.


                        However, if you are new to CF as you say, you are out of your depth with this, and you should get someone who has appropriate CF server config experience to do it for you. This is not a job for a newbie.


                        --

                        Adam

                        • 10. Re: CF MX7 PCI Scanning Result
                          Steve Sommers Community Member

                          RE: The upgrade from 7.0.2 to either 9 or 10 will be similar, although the architecture of 10 has changed from JRun to Tomcat, so that's one complexity that might push you in the direction of CF9 instead.


                          Based on my brief (failed) experience with CF10, and all the various reported problems I see in this forum and others, I would not recommend CF10. I highly recommend CF9, though. I don't think I would bother trying to patch your existing CF7. But you will need someone with experience; proper configuration on a live server can be challenging, even for the experienced.