5 Replies Latest reply on Apr 4, 2013 3:26 AM by YASHAS R R

    Conflicting Information

    D.D.Jackson

      I'm an Information Security Analyst and currently I'm trying to strengthen our ColdFusion hardening standards, and I have an issue that I need to understand.


      I'm referencing two separate Adobe documents.


      First document:

      ColdFusion 9 Lockdown Guide

      Recommends:

      Page 16 of 35. Do not enable RDS. Click next...


      Next document:

      Security Advisory for ColdFusion

      Release date: January 4, 2013

      Last updated: January 16, 2013

      Vulnerability identifier: APSA13-01


      Recommends:

      • Setting the password for Remote Development Services (even if RDS is disabled)
      • Enabling password protection for RDS
      • Setting the Admin password and enabling password protection for Administrator


      So, Adobe recommends, first, not to enable RDS at all, but then recommends as a "mitigation" enabling RDS (post-installation) to set up a username and password, while the ColdFusion 9 Lockdown Guide says "Do not enable RDS."


      Maybe as a "Remediation", Adobe should just remove RDS since a) they recommend keeping it disabled and b) it's such a vulnerability? Also, I would suggest that the recommendations from the Security Advisory(s) be incorporated into an updated ColdFusion 9 Lockdown Guide.


      I'm sure this cannot be the first time they've heard this.


      Don