5 Replies Latest reply on Apr 4, 2013 3:26 AM by YASHAS R R

    Conflicting Information


      I'm an Information Security Analyst and currently I'm trying to strengthen our ColdFusion hardening standards, and I have an issue that I need to understand.


      I'm referencing two separate Adobe documents:


      First document:

      ColdFusion 9 Lockdown Guide


      Page 16 of 35: "Do not enable RDS. Click next..."


      Next document:

      Security Advisory for ColdFusion

      Release date: January 4, 2013

      Last updated: January 16, 2013

      Vulnerability identifier: APSA13-01



      • Setting the password for Remote Development Services (even if RDS is disabled)
      • Enabling password protection for RDS
      • Setting the Admin password and enabling password protection for Administrator


      So, Adobe recommends, first, not to enable RDS at all, but then recommends as a "mitigation" enabling RDS (post-installation) to set up a username and password, while the ColdFusion 9 Lockdown Guide says "Do not enable RDS."


      Maybe as a "remediation", Adobe should just remove RDS, since a) they recommend keeping it disabled and b) it's such a vulnerability?  Also, I would suggest that the recommendations from the Security Advisories be incorporated into an updated ColdFusion 9 Lockdown Guide.


      I'm sure this cannot be the first time they've heard this.
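Added example (not from the post above and not Adobe's code): a small Python audit that checks both things the two documents talk about on the same server, whether the RDS servlet is still mapped in web.xml (what the Lockdown Guide means by "enable RDS") and whether the neo-security.xml flags and passwords from the advisory's mitigation list are set. The file layouts, the `RDSServlet` servlet name and the `rds.security.enabled`, `rds.password`, `admin.security.enabled` and `admin.password` keys are assumed from the ColdFusion 9 configuration files; the two sample documents embedded below are constructed, and the password values in them are placeholders rather than real hashes.

```python
"""Audit ColdFusion 9 config files for the APSA13-01 RDS/Administrator
mitigations. Added example, not Adobe's code. Assumed layouts: neo-security.xml
is a WDDX packet of <var name=...> entries; web.xml maps RDSServlet to a URL."""
import xml.etree.ElementTree as ET

# Assumed neo-security.xml keys (ColdFusion 9 layout).
RDS_PROTECTED = "rds.security.enabled"
RDS_PASSWORD = "rds.password"
ADMIN_PROTECTED = "admin.security.enabled"
ADMIN_PASSWORD = "admin.password"
RDS_SERVLET = "RDSServlet"  # assumed servlet-name in web.xml


def _local(tag):
    """Strip an XML namespace prefix: '{ns}servlet-mapping' -> 'servlet-mapping'."""
    return tag.rsplit("}", 1)[-1]


def parse_wddx_vars(xml_text):
    """Flatten the <var name=...> entries of a WDDX packet into a dict.
    Booleans become bool; everything else becomes its (stripped) text."""
    values = {}
    for var in ET.fromstring(xml_text).iter("var"):
        child = next(iter(var), None)
        if child is None:
            continue
        if child.tag == "boolean":
            values[var.get("name")] = child.get("value", "").lower() == "true"
        else:
            values[var.get("name")] = (child.text or "").strip()
    return values


def rds_servlet_mapped(web_xml_text):
    """True if web.xml still has a servlet-mapping for RDSServlet, i.e. RDS
    is reachable regardless of what neo-security.xml says."""
    for elem in ET.fromstring(web_xml_text).iter():
        if _local(elem.tag) != "servlet-mapping":
            continue
        names = [c.text.strip() for c in elem
                 if _local(c.tag) == "servlet-name" and c.text]
        if RDS_SERVLET in names:
            return True
    return False


def audit(neo_security_xml, web_xml):
    """Return a list of findings; an empty list means both documents' advice
    is satisfied (RDS not mapped, and passwords set/protected anyway)."""
    cfg = parse_wddx_vars(neo_security_xml)
    issues = []
    if rds_servlet_mapped(web_xml):
        issues.append("RDS servlet is mapped in web.xml (Lockdown Guide: do not enable RDS)")
    if not cfg.get(RDS_PASSWORD):
        issues.append("RDS password is empty (advisory: set it even if RDS is disabled)")
    if not cfg.get(RDS_PROTECTED, False):
        issues.append("RDS password protection is disabled")
    if not cfg.get(ADMIN_PASSWORD):
        issues.append("Administrator password is empty")
    if not cfg.get(ADMIN_PROTECTED, False):
        issues.append("Administrator password protection is disabled")
    return issues


# Constructed samples: a weak install beside a hardened one.
WEAK_NEO_SECURITY = """<wddxPacket version='1.0'><header/><data>
<struct type='coldfusion.server.ConfigMap'>
<var name='rds.security.enabled'><boolean value='false'/></var>
<var name='rds.password'><string></string></var>
<var name='admin.security.enabled'><boolean value='false'/></var>
<var name='admin.password'><string></string></var>
</struct></data></wddxPacket>"""

HARDENED_NEO_SECURITY = """<wddxPacket version='1.0'><header/><data>
<struct type='coldfusion.server.ConfigMap'>
<var name='rds.security.enabled'><boolean value='true'/></var>
<var name='rds.password'><string>PLACEHOLDER_RDS_HASH</string></var>
<var name='admin.security.enabled'><boolean value='true'/></var>
<var name='admin.password'><string>PLACEHOLDER_ADMIN_HASH</string></var>
</struct></data></wddxPacket>"""

WEAK_WEB_XML = """<web-app>
<servlet><servlet-name>RDSServlet</servlet-name>
<servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class></servlet>
<servlet-mapping><servlet-name>RDSServlet</servlet-name>
<url-pattern>/CFIDE/main/ide.cfm</url-pattern></servlet-mapping>
</web-app>"""

# Lockdown step: the mapping is commented out, so the servlet is unreachable.
HARDENED_WEB_XML = """<web-app>
<servlet><servlet-name>RDSServlet</servlet-name>
<servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class></servlet>
<!-- <servlet-mapping><servlet-name>RDSServlet</servlet-name>
<url-pattern>/CFIDE/main/ide.cfm</url-pattern></servlet-mapping> -->
</web-app>"""

if __name__ == "__main__":
    for label, neo, web in (("weak", WEAK_NEO_SECURITY, WEAK_WEB_XML),
                            ("hardened", HARDENED_NEO_SECURITY, HARDENED_WEB_XML)):
        print(label, audit(neo, web) or ["OK"])
```

On a real server you would read the two files from the ColdFusion instance's `lib/` and `WEB-INF/` directories and pass their contents to `audit()`; the point of checking both files together is that the servlet mapping and the password settings are independent controls, which is why the two documents can each be followed without contradiction.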