April 3, 2013
Question

Conflicting Information

  • April 3, 2013
  • 2 replies
  • 913 views

I'm an Information Security Analyst and currently I'm trying to strengthen our ColdFusion hardening standards, and I have an issue that I need to understand.

I'm referencing two separate Adobe documents,

First document:

ColdFusion 9 Lockdown Guide

Recommends:

Page 16 of 35. Do not enable RDS. Click next...

Next document:

Security Advisory for ColdFusion

Release date: January 4, 2013

Last updated: January 16, 2013

Vulnerability identifier: APSA13-01

Recommends:

  • Setting the password for Remote Development Services (even if RDS is disabled)
  • Enabling password protection for RDS
  • Setting the Admin password and enabling password protection for Administrator

So, Adobe recommends, first, not to enable RDS at all, but then recommends as a "mitigation" enabling RDS (post installation) to set up a username and password, while the ColdFusion 9 Lockdown Guide says "Do not enable RDS."

Maybe as a "Remediation", Adobe should just remove RDS since a) they recommend keeping it disabled and b) it's such a vulnerability? Also, I would suggest that the recommendations from the Security Advisory(s) be incorporated into an updated ColdFusion 9 Lockdown Guide.

I'm sure this cannot be the first time they've heard this.

Don


    April 4, 2013

    Hi Jackson,

    Security Advisory says "Enable Password protection for RDS" and not to "Enable RDS". We recommend to set a unique password for RDS and then disable RDS for the Production Environment.

    After the latest security hotfix ASPB 13-03 released on Jan 15th, you can disable and enable RDS in the administrator UI itself.

    Navigate to Security -> RDS

    Turn on the Enable RDS Service (so that you can set a unique password)

    Set the Password

    Turn off the Enable RDS Service

    Regards,

    YASHAS RATTEHALLI

    ADOBE ColdFusion Team

    April 4, 2013

    The above-mentioned steps are precautionary measures which you need to follow to prevent any potential hacks. However, you are quite safe in a production environment even if just RDS is disabled (if your server is fully patched).

    Regards,

    YASHAS RATTEHALLI

    ADOBE ColdFusion Team

    12Robots
    Participating Frequently
    April 3, 2013

    It doesn't say to "Enable RDS", it says "Enable password protection for RDS"

    You can disable RDS by commenting out the servlet mapping in web.xml, but you should still set passwords for RDS on the chance that it ever gets enabled on the server (someone restores the wrong XML files or something). It is best to enable separate RDS usernames and passwords for this.

    You should still keep RDS disabled in production, but this is an example of defense-in-depth. Even if RDS were to become enabled, it would at least be password protected. These documents do not contradict each other.

    Disabling RDS: http://helpx.adobe.com/coldfusion/kb/disabling-enabling-coldfusion-rds-production.html

    Jason
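
The web.xml check Jason describes (RDS disabled by commenting out its servlet mapping), as an added example that is not part of the original thread or Adobe's tooling. It parses a ColdFusion web.xml and reports any servlet-mapping that is still live for an RDS servlet; a mapping wrapped in an XML comment is not an element, so the parser naturally treats it as disabled. The servlet name `RDSServlet` and the URL pattern `/CFIDE/main/ide.cfm` in the constructed samples are assumptions based on ColdFusion's stock web.xml, not values quoted in the thread.

```python
"""Audit a ColdFusion web.xml for an active RDS servlet mapping.

Added example, not code from the thread or from Adobe. Jason's answer
says RDS is disabled by commenting out its servlet mapping in web.xml;
this script verifies that the mapping is really inactive. The servlet
name "RDSServlet" and the "/CFIDE/main/ide.cfm" pattern used in the
constructed samples are assumptions about the stock web.xml.
"""
import sys
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip an XML namespace: '{ns}servlet-mapping' -> 'servlet-mapping'.
    Real web.xml files usually declare a default xmlns."""
    return tag.rsplit("}", 1)[-1]


def active_rds_mappings(web_xml_text: str) -> list:
    """Return (servlet-name, url-pattern) for every live servlet-mapping
    whose servlet-name mentions RDS. Commented-out mappings are XML
    comments, not elements, so they are correctly reported as inactive."""
    root = ET.fromstring(web_xml_text)
    found = []
    for mapping in root.iter():
        if _local(mapping.tag) != "servlet-mapping":
            continue
        name = pattern = ""
        for child in mapping:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "url-pattern":
                pattern = (child.text or "").strip()
        if "rds" in name.lower():
            found.append((name, pattern))
    return found


def rds_disabled(web_xml_text: str) -> bool:
    """True when no RDS servlet-mapping is live in the given web.xml."""
    return not active_rds_mappings(web_xml_text)


# Constructed sample: RDS mapping still live (the state the thread warns about).
RDS_ENABLED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet-mapping>
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>RDSServlet</servlet-name>
    <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample: the same mapping commented out, as Jason describes.
RDS_DISABLED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet-mapping>
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
  </servlet-mapping>
  <!--
  <servlet-mapping>
    <servlet-name>RDSServlet</servlet-name>
    <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
  </servlet-mapping>
  -->
</web-app>
"""


if __name__ == "__main__":
    # Usage: python audit_rds.py /path/to/web.xml  (falls back to the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        live = active_rds_mappings(text)
        print("RDS mapping live: %s" % live if live else "RDS mapping disabled")
    else:
        for label, sample in (("enabled", RDS_ENABLED_WEB_XML),
                              ("disabled", RDS_DISABLED_WEB_XML)):
            print(label, "->", active_rds_mappings(sample))
```

Run it against the server's web.xml after a deployment or restore; a non-empty result means the mapping came back, which is exactly the "someone restores the wrong XML files" case where the separately configured RDS password is the remaining line of defense.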

    April 3, 2013

    Can usernames and passwords be set up/configured without enabling RDS?

    12Robots
    Participating Frequently
    April 3, 2013

    Yes

    jason