Flaws in updater packages 11, 12 with crashed SQL server connections after Hardening
Hello All,
Will try to document this without the wall of text that would fully explain everything. If anything seems unclear, please ask. Trying to save others from wasting some of the time I have.
Been working on setting up some new production servers, with Windows Server 2022 Standard and Coldfusion 2021 standard. Following the hardening guide as posted on Adobe website.
There are two main issues I have figured out, which may or may not be related under the hood.
Part 1, installing CF2021 and updates:
- Installed with recommendations from the hardening guide, specifically removing all Sub-components and Servlets as recommended on page 9 of the hardening guide.
- Upon completion of the install, create a test SQL Server Datasource and test it works (relevant for part 2 below).
- Check package manager page in Administrator. Latest installer download as of yesterday is at updater 2
- download Updater 11 (relevant for the fix of part 2 below) and Updater 12
- from the command line install Updater 12
- test the datasource from #2 above. it still works.
- run the CF2021 lockdown executable downloaded from Adobe.
- first error: the lockdown executable complains and says check the logs, so the logs say:
- Remote admin component is enabled. Server is not production profile. Please delete the AdminServlet.war from jetty to disable it and try again!
- Wait,... what? the Remote admin component was specifically not installed for this production server.
- Sure enough, in the cfusion folder there is a new "jetty" folder that has components for the HTMLtoPDF, Admin Servlet and SOLR added back in.
- I don't use these components so did not fully test that they are "active" when added back in like this, but from a security standpoint they should not be added in when the original installation did not include them.
- deleted the components from the jetty folder (left the "lib" folder, although it also has some log4j stuff that scares me)
- reran the lockdown exe and everything completed with the logs saying "successfully locked down"
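To catch the jetty-folder surprise from Part 1 before the lockdown tool does, here is an added PowerShell audit script (not part of the original post and not an Adobe tool). It snapshots the cfusion\jetty tree right after the base install and compares it again after each updater, flagging files whose names match the components the post reports being re-added (AdminServlet, SOLR, HTMLtoPDF, log4j). The install root C:\ColdFusion2021\cfusion, the baseline file location and the name patterns are assumptions; adjust them to your server.

```powershell
# Added example: inventory cfusion\jetty before and after a ColdFusion updater so
# that components the installer excluded cannot be added back unnoticed.
# $CfRoot and $BaselineFile are assumptions; adjust to your install.
param(
    [string]$CfRoot       = 'C:\ColdFusion2021\cfusion',               # assumed install root
    [string]$BaselineFile = "$env:ProgramData\cf-jetty-baseline.json", # assumed location
    [ValidateSet('Snapshot', 'Compare')]
    [string]$Mode         = 'Compare'
)

$JettyDir = Join-Path $CfRoot 'jetty'

# Names the post reports as re-added; treated here as the high-risk set (assumed patterns).
$WatchPatterns = @('AdminServlet', 'solr', 'pdf', 'log4j')

function Get-JettyInventory {
    param([string]$Path)
    # No jetty folder at all means none of these components are present.
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    Get-ChildItem -LiteralPath $Path -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($Path.Length).TrimStart('\')
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

switch ($Mode) {
    'Snapshot' {
        # Run immediately after the base install, before any updater.
        $inv = @(Get-JettyInventory -Path $JettyDir)
        ConvertTo-Json -InputObject $inv -Depth 3 |
            Set-Content -LiteralPath $BaselineFile -Encoding UTF8
        Write-Host "Baseline written: $($inv.Count) file(s) under $JettyDir -> $BaselineFile"
    }
    'Compare' {
        # Run after each updater and again after the lockdown tool.
        if (-not (Test-Path -LiteralPath $BaselineFile)) {
            throw "No baseline at $BaselineFile; run with -Mode Snapshot first."
        }
        $baseline = @(Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json)
        $current  = @(Get-JettyInventory -Path $JettyDir)

        # Index the baseline by path+hash; anything not in it is new or modified.
        $known = @{}
        foreach ($b in $baseline) { $known["$($b.RelativePath)|$($b.Sha256)"] = $true }
        $diff = @($current | Where-Object {
            -not $known.ContainsKey("$($_.RelativePath)|$($_.Sha256)")
        })

        if ($diff.Count -eq 0) {
            Write-Host "OK: no files added or changed under $JettyDir"
            exit 0
        }
        foreach ($f in $diff) {
            $hit  = $WatchPatterns | Where-Object { $f.RelativePath -match $_ }
            $flag = if ($hit) { 'HIGH' } else { 'info' }
            Write-Host ("[{0}] {1}" -f $flag, $f.RelativePath)
        }
        Write-Warning "$($diff.Count) file(s) appeared or changed; review before running the lockdown tool."
        exit 1
    }
}
```

Run it once with `-Mode Snapshot` straight after the installer finishes, then with `-Mode Compare` after each updater; a non-zero exit with HIGH entries is the cue to remove the re-added components before the lockdown step, and the same comparison after lockdown confirms nothing else was dropped into the folder.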
Part 2, corrupt/defective MSSQL connections after running Lockdown executable.
1. After the lockdown is complete, go back to datasources and verify your test datasource. It will fail to connect. I did not take down the exact error, but it says the connection is timing out (but it fails instantly).
2. If you are playing along, to fix this - you have to roll back (go back to a snapshot if you have it) at #4 in part 1 above.
3. first install updater 11, test datasource - still works
4. then install updater 12, test datasource - still works
5. then delete extra components from part 1 #7 above, then run lockdown exe.
6. test datasource, still works.
So, in summary (haha), there is something missing/corrupt when going directly to updater 12 from update 2 - that only fails/becomes obvious by running the lockdown exe.
AND - not to be missed, these updaters (and perhaps prior ones that I did not have the time or energy to verify) are adding in components that were specifically excluded from the installer, opening up attack surface area unnecessarily.
Feedback, questions? let me know.
Thanks
