I'm an Information Security Analyst, and currently I'm trying to strengthen our ColdFusion hardening standards, and I have an issue that I need to understand.
I'm referencing two separate Adobe documents:
First document:
ColdFusion 9 Lockdown Guide
Recommends:
Page 16 of 35. Do not enable RDS. Click next...
Next document:
Security Advisory for ColdFusion
Release date: January 4, 2013
Last updated: January 16, 2013
Vulnerability identifier: APSA13-01
Recommends:
So, Adobe first recommends not enabling RDS at all, but then recommends, as a "mitigation", enabling RDS (post-installation) to set up a username and password, while the ColdFusion 9 Lockdown Guide says "Do not enable RDS."
Maybe as a "Remediation", Adobe should just remove RDS, since a) they recommend keeping it disabled and b) it's such a vulnerability? Also, I would suggest that the recommendations from the Security Advisory(ies) be incorporated into an updated ColdFusion 9 Lockdown Guide.
I'm sure this cannot be the first time they've heard this.
Don
It doesn't say to "Enable RDS"; it says "Enable password protection for RDS".
You can disable RDS by commenting out the servlet mapping in web.xml, but you should still set passwords for RDS on the chance that it ever gets enabled on the server (someone restores the wrong XML files or something). It is best to enable separate RDS usernames and passwords for this.
You should still keep RDS disabled in production, but this is an example of defense-in-depth. Even if RDS were to become enabled, it would at least be password protected. These documents do not contradict each other.
Disabling RDS: http://helpx.adobe.com/coldfusion/kb/disabling-enabling-coldfusion-rds-production.html
Jason
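A quick audit check for the web.xml approach described above, added here as an example and not code from the thread or from Adobe. It assumes the RDS servlet is mapped under the servlet name RDSServlet with the URL pattern /CFIDE/main/ide.cfm (both treated as assumptions); the two web.xml fragments are constructed samples, and a mapping wrapped in an XML comment is not parsed, so it correctly reports as disabled.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml fragments, not copied from a real install.
# Servlet name and URL pattern are assumptions about ColdFusion's RDS mapping.
WEB_XML_RDS_ACTIVE = """<web-app>
  <servlet-mapping>
    <servlet-name>RDSServlet</servlet-name>
    <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
  </servlet-mapping>
</web-app>
"""

WEB_XML_RDS_DISABLED = """<web-app>
  <!-- RDS mapping commented out, as the post describes -->
  <!--
  <servlet-mapping>
    <servlet-name>RDSServlet</servlet-name>
    <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
  </servlet-mapping>
  -->
</web-app>
"""

def _local(tag):
    # Strip any XML namespace so the check also works on namespaced web.xml files.
    return tag.rsplit("}", 1)[-1]

def rds_mappings(web_xml_text, servlet_name="RDSServlet"):
    """Return the URL patterns still actively mapped to the RDS servlet.
    Mappings inside XML comments are dropped by the parser, so a
    commented-out mapping counts as disabled."""
    root = ET.fromstring(web_xml_text)
    patterns = []
    for el in root.iter():
        if _local(el.tag) != "servlet-mapping":
            continue
        name = next((c.text.strip() for c in el
                     if _local(c.tag) == "servlet-name" and c.text), "")
        if name == servlet_name:
            patterns += [c.text.strip() for c in el
                         if _local(c.tag) == "url-pattern" and c.text]
    return patterns

def rds_disabled(web_xml_text):
    """True when no active servlet-mapping points at the RDS servlet."""
    return not rds_mappings(web_xml_text)

if __name__ == "__main__":
    for label, doc in (("active", WEB_XML_RDS_ACTIVE), ("disabled", WEB_XML_RDS_DISABLED)):
        print(label, "-> RDS disabled:", rds_disabled(doc), rds_mappings(doc))
```

Point rds_mappings at the contents of the server's own web.xml to confirm the mapping is really gone after editing; a password set in the Administrator is a separate layer and is not visible in this file.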
Can usernames and passwords be set up/configured without enabling RDS?
Yes
Jason
Hi Jackson,
The Security Advisory says "Enable Password protection for RDS" and not to "Enable RDS". We recommend setting a unique password for RDS and then disabling RDS for the production environment.
After the latest security hotfix APSB13-03, released on Jan 15th, you can disable and enable RDS in the Administrator UI itself.
Navigate to Security -> RDS
Turn on the Enable RDS Service (so that you can set a unique password)
Set the Password
Turn off the Enable RDS Service
Regards,
YASHAS RATTEHALLI
ADOBE ColdFusion Team
The above-mentioned steps are precautionary measures which you need to follow to prevent any potential hacks. However, you are quite safe in a production environment even if just RDS is disabled (if your server is fully patched).
Regards,
YASHAS RATTEHALLI
ADOBE ColdFusion Team