Hello All,
Will try to document this without the wall of text that would fully explain everything. If anything seems unclear, please ask. Trying to save others from wasting some of the time I have.
Been working on setting up some new production servers, with Windows Server 2022 Standard and Coldfusion 2021 standard. Following the hardening guide as posted on Adobe website.
There are two main issues I have figured out, which may or may not be related under the hood.
Part 1, installing CF2021 and updates:
Part 2, corrupt/defective MSSQL connections after running Lockdown executable.
1. After the lockdown is complete, go back to datasources and verify your test datasource. It will fail to connect. I did not take down the exact error, but it says the connection is timing out (but it fails instantly).
2. If you are playing along, to fix this - you have to roll back (go back to a snapshot if you have it) at #4 in part 1 above.
3. First install updater 11, test datasource - still works
4. Then install updater 12, test datasource - still works
5. Then delete extra components from part 1 #7 above, then run lockdown exe.
6. test datasource, still works.
So, in summary (haha), there is something missing/corrupt when going directly to updater 12 from update 2 - that only fails/becomes obvious by running the lockdown exe.
AND - not to be missed, these updaters (and perhaps prior ones that I did not have the time or energy to verify) are adding in components that were specifically excluded from the installer, opening up attack surface area unnecessarily.
Feedback, questions? Let me know.
Thanks
Thanks for the detailed post. While we wait for Adobe or the community to consider all you pose, I'll share some thoughts and what I could or could not confirm.
First, to save readers looking it up, the page 9 he refers to shows screenshots of the cf installer steps involving enabling things like the solr, pdfg, and .net services, and then things like the rds feature, the cf report feature (the servlets he refers to).
And FWIW I'll say I'd never noticed or heard of any cf updates adding back features you disabled there then (or later). I'm also not quite sure it's as you say, but let me explain. There is indeed at least something odd.
Intrigued, I decided to follow along at least part of the way on your trip. 🙂
And I'll note first that you mention that the installer you ran came with update 2. FWIW, there have been four generations of cf2021 installers, the original one, the one with update 2, a later one with update 5, and a recent one with update 11. Which one you get depends on where you find it, including different places on the Adobe site. I happened to run the installer that included update 5.
And I did as you, installing it with none of the optional additional services or servlets. With that, after the install I can confirm I had no cfusion/jetty folder.
Then I did update 12, and indeed it added the jetty folder, which included the wars for the additional services. That is certainly surprising.
But let's note that they were not deployed so they are not "re-enabled", which is a bit of a relief--though still a concern. I also did not find the servlets (rds, cfreport, etc) to be enabled. Did you, really?
Next, like you I did not take time to try intermediate updates, so it's not clear (yet) what update is adding that jetty folder. That's worthy of exploration, sure.
Finally, I also did not do the subsequent steps of adding a sql server dsn or running the autolockdown. It's late for me. Still, I wanted to share what I'd done so far to help you (with some confirmation and clarification) and others (who may be following along). I hope especially someone from Adobe may chime in, but perhaps others will have thoughts.
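A defender's check for the behaviour described in the two posts above (an updater silently adding the cfusion/jetty folder and its WARs back to a minimal install): this is an added example, not Adobe's tooling and not either poster's script. It assumes a ColdFusion install root passed on the command line (for example C:\ColdFusion2021) and a watch list consisting of the cfusion/jetty subtree and any .war file; the directory tree and file names in demo() are constructed. Take a manifest before running each updater and diff it afterwards, which also answers Charlie's open question of which update introduces the folder.

```python
"""Post-update audit of a ColdFusion install tree (added example).

Usage, assumed workflow:
    python cf_audit.py snapshot C:\\ColdFusion2021   # before the updater
    python cf_audit.py compare  C:\\ColdFusion2021   # after the updater
Running it with no arguments executes demo() on a constructed tree.
"""
import json
import sys
import tempfile
from pathlib import Path

# Subtrees and file types a minimal install should not contain, per the
# thread (cfusion/jetty carries the WARs for the optional services).
# Assumed watch list; extend it for your own baseline.
WATCHED_SUBTREES = ("cfusion/jetty",)
WATCHED_SUFFIXES = (".war",)
MANIFEST_NAME = "cf-before.json"  # assumed name for the saved manifest


def snapshot(root):
    """Return the set of file paths under root, relative and in POSIX form."""
    root = Path(root)
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}


def save_manifest(paths, manifest_file):
    """Persist a snapshot so it survives the updater run and any reboot."""
    Path(manifest_file).write_text(json.dumps(sorted(paths)))


def load_manifest(manifest_file):
    """Read a snapshot written by save_manifest back into a set."""
    return set(json.loads(Path(manifest_file).read_text()))


def diff_snapshots(before, after):
    """Return (added, removed) sorted path lists between two snapshots."""
    return sorted(after - before), sorted(before - after)


def flag_reintroduced(added):
    """Pick out added paths that land in a watched subtree or are WAR files.

    Comparison is case-insensitive because NTFS paths are.
    """
    flagged = []
    for rel in added:
        rel_l = rel.lower()
        in_watched = any(rel_l == s or rel_l.startswith(s + "/") for s in WATCHED_SUBTREES)
        if in_watched or rel_l.endswith(WATCHED_SUFFIXES):
            flagged.append(rel)
    return flagged


def demo():
    """Simulate install -> updater on a constructed tree; return flagged paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "cf"
        manifest = Path(tmp) / MANIFEST_NAME
        # Constructed minimal install: no jetty folder present.
        (root / "cfusion" / "bin").mkdir(parents=True)
        (root / "cfusion" / "bin" / "cfstart.bat").write_text("rem constructed\n")
        save_manifest(snapshot(root), manifest)

        # Constructed updater effect: one ordinary library change plus the
        # jetty folder (config file and a WAR) that the thread says comes back.
        (root / "cfusion" / "lib").mkdir(parents=True)
        (root / "cfusion" / "lib" / "updated.jar").write_bytes(b"constructed")
        (root / "cfusion" / "jetty" / "webapps").mkdir(parents=True)
        (root / "cfusion" / "jetty" / "webapps" / "example.war").write_bytes(b"constructed")
        (root / "cfusion" / "jetty" / "etc").mkdir(parents=True)
        (root / "cfusion" / "jetty" / "etc" / "jetty.xml").write_text("<!-- constructed -->\n")

        added, _removed = diff_snapshots(load_manifest(manifest), snapshot(root))
        return flag_reintroduced(added)


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "snapshot":
        save_manifest(snapshot(sys.argv[2]), MANIFEST_NAME)
    elif len(sys.argv) == 3 and sys.argv[1] == "compare":
        added, removed = diff_snapshots(load_manifest(MANIFEST_NAME), snapshot(sys.argv[2]))
        print(f"{len(added)} files added, {len(removed)} removed by the updater")
        for rel in flag_reintroduced(added):
            print("REINTRODUCED:", rel)
    else:
        print("flagged in demo:", demo())
```

Because the manifest is a plain file list, you can run snapshot/compare around each updater in turn (update 2 to 11, then 11 to 12) to pin down which one adds the folder, and keep the manifests as evidence for the baseline the lockdown guide expects.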
Thanks for your reply Charlie, helps to know I'm not totally going crazy. By the way, many thanks for sharing your knowledge over the years. You've helped me many times.
You are right about the servlets - at least as far as I can tell. In my case I needed cfreport functionality, so that was the one that was left checked. I might have misspoke if I said I had found them all to be enabled - I was more concerned with the components showing up again and blocking the lockdown.
To me the SQL Server part is more concerning, and might actually explain/cause some of the other issues I've seen people mentioning here in the community.
Thanks again for your response and dedication to the community over the years.