Overview

During our security testing, it was discovered that Adobe Connect may allow access to some Adobe Connect configuration console pages without requiring authentication. These pages are read-only, but they display information about the Adobe Connect database account as well as other configuration pages. Without direct access to the database, this information cannot be used to reach it. However, we recommend following the steps below to control access to these pages.

Solution

An immediate workaround is provided below; this configuration change will also be installed by default in the next version of Adobe Connect, scheduled for release this summer.

Workaround

Detailed steps for Adobe Connect On-Premise customers to fix this issue:

  • On each Adobe Connect server, edit the file \{Connect install folder}\appserv\web\WEB-INF\web.xml
  • Insert the following filter into the web.xml file so that the console pages will only load from the localhost.
    • The code block below should be inserted before the current (commented out) NtlmAutenticationFilter in your existing web.xml file.
<!-- Remote Address Filter to allow console requests only locally -->
<filter>
  <filter-name>consoleLocalhostOnly</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <init-param>
    <param-name>allow</param-name>
    <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>consoleLocalhostOnly</filter-name>
  <url-pattern>/console/*</url-pattern>
</filter-mapping>
<!-- Remote Address Filter ends -->
  • After pasting the above into the web.xml file, save the file.
  • Perform the above steps on every Adobe Connect server in the cluster.
  • Restart the Adobe Connect services.
  • Change the Adobe Connect database password (optional, but recommended).

Once the above steps are performed, the Adobe Connect console pages will only be accessible from the Adobe Connect server itself. Users attempting to access the console pages remotely will see the following HTTP Status 403 error:

[Screenshot: HTTP Status 403 error page returned for a remote request to the console]
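To confirm that the workaround is in place on a server, the following added example (not Adobe's code) reads a web.xml, finds the filter mapped to /console/*, and exercises its allow regex against loopback and non-local addresses using the whole-address matching that Tomcat's RemoteAddrFilter applies. The embedded web.xml fragment is constructed for the example; on a real server, pass the contents of the file named above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the filter from the workaround above inside a minimal web.xml.
SAMPLE_WEB_XML = r"""<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter>
    <filter-name>consoleLocalhostOnly</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
    <init-param><param-name>allow</param-name>
      <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value></init-param>
  </filter>
  <filter-mapping>
    <filter-name>consoleLocalhostOnly</filter-name>
    <url-pattern>/console/*</url-pattern>
  </filter-mapping>
</web-app>"""

def _local(tag):  # drop the XML namespace so a namespaced web.xml is read like a bare one
    return tag.rsplit("}", 1)[-1]
def _child_text(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), None)

def load_console_filters(xml_text):
    """Return {name: {"class", "allow", "patterns"}} for every filter mapped to /console/*."""
    root, filters = ET.fromstring(xml_text), {}
    for f in root.iter():
        if _local(f.tag) == "filter":
            params = {_child_text(p, "param-name"): _child_text(p, "param-value")
                      for p in f if _local(p.tag) == "init-param"}
            filters[_child_text(f, "filter-name")] = {
                "class": _child_text(f, "filter-class"), "allow": params.get("allow"), "patterns": []}
    for m in root.iter():
        if _local(m.tag) == "filter-mapping" and _child_text(m, "filter-name") in filters:
            filters[_child_text(m, "filter-name")]["patterns"].append(_child_text(m, "url-pattern"))
    return {n: f for n, f in filters.items() if "/console/*" in f["patterns"]}

def addr_allowed(allow_regex, remote_addr):
    """RemoteAddrFilter admits a request only if the whole remote address matches the allow regex."""
    return re.fullmatch(allow_regex, remote_addr) is not None

def check_console_protection(xml_text):
    """Return a list of findings; an empty list means the workaround is correctly in place."""
    good = [f for f in load_console_filters(xml_text).values()
            if f["class"] == "org.apache.catalina.filters.RemoteAddrFilter" and f["allow"]]
    findings = [] if good else ["no RemoteAddrFilter with an allow list is mapped to /console/*"]
    for f in good:
        findings += [f"loopback {a} would be rejected" for a in ("127.0.0.1", "::1", "0:0:0:0:0:0:0:1")
                     if not addr_allowed(f["allow"], a)]
        findings += [f"non-local {a} would be allowed" for a in ("10.0.0.5", "2001:db8::1")
                     if addr_allowed(f["allow"], a)]
    return findings
```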

FAQ:

Q: I have an Adobe Connect account hosted by Adobe. Do I need to take any action on this?

A: No, the Adobe Connect Operations team has taken the necessary steps to mitigate this vulnerability.


Q: The console page is shown and lets me change and save data on the page. Is this changing my configuration or settings?

A: No. Even though the page does not show an error, no data is updated in the database.


Q: Should I change my database password?

A: Yes, we recommend that you change the database password after implementing the fix above.


Q: Will it require downtime to implement the changes to mitigate this vulnerability?

A: Yes, the Adobe Connect services will need to be restarted after the necessary changes have been saved.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
