During our security testing, it was discovered that Adobe Connect may allow access to some Adobe Connect configuration console pages without requiring authentication. These pages are read-only but display information about the Adobe Connect database account as well as other configuration settings. The disclosed database account details cannot be used without direct network access to the database itself. However, we recommend following the steps below to control access to these pages.
An immediate workaround is provided below and this updated configuration change will be installed by default in the next version of Adobe Connect scheduled for release this summer.
Detailed steps for Adobe Connect On-Premise customers to fix this issue: add the following servlet filter declaration to the Adobe Connect web application's deployment descriptor (web.xml). It uses Tomcat's built-in RemoteAddrFilter, which compares the client address of every request to the /console/* path against the allow regular expression and rejects any request that does not match with HTTP status 403.

    <!-- Remote Address Filter to allow console requests only locally -->
    <filter>
        <filter-name>consoleLocalhostOnly</filter-name>
        <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
        <init-param>
            <!-- The pattern is matched against the whole client address:
                 any IPv4 loopback address (127.x.x.x) and both spellings
                 of the IPv6 loopback address are accepted. -->
            <param-name>allow</param-name>
            <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>consoleLocalhostOnly</filter-name>
        <url-pattern>/console/*</url-pattern>
    </filter-mapping>
    <!-- Remote Address Filter ends -->
Once the above change has been made and the Adobe Connect services restarted, the Adobe Connect console pages will only be accessible from the Adobe Connect server itself. Users attempting to access the console pages remotely will receive an HTTP Status 403 (Forbidden) error.
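To see exactly which client addresses the workaround lets through, the following added example models the decision logic of Tomcat's RemoteAddrFilter in Python and runs the advisory's allow pattern over a constructed set of client addresses. It is not Adobe's or Tomcat's code: the decision order (deny checked first, then allow, then the deny-only default) and the use of a whole-string match mirror how Tomcat's RequestFilter applies the patterns with java.util.regex matches(), and STRICT_ALLOW, the sample addresses and the helper names are this example's own assumptions.

```python
import re

# The allow pattern from the Adobe Connect workaround (Tomcat RemoteAddrFilter).
ADVISORY_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"

# A tighter alternative that only accepts the exact loopback literals.
# Assumption of this example, not part of the advisory.
STRICT_ALLOW = r"127\.0\.0\.1|::1|0:0:0:0:0:0:0:1"

DENY_STATUS = 403  # RemoteAddrFilter's default denyStatus


def remote_addr_filter(remote_addr, allow=None, deny=None):
    """Model of Tomcat's RequestFilter decision order applied to the client IP.

    Tomcat compiles the allow/deny init-params with java.util.regex and tests
    them with matches(), so the WHOLE address must match; re.fullmatch is the
    Python equivalent. Order: deny first, then allow, then the deny-only
    default (a request that matches neither is allowed only when no allow
    pattern was configured at all).
    Returns True if the request continues down the filter chain, False if it
    is rejected with DENY_STATUS.
    """
    if deny is not None and re.fullmatch(deny, remote_addr):
        return False
    if allow is not None and re.fullmatch(allow, remote_addr):
        return True
    if deny is not None and allow is None:
        return True
    return False


def decide(remote_addr, allow=ADVISORY_ALLOW):
    """HTTP outcome of the filter stage: 200 (passed on) or 403 (rejected)."""
    return 200 if remote_addr_filter(remote_addr, allow=allow) else DENY_STATUS


# Constructed sample of client addresses as Tomcat's request.getRemoteAddr()
# would report them; these are illustrative, not captured from a deployment.
SAMPLE_CLIENTS = {
    "127.0.0.1": "admin logged on to the Connect server itself",
    "127.0.0.53": "another loopback address (still local)",
    "::1": "IPv6 loopback, compressed form",
    "0:0:0:0:0:0:0:1": "IPv6 loopback, expanded form",
    "10.20.30.40": "workstation on the corporate LAN",
    "203.0.113.7": "Internet client (TEST-NET-3 documentation range)",
    "127.0.0.1 ": "trailing junk: whole-string match means this is NOT loopback",
    "1127.0.0.1": "prefix junk: also rejected by the whole-string match",
}


def audit(allow=ADVISORY_ALLOW):
    """Evaluate every sample client against a pattern; returns {addr: status}."""
    return {addr: decide(addr, allow) for addr in SAMPLE_CLIENTS}


if __name__ == "__main__":
    for addr, why in SAMPLE_CLIENTS.items():
        print(f"{addr!r:20} -> {decide(addr)}  ({why})")
```

Two practical checks follow from this. First, the filter sees the address the Tomcat connector sees: if a reverse proxy or load balancer terminates client connections in front of Adobe Connect, every console request arrives with the proxy's address, so the filter will either reject all of them (proxy on another host) or allow all of them (proxy on the same host), and the workaround must be validated against the real deployment rather than assumed to work. Second, confirm the result from a remote host after the restart, for example with `curl -sI https://<connect-host>/console/`, which should return a 403 response, while the same request made on the server itself should not.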
Q: I have an Adobe Connect account hosted by Adobe. Do I need to take any action on this?
A: No, the Adobe Connect Operations team has taken the necessary steps to mitigate this vulnerability.
Q: It shows the console page and it allows me to change/save data to the page, is this changing my configuration/settings?
A: No. Even though the page does not show an error, no data is written to the database.
Q: Should I change my database password?
A: Yes, we recommend that you change the database password after implementing the filter change described above.
Q: Will it require downtime to implement the changes to mitigate this vulnerability?
A: Yes, Adobe Connect services will need to be restarted after the necessary changes have been saved.