ah_dc
Known Participant
March 18, 2019

ColdFusion 2018 vulnerabilities


Hi,

After scanning our new development ColdFusion 2018 server, we found the following vulnerabilities. How can we fix these issues? Did ColdFusion install Node.js?

Thank you.

Apache Tomcat Default Files
The remote web server contains default files.
The default error page, default index page, example JSPs, and/or example servlets are installed on the remote Apache Tomcat server. These files should be removed as they may help an attacker uncover information about the remote Tomcat install or host itself.

Node.js - JavaScript run-time environment is affected by multiple vulnerabilities.
The version of Node.js installed on the remote host is 6.x prior to 6.15.0, 8.x prior to 8.14.0 or 10.x prior to 10.14.0 or 11.x prior to 11.3.0. Therefore, it is affected by multiple vulnerabilities.

   - OpenSSL Timing vulnerability in DSA signature generation (CVE-2018-0734).
   - OpenSSL Timing vulnerability in ECDSA signature generation (CVE-2018-0735).
   - OpenSSL Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407).
   - Debugger port 5858 listens on any interface by default (CVE-2018-12120).
   - Denial of Service with large HTTP headers (CVE-2018-12121).
   - Slowloris HTTP Denial of Service (CVE-2018-12122).
   - Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123).
   - HTTP request splitting (CVE-2018-12116).


    No problem. I'll remove Node.js using Windows Programs and Features. Just wanted to confirm that I can go ahead and delete the E:\ColdFusion2018\cfusion\runtime\manager folder without any issue?

    Yes, we are using the Nessus scanner. Thanks for your help.


    Yes, go ahead and remove the folder. Thanks for sharing the scanner name.

    Thanks,

    Priyank

    Charlie Arehart
    Community Expert
    March 19, 2019

    Node is there for an aspect of the mobile features added in CF11, if you choose to implement CF with the development profile. I have a post with more on that:

    https://coldfusion.adobe.com/2017/11/hey-why-am-i-finding-cf-installed-node-js/

    That said, it is interesting that you are doing security scanning on an implementation of CF with the "development" profile. That's of course less secure (by design) than either the production or production+secure profiles.

    Even so, it's a shame to hear if on CF2018 u3 the node libraries are so old as to have those vulns. Adobe, that seems a priority to get fixed ASAP.

    Finally, as for the "default tomcat files", can you get your security scanner to report what files it means? There are no jsps or example servlets in the cfusion/wwwroot by default, and that's the default webroot for CF.

    /Charlie (troubleshooter, carehart.org)

    ah_dc (Author)
    Known Participant
    March 19, 2019

    Thanks Charlie for your help. As per our organization policy, they do scan all servers. We don't have any mobile setup and we don't need node.js.

    This is the scanner result for Tomcat.

    Apache Tomcat Default Files
    The remote web server contains default files.
    The default error page, default index page, example JSPs, and/or example servlets are installed on the remote Apache Tomcat server. These files should be removed as they may help an attacker uncover information about the remote Tomcat install or host itself.
    Delete the default index page and remove the example JSP and servlets. Follow the Tomcat or OWASP instructions to replace or modify the default error page.

    Can we remove tomcat server also?

    Thanks again for your help.

    Dave Watts
    Community Expert
    March 19, 2019

    You can't remove Tomcat, because that's what actually runs ColdFusion. And as Charlie said, there aren't any actual files in the Tomcat webroot other than the ones you might put there yourself. But it is possible to have default error pages and index pages, because those aren't actually pages. You could edit the configuration files for Tomcat to customize these pages, I think, but my recommendation would simply be to block access to the built-in web server to the localhost address. If you do this, the scanner shouldn't be able to find anything.

    Dave Watts, Eidolon LLC
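    As an added example of the check Dave describes (not code from this thread or from Adobe): a Python script that parses Tomcat's server.xml, reports any connector that is not bound to a loopback address, and rewrites such connectors to bind to 127.0.0.1 so the built-in web server only answers on localhost. The server.xml location under cfusion/runtime/conf and the sample XML are assumptions.

```python
import xml.etree.ElementTree as ET

# Addresses that keep a connector off the network; anything else is reachable
# by an external scanner such as Nessus.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample resembling a ColdFusion cfusion/runtime/conf/server.xml
# (assumed location): the HTTP connector on 8500 has no 'address' attribute,
# so Tomcat binds it to every interface; the SSL connector is loopback-only.
SAMPLE_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="20000" redirectPort="8445"/>
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11NioProtocol"
               address="127.0.0.1" SSLEnabled="true" scheme="https" secure="true"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""


def exposed_connectors(server_xml: str) -> list[dict]:
    """List every <Connector> that is not bound to a loopback address.

    Tomcat's Connector 'address' attribute selects the listening interface;
    when it is absent the connector listens on all interfaces.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        address = conn.get("address", "").strip()
        if address not in LOOPBACK:
            findings.append({
                "port": conn.get("port"),
                "address": address or "(all interfaces)",
                "protocol": conn.get("protocol", "HTTP/1.1"),
            })
    return findings


def harden_connectors(server_xml: str) -> str:
    """Return server.xml text with every public connector bound to 127.0.0.1,
    so only processes on the host itself can reach the built-in web server."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("address", "").strip() not in LOOPBACK:
            conn.set("address", "127.0.0.1")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in exposed_connectors(SAMPLE_SERVER_XML):
        print(f"port {f['port']} listens on {f['address']} ({f['protocol']})")
```

    Re-run the scanner after restarting ColdFusion, since Tomcat only reads server.xml at startup.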

    Priyank Shrivastava
    Community Manager
    March 18, 2019

    Hi,

    Can you please apply the latest update 3 and then run the scan again.

    Thanks,

    Priyank

    ah_dc (Author)
    Known Participant
    March 18, 2019

    Thanks Priyank. Will do.