tommuck1
Inspiring
July 28, 2020
Question

Hotfix updates not showing in Nessus scan

I applied all the hotfix updates 4-10 manually to ColdFusion 2018, but when we run the Nessus scanner, it's showing the server as unpatched. Looks like Nessus is looking in a different directory:

 Nessus detected the following unpatched instances :

Update directory : D:\ColdFusion2018\cfusion\lib\updates
Missing cumulative hotfix : chf2018000005.jar

 

It shows this error for each update, even though they were all applied through the hf-updates folder. Anyone run into this? Nessus is wrong, obviously.

Tom Muck

    BKBK
    Community Expert
    July 29, 2020

    Nessus is perhaps an x++ thinker. It expects to see 5 as the follow-up of 4, not 10.

    Is it possible to restart or even reinstall Nessus? That might reset its thinking.

    tommuck1 (Author)
    Inspiring
    July 29, 2020

    Thanks, we're looking into that angle as well, and I'll contact Nessus about it if we can't resolve. Customer expects a clean Nessus scan.

    Tom

    Community Expert
    July 29, 2020

    If you don't want to wait for the tool vendor and are willing to work around this in a potentially questionable way, you could just create a bunch of JAR files with the appropriate names using Java. I don't think they'll interfere with the real patches.

     

    jar -cf chf2018000005.jar ""

     

    Dave Watts, Eidolon LLC

    tommuck1 (Author)
    Inspiring
    July 28, 2020

    From what I can gather, the automatic update button in the CF Admin puts the updates in the lib/updates folder, whereas the manual install puts them in hf-updates, and the filenames are different (hotfix-010-320417.jar vs. chf20180010.jar). I assume they are the same updates, but one is a cumulative, whereas the hf-updates are individual.

    Tom

    Charlie Arehart
    Community Expert
    July 28, 2020

    Interesting challenge. There are a few things to consider here, a couple of which may contradict your understanding. Let's see if we can figure it all out.

     

    1) The CF updates (whether done manually or via the Admin) will indeed put the actual update jar (the one starting with chf) in the lib/updates folder. And each time you apply a new update, the previous update's chf jar (and any other ones added, such as may be provided by Adobe support for bug fixes) will be removed.

     

    1b) The jars you see in the hf-updates are different: they are either pulled down by the automatic update mechanism or can be put there manually, and they are the actual installer for APPLYING the update (which again ends up putting the CHF into that lib/updates folder).

     

    2) FWIW, note as well that if you have more than one instance of CF (if running CF Enterprise, Dev or Trial, not available in Standard), then there will be both an hf-updates and a lib/updates folder in each instance. I know you said it refers to the cfusion/lib/updates. I just mention this in case it may help you or perhaps other readers who find this thread in the future.

     

    2b) You say it's complaining that chf2018000005.jar is missing. Of course, it could be that the Nessus you have is out of date (and not smart), if it may think "if I don't see 5, I don't care about anything later". Did you check it RIGHT after applying update 5? If so, then something is definitely amiss (if you literally saw that chf5 jar in that folder when it STILL reported it did not see it there).

     

    3) FWIW, note that you did NOT need to do "all the hotfix updates 4-10", if by that you mean you did them one at a time. It's sad, of course, because you may have felt you had to, if you tried 10 first and it failed, but found 4 worked. It was literally that you must do 4 (alone) before any others, so you could have done just 4 and 10. I leave that for other readers, or if you ever have to do it again. 🙂

     

    4) Finally, if it was not reporting SPECIFICALLY about that CF lib/updates folder, I might wonder if instead it was complaining that it was the JAVA version that CF is using that is out of date. Out of the box, CF2018's Java is indeed old. You can update to the latest Java 11, which is 11.0.7.

     

    Let us know how things 

    /Charlie (troubleshooter, carehart.org)
    tommuck1 (Author)
    Inspiring
    July 29, 2020

    Thanks, Charlie. There is definitely only one instance. I did not do the updates through the interface, because the machine is blocked from accessing the Internet. They were done manually from a command line. I did each one because I could not find any information on whether or not they were cumulative, and applying just the latest (which was 9 at the time) did not work. I will ask our operations team about the Nessus installation. I assume they are keeping it up to date.

     

    Tom
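As an added illustration of points 1 and 1b in Charlie Arehart's reply (not code from the thread, Adobe, or the scanner vendor), the following Python sketch separates the applied `chf` jar in lib/updates from the installer jars staged in hf-updates and compares the result with the jar name a scan finding mentions. The function names are hypothetical, the file-name patterns are inferred from the two jar names quoted in the thread, and the sample listings are constructed.

```python
import re
from pathlib import Path

# Patterns follow the two jar names quoted in the thread; the digit widths
# are an assumption.
CHF_RE = re.compile(r"^chf(\d{4})(\d+)\.jar$", re.IGNORECASE)
INSTALLER_RE = re.compile(r"^hotfix-(\d+)-\d+\.jar$", re.IGNORECASE)

# Constructed sample listings (the 000000 build number is a placeholder).
SAMPLE_LIB_UPDATES = ["chf2018000010.jar"]
SAMPLE_HF_UPDATES = ["hotfix-004-000000.jar", "hotfix-010-320417.jar"]


def jar_names(folder):
    """File names of the jars in a folder; empty list if it does not exist."""
    p = Path(folder)
    return sorted(f.name for f in p.glob("*.jar")) if p.is_dir() else []


def applied_level(lib_updates, cf_version="2018"):
    """Highest cumulative hotfix number among chf jars, or None if none found."""
    hits = (CHF_RE.match(n) for n in lib_updates)
    return max((int(m.group(2)) for m in hits if m and m.group(1) == cf_version),
               default=None)


def installer_levels(hf_updates):
    """Update numbers of installer jars; these only show what was staged."""
    hits = (INSTALLER_RE.match(n) for n in hf_updates)
    return sorted({int(m.group(1)) for m in hits if m})


def assess(lib_updates, hf_updates, flagged_jar):
    """Compare what is on disk with the jar name a scan finding mentions."""
    applied = applied_level(lib_updates)
    flagged = CHF_RE.match(flagged_jar)
    flagged_level = int(flagged.group(2)) if flagged else None
    return {
        "applied_level": applied,
        "installers_staged": installer_levels(hf_updates),
        "flagged_jar_present": flagged_jar.lower() in {n.lower() for n in lib_updates},
        "later_update_applied": (applied is not None and flagged_level is not None
                                 and applied > flagged_level),
    }


if __name__ == "__main__":
    # On a real server, pass jar_names() of the instance's lib/updates and
    # hf-updates folders instead of the constructed samples.
    print(assess(SAMPLE_LIB_UPDATES, SAMPLE_HF_UPDATES, "chf2018000005.jar"))
```

A result with `flagged_jar_present` false and `later_update_applied` true is evidence to attach when raising the finding with the scanner vendor; an `applied_level` of None with installers staged means the installers were downloaded but never run.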