Jetty Vulnerabilities in Coldfusion 2018

Victor, while Priyank considered your question, I have another, but more important: a suggestion (for you and Priyank to consider)

1) First, a minor but perhaps helpful point: you say that the vulnerability was found in CF2018 (which came out just this month), and you ask if CF “v13” will address it. They are no different. CF2018 the official name of the release, while the latter was an internal name that sometimes appears in places (like the Bug tracker).

2) Second and more important, moving on to your issue, I’ll note that there are indeed two jetty web server implementations underlying CF.

**And you may find that you can just close off the default open access to one of them (which in fact may no longer even be needed). **

One is for the sake of the CF “add-on service” (which supports Solr and the PDFG services/the CFHTMLTOPDF tag) and another was for sake of the CF Enterprise Server Monitor (which added an alternative web server it offered in CF9.0.1 and above).

In the case of the jetty for the add-on service, it’s controlled by a jetty.xml file in C:\ColdFusion2018\cfusion\jetty\etc\jetty.xml, while the one that was for the CF Enterprise Server monitor was (and still in) C:\ColdFusion2018\cfusion\lib\jetty.xml. In the former, it has a host field that limits it to listening on 127.0.0.1 (and a port like 8989) by default, while the latter has a host field that is left as 0.0.0.0 and so is listening for requests made to any ip address (and thus is “open”).

This has caused other problems, and there’s are resources from Adobe and others proposing “closing that hole” by changing that host (in the C:\ColdFusion2018\cfusion\lib\jetty.xml) to be 127.0.01:

https://forums.adobe.com/thread/2347245

We’ll see if Priyank might propose that as the same solution here, but I wanted to offer that for you (and him) to consider in the meantime.

3) Finally, I would also ask Adobe: why is that jetty implementation (the one that was added in 9.0.1 for the CF enterprise Server Monitor, listening at port 5500) even still there in CF2018, since the CF Server Monitor is removed in this release. (If anyone reading would ask me if this might still be needed for the new PMT which replaces the Server Monitor, I would say no, it doesn’t seem so, since the PMT runs as a separate service and has its own port, which is 9101 by default). And even if somehow this jetty (at 5500, by default) is still needed, does it REALLY still need to be left with the host of 0.0.0.0?

Victor, if you may get to try this and could report if it closes the vulnerability, that would be useful to hear, if Priyank confirms it’s no longer needed. That could help others who may find this thread in the future. (But I’ll understand if you may prefer to wait to hear from him first.)

/charlie

Hi,

We will check this and let you know. Please standby.

Thanks,

Priyank Shrivastava