Security Scan Missing ColdFusion Updates

Update:

Tenable support said they were aware of this issue and working on it when I contacted them yesterday. I think this was due to the existing ticket from @dwaynek27338072. Our scans were run again this morning and everything came out clean! Can you try your scans again @dwaynek27338072 and see if they are working now?

I'll add one more vote for the recommendations and comments from @BKBK @Charlie Arehart and @dwaynek27338072  that this probably an issue for Tenable  Support.

Tenable is now commercial closed source, but I have a hunch that the host-baed ColdFusion-related checks haven't changed much since the open source Nessus days, if at all.  After looking at some old Nessus code, it appears that this may be an issue with expected extra zeros used as padding for the ColdFusion version numbers and patch numbers.  This also appears to be likely since the real CHF is chf20210016.jar and the "missing file" is chf2021000006.jar.  

Some relevant Nessus code related to expected filenames is also preceeded by the following comment 🙂 :

# this is all undocumented and, at best, an educated guess

The same thing has happened at all our CF2021 sites.  We have a ticket open with Tenable and are waiting on their answer about the filename being looked for by the scanner.  

@Mark33214390u893 ,

I have yet another suggestion for you. Take this issue up with Tenable's Support team. You may also want to ask a question in the Tenable Community.

Let them know that you are on Update 16 of ColdFusion 2021, the most recent, which includes Update 6. Yet Tenable complains of a "Missing cumulative hotfix : chf2021000006.jar". Tenable should also verify whether there ever was a file called "chf2021000006.jar".

Mark, I think I see your problem as being something different than Pete or BKBK suggested (though there may well be value for you in what they offer, of course).

1) You said, "In the directory E:/cfusion/lib/updates/, I have all of the corresonding chf20210016.jar for each update."

Er, if you really mean what you're saying (you have ALL the chf jar files for EACH update in that folder), that's a problem (and indeed could be THE problem with your failing scans). 

2) To be clear, the CF update mechanism would never put multiple chf*.jar files there. It would only ever leave in there the chf*.jar file of whatever update you last applied. (Besides a tool like Tenable, CF itself could be confused terribly by there being multiple chf*.jar files, given how Java classloading works.)

3) So did you do that yourself? Perhaps you're working offline and felt you needed to "do things manually". (Even then, the technotes for each update discuss manual offline updates, and they do NOT suggest doing what you did.)

Or perhaps you read about doing it somewhere (in which case, please let us know so that we can suggest to the author that they elaborate on their motivation for thi ssuggestion).

4) And I suspect your teneble scanning may be simply looking AT that lib/updates folder, and if it somehow "finds first" one that is BELOW the version that it expects for whatever sec vuln it's assessing, that would be why it would complain (with what I'm sure seems a confusing message...but I don't think they ever fathomed that people would have more than one chf*.jar in that lib/updates folder, so don't intelligently identify and recommend how to solve that problem.)

Indeed, I'll say I'd never heard of anyone doing it before. So if this is indeed what you did, it's a good thing to get out in the open here, in case someone else may trip over it. 

5) Finally in removing the extra chf*.jar files, note that if you find any hf*.jar files in that lib/updates folder, consider carefully whether you should "just remove" those also. They may be "needed" for you.

Such an hf*.jar file is "patch" file (or "hotfix", whereas the chf*.jar files are "cumulative hotfix" files--which is what CF updates put in place).  These hf/hotfix/patch files are sometimes offered by Adobe as something that changes CF behavior that is NOT in offered in an "update". Such is the case for the recent patch to log implicit scope searches.

Anyway, don't remove such hf*.jar files you find there unless you know you do NOT need them.

Let us know please if all this solves things for you. (And while the scan may be happy if you merely REMOVE all but the jar of the update you last applied, 16 per your original note, you should RESTART CF after removing those other chf*.jar files, in case CF was being confused by them in a way not yet obvious to you/your users.)

I agree with Pete. ColdFusion's updates are cumulative. So it is surprising that the security scanner fails to work out that Update 16 includes Update 6. 

Anyway, what happens when you do the following:

• Include this flag among ColdFusion's JVM arguments:
  

  -Dcoldfusion.cfclient.enable=false 

  The flag was introduced in Update 6. It is set to false, assuming that you don't use cfclient (which you no longer should).
  You should also take a look at the APSB23-25 security bulletin to check whether there is something else you could add to appease the scanner.

• Restart ColdFusion.

After you make these changes, does the security scanner still complain?

The hotfixes are cumulative, so if you have update 16 chf20210016.jar it would include update 6 as well. Scanners like HackMyCF understand this, what security scanner is telling you this?