
ColdFusion 2021 Update 5 installed Jetty CVEs

Guest, Oct 26, 2022

ColdFusion 2021 installed with the latest Update 5 has Jetty 9.4.31 installed inside of itself.  I was working through another issue and was looking at the Jetty release notes when I started seeing multiple comments on resolved CVEs in the versions newer than the one in CF 2021.  Most are Low and Moderate but two of them are classified as High.  

 

  • CVE-2020-27223
  • CVE-2021-28163
  • CVE-2021-28164
  • CVE-2021-28165
  • CVE-2021-28169
  • CVE-2021-34428
  • CVE-2021-34429
  • CVE-2022-2047
  • CVE-2022-2048
TOPICS: Security

1 Correct answer

Community Expert, Oct 26, 2022

https://tracker.adobe.com/#/home

 

... is your friend here. You can't guarantee that Adobe people will even see something you post here, and this isn't a formal reporting system. It's just a public help forum. Not that you'd have any reason to know any of that, so don't feel guilty about it.

 

Dave Watts, Eidolon LLC

Community Expert, Oct 26, 2022

I don't really know the answer to this offhand. But my vague recollection is that Jetty doesn't have to be exposed to the outside world to work with ColdFusion. So I'd take a look at the ports used by Jetty to see if any of them are listening to requests using the machine's IP address instead of localhost or 127.0.0.1. If not, I'd just wait until a new patch drops.

 

Dave Watts, Eidolon LLC
Guest, Oct 26, 2022

It is locked down to just the 127.0.0.1 but it's still running vulnerable versions that are 2 years old. Adobe should be doing better with their SBOMs and updating the components they use way more often than that if there are known vulnerabilities. Especially if you look at the Java 11.0.1.0 that's also inside of CF 2021 Update 5. Yes, we run a separate external Java version, but this very vulnerable version of Java still sits on every CF server.

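The two checks in the exchange above (Dave's "is Jetty listening on the machine's IP or only on loopback?" and Brentil's "what version is actually sitting on disk?" inventory question) can be scripted. The Python below is an added example for this thread, not code from the thread's participants or from Adobe. It assumes Windows `netstat -ano` output as the listener table, the usual `jetty-<module>-<version>.jar` naming in the Jetty lib folder, and uses the ports 8987/8989, the lib path and the 9.4.47 threshold only as placeholders you would replace with the values from your own install and the Jetty release notes; all sample data is constructed.

```python
"""Audit helper added as an example for this thread; not ColdFusion code
and not from Adobe. Two checks: Jetty ports bound beyond loopback, and the
Jetty version present on disk versus a minimum the operator chooses.

Assumed inputs (constructed here): the text of `netstat -ano` on Windows
and the file names in the Jetty lib folder. Ports 8987/8989, the lib path
and the 9.4.47 threshold are assumptions, not values from the thread.
"""
import re
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Tuple

# Constructed `netstat -ano` excerpt: one Jetty port on loopback (fine),
# one on the host's LAN address and one wildcard bind (both reachable from
# other machines), plus a non-listening row that must be ignored.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:8989         0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.20:8987      0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:8500           0.0.0.0:0              LISTENING       3316
  TCP    [::1]:8989             [::]:0                 LISTENING       4120
  TCP    127.0.0.1:8500         192.168.1.5:51022      ESTABLISHED     3316
"""

# Constructed listing of a Jetty lib folder (Jetty's own
# jetty-<module>-<version>.v<date>.jar naming convention).
SAMPLE_JARS = [
    "jetty-server-9.4.31.v20200723.jar",
    "jetty-http-9.4.31.v20200723.jar",
    "jetty-util-9.4.31.v20200723.jar",
    "servlet-api-3.1.jar",
]

# A LISTENING row: the local address is IPv4 or a bracketed IPv6 literal.
_LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\[[^\]]+\]|[\d.]+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)",
    re.MULTILINE,
)
_JETTY_JAR_RE = re.compile(r"^jetty-(?P<module>.+?)-(?P<version>\d+\.\d+\.\d+)")


def exposed_listeners(netstat_text: str,
                      ports: Optional[Set[int]] = None) -> List[Tuple[str, int, int]]:
    """Return (address, port, pid) for listeners that are NOT bound to loopback.

    `ports` limits the check to the ports you care about; None checks all.
    A wildcard bind (0.0.0.0 or ::) is reported as exposed, since it accepts
    connections on every interface the host has.
    """
    exposed = []
    for m in _LISTEN_RE.finditer(netstat_text):
        port = int(m.group("port"))
        if ports is not None and port not in ports:
            continue
        addr = m.group("addr").strip("[]")
        if ip_address(addr).is_loopback:
            continue
        exposed.append((addr, port, int(m.group("pid"))))
    return exposed


def jetty_versions(jar_names: List[str]) -> Dict[str, str]:
    """Map Jetty module name -> version from jar file names; other jars are skipped."""
    found = {}
    for name in jar_names:
        m = _JETTY_JAR_RE.match(name)
        if m:
            found[m.group("module")] = m.group("version")
    return found


def is_older(version: str, minimum: str) -> bool:
    """Numeric (not lexical) comparison of dotted versions, so 9.4.9 < 9.4.31 holds."""
    def key(v: str) -> Tuple[int, ...]:
        return tuple(int(p) for p in v.split("."))
    return key(version) < key(minimum)


def audit(netstat_text: str, jar_names: List[str],
          ports: Optional[Set[int]], min_jetty: str) -> Dict[str, object]:
    """Combine both checks into one report."""
    versions = jetty_versions(jar_names)
    return {
        "exposed": exposed_listeners(netstat_text, ports),
        "jetty_versions": versions,
        "outdated": {m: v for m, v in versions.items() if is_older(v, min_jetty)},
    }


if __name__ == "__main__":
    # On a real host, replace the samples with live data, e.g.
    #   import os, subprocess
    #   netstat_text = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    #   jar_names = os.listdir(r"C:\ColdFusion2021\cfusion\jetty\lib")   # assumed location
    report = audit(SAMPLE_NETSTAT, SAMPLE_JARS, {8987, 8989}, "9.4.47")
    for addr, port, pid in report["exposed"]:
        print(f"EXPOSED  {addr}:{port} (pid {pid}) accepts connections beyond localhost")
    for module, version in report["outdated"].items():
        print(f"OUTDATED jetty-{module} {version} is below 9.4.47")
```

The loopback test uses `ipaddress` rather than a string compare so that `[::1]` passes and `0.0.0.0`/`::` are flagged; a wildcard bind is the case a "locked down to 127.0.0.1" claim most often misses. The version check only answers "is the bundled Jetty below the release I consider acceptable", which is the question an SBOM consumer asks; it does not try to map CVEs to versions.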
Community Expert, Oct 26, 2022

Brentil, that 11.0.1 you refer to was the JVM implemented in the ORIGINAL CF 2021 installer from Nov 2020. That was indeed a mistake for them to include such an old one. That was fixed with the refreshed installers for CF2021 offered in Sept 2021 (which included also update 1, and changed that default JVM to 11.0.11, which was quite an improvement but already 5 months old by that time.) And of course they DO authorize us to update that JVM, which is easy enough to do (in most cases, though not all).

 

Since you wrote this comment to Dave, I added my other long comment below. And I mention there the "new" refreshed installers that Adobe offered with this update 5. Sadly, it also still includes only 11.0.11--which is now 17 months old. They should have at least included 11.0.16.1 which was current in the month before update 5 was released, while they were building those refreshed installers.

 

But yeah, there's a LOT that's sad about the state of old libraries within CF, as I started out with in my longer comment.

 

To be clear, it's not as simple as "they should just offer the latest version" of everything they embed. They need to do substantial testing, and then deal with compat issues--which may become multiplied when one lib may somehow relate to another. The factorial permutations probably leave them feeling stuck.

 

But you're not wrong to complain. And at least with any one lib (like this jetty matter), sometimes it's just a matter of getting them to pay attention to it. Sad that it may take that approach, but CF is indeed a large monster. The new modular design of CF2021 (with the freedom to include packages/modules or not) only goes so far in addressing this issue.


/Charlie (troubleshooter, carehart.org)

Community Expert, Oct 26, 2022

Product development is kind of tough. Yes, you're right that these libraries should be updated more frequently. But ColdFusion has SO MANY libraries that it's like a dancing elephant. I think in some cases they can't just update components, they have to notify vendors or distributors. They also have to test all the things they're currently running in Jetty. You may think that's no big deal, but ... it is. Take it from someone dealing with that problem right now (on another platform fortunately!)

 

As for the vulnerable version of Java, if you're no longer using it for anything, you can delete it. I'd move it somewhere first just to see if anything breaks though. You don't have to worry about Java vulnerabilities via CF if CF isn't using that version of Java any more.

 

Dave Watts, Eidolon LLC

Guest, Oct 26, 2022

The CF documentation states that if you manually install the updater files you must use the inbuilt Java and not the external versions, meaning you have to keep it around for those. That is how we do the updates, and I know from trying to use external Java vs. inbuilt that it does cause problems with the updater GUI.

Community Expert, Oct 26, 2022

Well, that kind of sucks. It doesn't mean you need to keep it on the machine all the time though, does it?

 

Dave Watts, Eidolon LLC

Community Expert, Oct 26, 2022

Brentil, I have always regarded that statement (in the docs or wherever) as being simplistic. What they're getting at (I would assert) is that if CF is running with, say, Java 11, they'd not want you running the update (manually, using java -jar) with Java 19, or Java 7... and someone could very well have that sort of combination.

 

So I know you say you "know from trying to use external java vs inbuilt it does cause problems with the updater gui". I would love to hear more, as I've just not seen it. I can promise you that I have done over 1000 CF updates manually (since CF10 introduced the new update mechanism in 2012) that were NOT using the java that came with CF (not the exact SAME one, though yes the same VERSION, so Java 11.0.17 rather than the 11.0.1 that the original CF may have come with), and it's NEVER been a problem.

 

We may have to agree to disagree, or perhaps you or someone can share more on when exactly it is a problem. But I realize it's not your priority concern right now.  Hope all the other thought I shared may help you there. 


/Charlie (troubleshooter, carehart.org)

Guest, Oct 27, 2022

On the Update pages since sometime in CF2016 they added a comment that's been there every time.

 

Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.

 

With CF2016 and CF2018, running the offline updater with the Java 8 JDK or JRE of the time would not render the GUI of the offline installer. It would result in a command-line interface being shown instead, which sometimes had funky formatting and didn't always show the correct information. Exiting and then using the bundled version would render the GUI correctly. I haven't tried using the external Java in CF2021, so it might work correctly there now, but after years of it not working in the previous versions I stopped trying because the instructions to use the bundled are still there.

Community Expert, Oct 27, 2022

Yeah, no. That's not been my experience. Perhaps what mattered was the KIND of jvm you were using, whether a JRE, jdk, or server JRE. I've always used a jdk (which I told cf to use as it's Java home), and I've then used that to run the jar. I'm almost positive this has never caused what you see. But I'll try to do some testing to confirm for sure, for any who care to know.

 

(And I do realize the verbiage is there. My contention was/is that it's simplistically stated, especially given my experience.)


/Charlie (troubleshooter, carehart.org)

Guest, Oct 27, 2022

We've only ever used the official Oracle JRE & JDKs, never tried the server JRE or any of the 3rd party Javas.

Community Expert, Oct 27, 2022

Ok, and to be clear I'd never use or recommend 3rd party jvms, as Adobe only supports oracle's. So we're at least on the same page there. 🙂 


/Charlie (troubleshooter, carehart.org)

Community Expert, Oct 26, 2022

Adding to Dave's helpful suggestion, I do realize that sec folks may not care about port exposure but instead the mere "existence" on a server of vulnerable libraries. 

 

So until Adobe (or anyone) may reply with more, I’ll offer some more thoughts (yep, it's a blog-length answer). Hope it may help you and others finding this in the future.

 

First I'll say that it’s not that surprising when some embedded library within CF has CVEs that reflect CF is using an old library. It may be months or years old, or it may be only weeks old. Either way, Adobe does not authorize us to update the libraries that underly CF.

 

(The only thing we’re authorized to update is the JVM that CF uses--and then only to the latest update of whatever Java version is supported by our CF version, which is Java 11 currently for CF2021, and so the latest is update 11.0.17 from last week.)

So what can you do? Well, I see 3 or 4 choices:

 

1) Of course you can hope Adobe will update the library in question.  That typically is done only with a CF update, or sometimes only with a refreshed installer. More on that in a moment.

2) You might find you can just uninstall the aspect of CF that relies on that jetty installation, assuming your apps don’t use the features that rely on that, which would be what’s referred to as the ColdFusion “add on service”, and which supports the CF features related to Solr (cfsearch, cfindex, cfcollection) and what they refer to as “pdfG” (which is about PDF generation using the CFHTMLtoPDF tag added in CF11—it is NOT related to the older CFDOCUMENT tag also used to generate PDFs, nor is it related to CFPDF or any of the pdf functions).

To be clear, someone would have chosen during the CF install to enable that add-on service, and it can be uninstalled, separately from CF. (On Windows, it literally appears as an option in “add or remove programs”.)

 

I'm not saying that uninstalling that will remove the jetty folder (and libraries), but once it's gone, there should be no further need for that jetty folder. You could at least try stopping CF, renaming the jetty folder or moving it, and starting CF, to see if it works. I've not tested that.

 

Again, maybe Adobe or others will chime in with more on that.


3) Someone might argue you could install your own newer Jetty server (not in the CF jetty folder but in some other one), and point CF to use that. That’s not as easy as it sounds. You’d then need to deploy the WAR files for those two services (for those who understand that) into that new Jetty—and it’s not even clear that Adobe would support running those war files into that newer Jetty version.

All this is indeed a pickle. There are just no good solutions.

4) Finally, I will add one last possibility to consider. Back to my point 1 above, note that Adobe DID offer a refreshed installer for CF2021 along with update 5 two weeks ago. They did not publicize it, so many don’t realize it. I have a blog post with news on that. https://www.carehart.org/blog/2022/10/17/cf2021_refreshed_installers_available_but_only_one_place_fo....

To your issue here, you may ask, “so, are you saying that perhaps a fresh installation of CF with that refreshed installer might have different files/libraries underlying it than would an existing CF2021 that only had update 5 applied?” Yes, that is what I am saying. I mention that at the bottom of my blog post. No word from Adobe on that. Am I saying you should try replacing your current CF2021 install with? Well, I realize it’s not trivial (you’d have to uninstall the “old” CF2021, then install the new one. And you’d have to be sure to preserve all your admin settings, etc.)

What I would say instead is that you can install that new CF2021 refreshed installer on any machine you may have (even just temporarily), or in a vm, or in the Windows Sandbox if you are using Windows Pro or above. Then you could look at those files to see what they show. Or maybe someone else here can confirm. (I had done my testing on Windows Sandbox , so the install was lost when I closed the sandbox/restarted the machine. That’s where it has a negative compared to real VMs. The positive is that the sandbox starts quickly and uses the license of your Windows machine.)

 

Hope that helps, you or someone in the future here.


/Charlie (troubleshooter, carehart.org)

Guest, Oct 26, 2022

I'll try doing the fresh installer and seeing what versions ship with it. It's just kind of ridiculous these refreshed full installers would be running newer versions not upgraded into the existing running ones.

Community Expert, Oct 26, 2022

It is ridiculous, if it's so. Again, it may not be so with respect to this. We can complain mightily about "all the problems with CF" (though some are not as grave as others might make them out to be, but that's a whole other discussion).

 

I'm just trying to help with this one problem you have, for now. 🙂


/Charlie (troubleshooter, carehart.org)

Guest, Oct 26, 2022

I appreciate your insight.  Part of the reason I was posting this was to make it visible to try to get Adobe to resolve it.

Guest, Oct 27, 2022

I made a security bug for it to hopefully get actual traction.

Community Expert, Oct 28, 2022

I wish to share this Adobe ColdFusion Feature Request: https://tracker.adobe.com/#/view/CF-4215630.

Just in case there is a connection to the issue discussed here.

Community Expert, Oct 28, 2022

The OP might want to find out where the JAVA_HOME environment variable goes. It's not used by CF as far as I know, and there's nothing stopping you from having multiple versions of Java installed. Alternatively, you might run this with a fully-qualified path. I'm not sure that'll make a difference, but here it is anyway.

 

C:\ColdFusion2021\jre\bin\java --version

 

Dave Watts, Eidolon LLC
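Dave's question of which Java is actually in play can be answered from the configuration files rather than from the environment. The Python below is an added example for this thread, not code from the participants or from Adobe: it reads the `java.home=` line of `<cf_root>/cfusion/bin/jvm.config` (the JVM ColdFusion starts with) and the `JAVA_VERSION` line of each JVM's `release` file, then reports whether the JRE bundled under `<cf_root>/jre` is a separate, older build still sitting on disk, which is the situation Brentil describes. The file contents and paths are constructed for the example.

```python
"""Added example for this thread, not Adobe's code: report which JVM a
ColdFusion 2021 instance is configured to start with, and whether the JRE
bundled under <cf_root>/jre is an older build still present on disk.

Assumptions: <cf_root>/cfusion/bin/jvm.config carries a `java.home=` line,
and every JRE/JDK directory has a `release` file with JAVA_VERSION="...".
The sample contents and paths below are constructed.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed jvm.config: CF pointed at an external Oracle JDK, as the OP does.
SAMPLE_JVM_CONFIG = """\
#
# VM configuration
#
# Where to find JVM, if {java.home}/jre exists then that JVM is used
# if not then it must be the path to the JRE itself
java.home=C:/Java/jdk-11.0.17

# Arguments to VM
java.args=-server -Xms2048m -Xmx4096m -XX:MaxMetaspaceSize=512m
"""

# Constructed `release` files, keyed by JVM directory.
SAMPLE_RELEASE_FILES: Dict[str, str] = {
    "C:/ColdFusion2021/jre": 'JAVA_VERSION="11.0.1"\nOS_NAME="Windows"\n',
    "C:/Java/jdk-11.0.17": 'JAVA_VERSION="11.0.17"\nOS_NAME="Windows"\n',
}

_JAVA_HOME_RE = re.compile(r"^\s*java\.home\s*=\s*(?P<home>\S.*?)\s*$", re.MULTILINE)
_JAVA_VERSION_RE = re.compile(r'^JAVA_VERSION="(?P<ver>[^"]+)"', re.MULTILINE)


def _norm(path: str) -> str:
    """Forward slashes and no trailing slash, so lookups match however the path was typed."""
    return path.replace("\\", "/").rstrip("/")


def configured_java_home(jvm_config_text: str) -> Optional[str]:
    """The `java.home=` value ColdFusion starts with; '#' comment lines never match."""
    m = _JAVA_HOME_RE.search(jvm_config_text)
    return _norm(m.group("home")) if m else None


def release_java_version(release_text: str) -> Optional[str]:
    """JAVA_VERSION from a JVM's `release` file, e.g. 11.0.17 or 1.8.0_351."""
    m = _JAVA_VERSION_RE.search(release_text)
    return m.group("ver") if m else None


def java_version_key(version: str) -> Tuple[int, ...]:
    """Comparable key: '1.8.0_351' -> (8, 0, 351), '11.0.17' -> (11, 0, 17)."""
    parts = [int(p) for p in re.split(r"[._]", version)]
    if parts and parts[0] == 1:      # legacy 1.x naming used up to Java 8
        parts = parts[1:]
    return tuple(parts)


def _version_for(home: str, release_files: Dict[str, str]) -> Optional[str]:
    """Honour the jvm.config rule: if {java.home}/jre exists, that JVM is the one used."""
    for candidate in (home + "/jre", home):
        if candidate in release_files:
            return release_java_version(release_files[candidate])
    return None


def compare_jvms(jvm_config_text: str, release_files: Dict[str, str],
                 cf_root: str) -> Dict[str, object]:
    """Contrast the JVM CF runs with the JRE bundled in the install."""
    files = {_norm(k): v for k, v in release_files.items()}
    bundled_home = _norm(cf_root) + "/jre"
    configured = configured_java_home(jvm_config_text) or bundled_home
    configured_ver = _version_for(configured, files)
    bundled_ver = _version_for(bundled_home, files)
    older = bool(configured_ver and bundled_ver
                 and java_version_key(bundled_ver) < java_version_key(configured_ver))
    return {
        "configured_home": configured,
        "configured_version": configured_ver,
        "bundled_version": bundled_ver,
        "uses_bundled": configured == bundled_home,
        "bundled_is_older": older,
    }


if __name__ == "__main__":
    # Real run: read the files from disk instead of the samples, e.g.
    #   from pathlib import Path
    #   cfg = Path(r"C:\ColdFusion2021\cfusion\bin\jvm.config").read_text()
    #   homes = (r"C:\ColdFusion2021\jre", r"C:\Java\jdk-11.0.17")      # assumed paths
    #   releases = {h: (Path(h) / "release").read_text() for h in homes}
    r = compare_jvms(SAMPLE_JVM_CONFIG, SAMPLE_RELEASE_FILES, "C:/ColdFusion2021")
    print(f"CF runs {r['configured_home']} (Java {r['configured_version']})")
    if not r["uses_bundled"]:
        note = " (older than the JVM in use)" if r["bundled_is_older"] else ""
        print(f"bundled JRE still on disk: Java {r['bundled_version']}{note}")
```

Reading `jvm.config` rather than `JAVA_HOME` matters because, as both Dave and Brentil note, CF does not consult that variable; the `release` file is read instead of running `java --version` so the check works for an installation you are inspecting offline or from an image. The version key handles the old `1.8.0_xxx` scheme alongside `11.0.x`, so the same comparison works for CF2016/2018 installs that still carry a Java 8 JRE.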
Guest, Oct 28, 2022

We do not have JAVA_HOME defined because we do have multiple versions of Java installed for different applications. We do install the Oracle JDK and then point CF/Jetty to them from their own configs.

 

The bundled Java for us with CF is 11.0.1.0 since that is what was bundled with the original gold images we used to setup these systems.

Guest, Oct 28, 2022

I had made a bug and there was traffic on it overnight for state changes but now it has vanished from the system.  Hopefully they just made it private since it's security related?
