October 26, 2022

ColdFusion 2021 Update 5 installed Jetty CVEs

ColdFusion 2021 installed with the latest Update 5 has Jetty 9.4.31 installed inside of itself. I was working through another issue and was looking at the Jetty release notes when I started seeing multiple comments on resolved CVEs in the versions newer than the one in CF 2021. Most are Low and Moderate but two of them are classified as High.

  • CVE-2020-27223
  • CVE-2021-28163
  • CVE-2021-28164
  • CVE-2021-28165
  • CVE-2021-28169
  • CVE-2021-34428
  • CVE-2021-34429
  • CVE-2022-2047
  • CVE-2022-2048
Correct answer: Dave Watts

I appreciate your insight. Part of the reason I was posting this was to make it visible to try to get Adobe to resolve it.

https://tracker.adobe.com/#/home

... is your friend here. You can't guarantee that Adobe people will even see something you post here, and this isn't a formal reporting system. It's just a public help forum. Not that you'd have any reason to know any of that, so don't feel guilty about it.

Dave Watts, Eidolon LLC

Charlie Arehart
Community Expert
October 26, 2022

Adding to Dave's helpful suggestion, I do realize that sec folks may not care about port exposure but instead the mere "existence" on a server of vulnerable libraries.

So until Adobe (or anyone) may reply with more, I’ll offer some more thoughts (yep, it's a blog-length answer). Hope it may help you and others finding this in the future.

First I'll say that it’s not that surprising when some embedded library within CF has CVEs that reflect CF is using an old library. It may be months or years old, or it may be only weeks old. Either way, Adobe does not authorize us to update the libraries that underly CF.

(The only thing we’re authorized to update is the JVM that CF uses--and then only to the latest update of whatever Java version is supported by our CF version, which is Java 11 currently for CF2021, and so the latest is update 11.0.17 from last week.)

So what can you do? Well, I see 3 or 4 choices:

1) Of course you can hope Adobe will update the library in question. That typically is done only with a CF update, or sometimes only with a refreshed installer. More on that in a moment.

2) You might find you can just uninstall the aspect of CF that relies on that jetty installation, assuming your apps don’t use the features that rely on that, which would be what’s referred to as the ColdFusion “add on service”, and which supports the CF features related to Solr (cfsearch, cfindex, cfcollection) and what they refer to as “pdfG” (which is about PDF generation using the CFHTMLtoPDF tag added in CF11—it is NOT related to the older CFDOCUMENT tag also used to generate PDFs, nor is it related to CFPDF or any of the pdf functions).

To be clear, someone would have chosen during the CF install to enable that add-on service, and it can be uninstalled, separately from CF. (On Windows, it literally appears as an option in “add or remove programs”.)

I'm not saying that uninstalling that will remove the jetty folder (and libraries), but once it's gone, there should be no further need for that jetty folder. You could at least try stopping CF, renaming the jetty folder or moving it, and start CF, to see if it works. I've not tested that.

Again, maybe Adobe or others will chime in with more on that.


3) Someone might argue you could install your own newer Jetty server (not in the CF jetty folder but in some other one), and point CF to use that. That’s not as easy as it sounds. You’d then need to deploy the WAR files for those two services (for those who understand that) into that new Jetty—and it’s not even clear that Adobe would support running those war files into that newer Jetty version.

All this is indeed a pickle. There are just no good solutions.

4) Finally, I will add one last possibility to consider. Back to my point 1 above, note that Adobe DID offer a refreshed installer for CF2021 along with update 5 two weeks ago. They did not publicize it, so many don’t realize it. I have a blog post with news on that. https://www.carehart.org/blog/2022/10/17/cf2021_refreshed_installers_available_but_only_one_place_for_now.

To your issue here, you may ask, “so, are you saying that perhaps a fresh installation of CF with that refreshed installer might have different files/libraries underlying it than would an existing CF2021 that only had update 5 applied?” Yes, that is what I am saying. I mention that at the bottom of my blog post. No word from Adobe on that. Am I saying you should try replacing your current CF2021 install with that? Well, I realize it’s not trivial (you’d have to uninstall the “old” CF2021, then install the new one. And you’d have to be sure to preserve all your admin settings, etc.)

What I would say instead is that you can install that new CF2021 refreshed installer on any machine you may have (even just temporarily), or in a vm, or in the Windows Sandbox if you are using Windows Pro or above. Then you could look at those files to see what they show. Or maybe someone else here can confirm. (I had done my testing on Windows Sandbox, so the install was lost when I closed the sandbox/restarted the machine. That’s where it has a negative compared to real VMs. The positive is that the sandbox starts quickly and uses the license of your Windows machine.)

Hope that helps, you or someone in the future here.

/Charlie (troubleshooter, carehart.org)
October 26, 2022

I'll try doing the fresh installer and seeing what versions ship with it. It's just kind of ridiculous these refreshed full installers would be running newer versions not upgraded into the existing running ones.

Community Expert
October 28, 2022

I wish to share this Adobe ColdFusion Feature Request: https://tracker.adobe.com/#/view/CF-4215630.

Just in case there is a connection to the issue discussed here.


The OP might want to find out where the JAVA_HOME environment variable goes. It's not used by CF as far as I know, and there's nothing stopping you from having multiple versions of Java installed. Alternatively, you might run this with a fully-qualified path. I'm not sure that'll make a difference, but here it is anyway.

C:\ColdFusion2021\jre\bin\java --version

Dave Watts, Eidolon LLC

Dave Watts, Eidolon LLC
Community Expert
October 26, 2022

I don't really know the answer to this offhand. But my vague recollection is that Jetty doesn't have to be exposed to the outside world to work with ColdFusion. So I'd take a look at the ports used by Jetty to see if any of them are listening to requests using the machine's IP address instead of localhost or 127.0.0.1. If not, I'd just wait until a new patch drops.

Dave Watts, Eidolon LLC
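As an added example that is not part of this thread (it is neither Adobe's code nor anything Dave or Charlie posted), here is a PowerShell inventory script that performs the checks Dave describes in his two replies above: it reads the versions of the Jetty jars bundled with CF from their file names, prints the bundled JVM version with the same `java --version` call, and lists which listening TCP ports belong to processes running from the CF install, flagging any that are bound to something other than loopback. The install root `C:\ColdFusion2021` (taken from Dave's command) and the `cfusion\jetty\lib` location of the add-on service's Jetty are assumptions; adjust them to match your server.

```powershell
# Added example, not from the thread: inventory the Jetty jars, the bundled JVM
# and the listening ports of a ColdFusion 2021 install. Run from an elevated
# PowerShell prompt, since Get-Process only reports the executable path of
# service processes when elevated.
# Assumptions: CF is installed at C:\ColdFusion2021 and the add-on service's
# Jetty jars live under cfusion\jetty\lib. Change the two paths if yours differ.

$CfRoot   = 'C:\ColdFusion2021'
$JettyLib = Join-Path $CfRoot 'cfusion\jetty\lib'
$JavaExe  = Join-Path $CfRoot 'jre\bin\java.exe'

# 1) Versions of the bundled Jetty jars. Jetty 9.4 jar names follow
#    jetty-<module>-<major.minor.patch>.v<date>.jar (e.g. jetty-server-9.4.31.v20200723.jar),
#    so the version can be read from the file name without opening the jar.
$jettyVersions = Get-ChildItem -Path $JettyLib -Filter 'jetty-*.jar' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { if ($_.Name -match '^jetty-[a-z0-9-]+?-(\d+\.\d+\.\d+)') { $Matches[1] } } |
    Sort-Object -Unique
Write-Host "Jetty jar versions under ${JettyLib}: $($jettyVersions -join ', ')"

# 2) Version of the JVM shipped inside the CF install. CF may be configured to
#    run on a different, external JVM, so this is the bundled copy, not
#    necessarily the one in use. Check the CF Administrator's Java settings too.
if (Test-Path $JavaExe) {
    $javaVer = & $JavaExe --version 2>&1 | Select-Object -First 1
    Write-Host "Bundled JVM: $javaVer"
} else {
    Write-Host "No bundled JVM found at $JavaExe"
}

# 3) Listening TCP sockets owned by processes whose executable lives under $CfRoot
#    (coldfusion.exe and the add-on service's Jetty). A socket bound to loopback
#    only accepts connections from the same machine; one bound to 0.0.0.0, :: or a
#    real interface address is reachable over the network and deserves either a
#    host firewall rule or a change to the Jetty connector's host setting.
$cfPids = Get-Process |
    Where-Object { $_.Path -and $_.Path.StartsWith($CfRoot, [System.StringComparison]::OrdinalIgnoreCase) } |
    Select-Object -ExpandProperty Id

Get-NetTCPConnection -State Listen |
    Where-Object { $cfPids -contains $_.OwningProcess } |
    ForEach-Object {
        $name = (Get-Process -Id $_.OwningProcess).ProcessName
        $exposure = if ($_.LocalAddress -in @('127.0.0.1', '::1')) { 'loopback only' }
                    elseif ($_.LocalAddress -in @('0.0.0.0', '::')) { 'ALL INTERFACES' }
                    else { 'NON-LOOPBACK ADDRESS' }
        '{0,-14} pid {1,-6} {2}:{3,-6} {4}' -f $name, $_.OwningProcess, $_.LocalAddress, $_.LocalPort, $exposure
    }
```

Note that the port listing reports the bind address, which is what Dave asks about; it says nothing about whether the bundled jars are loaded at all, which is the separate concern Charlie raises about the mere presence of a vulnerable library on disk. Running the script before and after trying a refreshed installer in a VM or the Windows Sandbox gives a quick way to compare what each ships.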

Dave Watts, Eidolon LLC
October 26, 2022

It is locked down to just the 127.0.0.1 but it's still running vulnerable versions that are 2 years old. Adobe should be doing better with their SBOMs and updating the components they use way more often than that if there are known vulnerabilities. Especially if you look at the Java 11.0.1.0 that's also inside of CF 2021 Update 5. Yes we run a separate external Java version but this very vulnerable version of Java still sits on every CF server.

Charlie Arehart
Community Expert
October 26, 2022

Brentil, that 11.0.1 you refer to was the JVM implemented in the ORIGINAL CF 2021 installer from Nov 2020. That was indeed a mistake for them to include such an old one. That was fixed with the refreshed installers for CF2021 offered in Sept 2021 (which included also update 1, and changed that default JVM to 11.0.11, which was quite an improvement but already 5 months old by that time.) And of course they DO authorize us to update that JVM, which is easy enough to do (in most cases, though not all).

Since you wrote this comment to Dave, I added my other long comment below. And I mention there the "new" refreshed installers that Adobe offered with this update 5. Sadly, it also still includes only 11.0.11--which is now 17 months old. They should have at least included 11.0.16.1 which was current in the month before update 5 was released, while they were building those refreshed installers.

But yeah, there's a LOT that's sad about the state of old libraries within CF, as I started out with in my longer comment.

To be clear, it's not as simple as "they should just offer the latest version" of everything they embed. They need to do substantial testing, and then deal with compat issues--which may become multiplied when one lib may somehow relate to another. The factorial permutations probably leave them feeling stuck.

But you're not wrong to complain. And at least with any one lib (like this jetty matter), sometimes it's just a matter of getting them to pay attention to it. Sad that it may take that approach, but CF is indeed a large monster. The new modular design of CF2021 (with the freedom to include packages/modules or not) only goes so far in addressing this issue.

/Charlie (troubleshooter, carehart.org)