Jar Files Vulnerabilities

Report · Oct 29, 2022

I have a war file that was created using CF2018 with all patches applied. This war file was then submitted to a company named Veracode for a static security scan. The results stated that there were over numerous jar files with what they rated as Very High to Medium vulnerablities. They included jar files such as jackson-databind-2.8.8.jar, tika-core-1.21.jar, bcprov-jdk15on-153.jar, jetty-io-9.4.12.v20180830.jar and xercesImpl.jar. I also tried this on a patched CF2021 instance with similar results. I obviously cannot just go into the cfusion/lib and replace these jar files with updated versions. Does ColdFusion really have that many vulnerablities? Any suggestions on how to deal with this would be greatly appreciated.

Report · Oct 29, 2022

It certainly has that many old jars, and as you say there's essentially nothing we can do but wait for Adobe to address them. They tend to drag their feet unless there's some urgency, so what you CAN do now is file a bug report about this, with those details, as they may not respond here. (Sometimes they do.)

If you DO file such a report (at tracker.adobe.com), please then share the ticket/url here, so others sharing the concern can add votes and be notified as Adobe or anyone responds there.

This is of course a larger problem than just this current situation. There really needs to be greater care and attention to ensure that such old libraries aren't allowed to linger for years, as has happened. Yes, it's a challenge, since cf includes SO many libraries and some DO intertwine. But with more and more attention being paid by orgs to ensure that apps deploed in their environments are updated and secure, it's long since time for Adobe to step up on this, or explain why they do not.

/Charlie (troubleshooter, carehart.org)

Report · Oct 31, 2022

I have a slightly different take on this than @Charlie Arehart although he is not wrong about the outcome. The problem with CF 2021 is the problem with any modern, mature enterprise software. It includes lots of things! Things that presumably people asked for at some time. Those things cause code dependencies. I think it's unrealistic to expect that a product is always going to use the very latest versions of each possible library, when all of those libraries have to be tested with someone's old production CF app.

Dave Watts, Eidolon LLC

Report · Oct 31, 2022

Fair enough, @Dave Watts. And for the record, as you may recall I struck essentially the same conciliatory tone in my reply on another thread last week on other outdated Java libraries, where I said:

But yeah, there's a LOT that's sad about the state of old libraries within CF, as I started out with in my longer comment.

To be clear, it's not as simple as "they should just offer the latest version" of everything they embed. They need to do substantial testing, and then deal with compat issues--which may become multiplied when one lib may somehow relate to another. The factorial permutations probably leave them feeling stuck.

But you're not wrong to complain. And at least with any one lib (like this jetty matter), sometimes it's just a matter of getting them to pay attention to it. Sad that it may take that approach, but CF is indeed a large monster. The new modular design of CF2021 (with the freedom to include packages/modules or not) only goes so far in addressing this issue.

But I also stand by what I'd said in my other reply here, above. Both sentiments can be held at once, or depending on what someone else may have said. Just as they have a balancing act in managing cf, we have one in managing our replies here. 🙂

/Charlie (troubleshooter, carehart.org)

Report · Oct 31, 2022

Dave thanks for your reply. My concern is not with the age of the jar file or it not being the latest version but with the fact that a scan has identified them as having a security vulnerability. For example the scan results given show very high and high vulnerablilities for jackson-databind-2.8.8.jar which is causing us to fail the scan.

Report · Nov 03, 2022

Yeah, I understand that concern. But, can anyone actually execute that security vulnerability? If your security scanner just looks at the names of the files on your filesystem and sees "jackson-databind-2.8.8.jar", you'll fail the scan, but it's not clear that CF would allow unsafe code to be sent to it in the first place. So, my recommendation is that in the short term, you try to execute a test case against it - which might be fairly hard - and tell your security people that it's a false positive if your test case doesn't trigger the vulnerability.

I realize this approach is less than optimal, to say the least. But it might be the best you can do, and it might delay the resolution for the failed scan.

Dave Watts, Eidolon LLC

Report · Oct 31, 2022

Charlie - thanks for your response.

Report · Mar 20, 2024

Nearly two years later... and this still seems to be a problem. I am struggling with the exact same issue as usmc-ret. As part of a very large financial company, we must pass Veracode scans before applications can be released. No exceptions. We are running CF2021 with the latest updates and still failing Veracode scans because there are over 21 third-party jars in CF that contain vulnerabilities. Sure, we could plead our case to our Security Operations team that these are false positives because of the way CF uses the jars... but that would never fly unless we could absolutely prove that for each one. Has anyone found a viable work around for this? Can any of these jars removed without breaking CF? Usmc-ret, how did you end up handling your situation back in 2022?

Report · Mar 20, 2024

I just followed Charlie's advice from 2022 and posted a bug report to Adobe for this. Bug Id: CF-4221204

Report · Mar 20, 2024

You ask, "Can any of these jars removed without breaking CF?", but you don't name what jars are at issue. And since he was referring to cf2018 (in Oct 2022), and you're referring to cf2021 (latest update), your lists would likely differ.

There are plenty of jars that Cf may use where just removing them would cause something to fail (not necessarily immediately).

And make 100% sure you're not "counting" jars found in the cfusion/hf-updates/[your updates]/backup folder as those are NOT used by cf: they WERE before that update. Can you remove them? Only as long as you ever would uninstall that update.

/Charlie (troubleshooter, carehart.org)

Report · Mar 20, 2024

I will check for the backup folder issue. Here are the exact jars that Veracode flagged:

bcprov-jdk15on-153.jar

commons-compress-1.19.jar
tika-core-1.21.jar
guava-15.0.jar
nekohtml-1.9.22.jar
batik-ext.jar
gson-2.8.6.jar
sanselan-0.97.jar
json-20090211.jar
tika-parsers-1.21.jar
antisamy-1.5.13.jar
commons-httpclient-3.1.jar
commons-net-3.6.jar
commons-codec.jar
protobuf-java-2.4.1.jar
xercesImpl.jar
apache-mime4j-core-0.8.2.jar
jersey-media-jaxb-2.23.1.jar

saaj.jar
spring-security-crypto-5.4.0.jar
jaxrpc.jar

Adobe Community

Jar Files Vulnerabilities