October 14, 2010

JRun weaknesses in the 9.0.1 Updater?


As part of our insurance, we're required to pass tests from SecurityMetrics.com that evaluate the security of our website.  We've passed the last several tests, but our most recent test failed yesterday.  The only major change we've made in the intervening time has been to run the 9.0.1 updater.

Our system is Windows 2008 64-bit with the 9.0.1 Updater and cumulative hotfix applied.

The error we're receiving is this:

"JRun JSESSIONID weakness Severity    Several vulnerabilities in JRun server could allow an intruder to view arbitrary files, execute arbitrary code, or list directories on the server."

As a solution it points me to Adobe security fixes from 3 years ago which talk mostly about MX7 and 8 and tell me to run the JRun Updater 7.

So my question to everyone is what should I do about this?  Did Adobe update JRun in the updater and re-introduce some security holes it had previously fixed?  Should I roll back to a previous version of JRun?  And how would I do that?

    Correct answer Dave Watts

    The most likely case is that their test is full of crap. It looks like it's identifying that there's a JSESSIONID generated by JRun, and therefore you may have previous JRun vulnerabilities on your server. It doesn't look like it's actually testing for those vulnerabilities.

    Dave Watts, CTO, Fig Leaf Software

    http://www.figleaf.com/

    http://training.figleaf.com/

    Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.


    Participant
    January 4, 2011

    Not sure if this is related...

    We upgraded to CF 9 and had a security scan which shows multiple issues of "JRun Detailed Error Message Information Leak".
    We don't use .jsp, we have NO jsp files on our server.

    The scan probes non-existent pages like https://www.oursite.com/%3f.jsp and reports the vulnerability as: "Undefined CVE, JRun Detailed Error Message Information Leak".

    Security company offers little advice to fix.

    Any thoughts?

    Thanks

    ilssac
    January 4, 2011

    What do you get if you run that URL?

    I suspect from the description of the 'issue' that the service is complaining about the amount of information generated in the error page displayed to users who submit bad URLs like that.

    There is probably some way to turn off, restrict, and/or modify what is displayed on error pages for such URLs.  But I'm afraid I have never done anything like that with the JRun server.  I would start with some internet searching.

    Participant
    January 4, 2011

    If we run the URL we get back a 404 like:

    404

    /somefolder/?.jsp/

    java.io.FileNotFoundException: /somefolder/?.jsp/
    at jrun.servlet.file.FileServlet.service(FileServlet.java:356)
    at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
    at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
    at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
    at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
    at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
    at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)
    at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
    at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)
    at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)


    We get a similar 404 message if we manually visit a non-existent .aspx page (we don't have any .aspx), but the security scan does not report any trouble with .aspx.

    One idea we are thinking is to adjust IIS by removing doc types we don't need like .jsp, .asp, .aspx.

    This place seems to have an answer but I was looking for a free good answer first:
    http://www.experts-exchange.com/Software/Server_Software/Web_Servers/ColdFusion/Q_25858705.html
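    The two findings in this thread are not the same kind of thing, and the difference is worth checking offline before arguing with a scanner vendor. Dave Watts' point about the "JSESSIONID weakness" is that the scanner only has a fingerprint (a Set-Cookie header with a JRun-style JSESSIONID) and exercised no vulnerability. The "Detailed Error Message Information Leak" reported in this second post is different: the 404 body really does echo a java.io.FileNotFoundException and ten jrun./jrunx. stack frames with class names, source file names and line numbers, which is a genuine information leak regardless of whether any .jsp files exist (the %3f in the probe URL is a URL-encoded "?", so the path is handed to jrun.servlet.file.FileServlet as a literal file name instead of being parsed as a query string). The following script is an added example, not code from either poster or from Adobe: it parses raw HTTP responses and classifies each one as fingerprint-only or a confirmed leak. Both responses below are constructed; the session cookie value is made up, and the 404 body is the trace quoted above.

```python
"""Offline triage of the two JRun scanner findings discussed in this thread.

Added example, not from the original posts. It shows what a scanner can
actually learn from (1) a Set-Cookie header carrying a JRun JSESSIONID
(a fingerprint, not a vulnerability check) and (2) a 404 body that echoes
a JRun stack trace (a real information leak). Both HTTP responses are
constructed; the stack trace text is copied from the thread.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)   # lower-cased name -> list of values
    body: str = ""


def parse_raw_response(raw):
    """Split a raw HTTP/1.x response into status, repeated-capable headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return Response(status, headers, body)


# A JRun session cookie. Its mere presence is all the "JSESSIONID weakness"
# finding has to go on; it proves the server is JRun, not that it is vulnerable.
JSESSIONID_RE = re.compile(r"\bJSESSIONID=([^;]+)", re.I)

# One Java stack frame from a JRun class, e.g.
#   at jrun.servlet.file.FileServlet.service(FileServlet.java:356)
TRACE_LINE_RE = re.compile(r"^\s*at\s+(jrunx?\.[\w.$]+)\(([\w.]+):(\d+)\)\s*$", re.M)

# A fully-qualified Java exception or error class name.
EXC_RE = re.compile(r"\b(java(?:x)?\.[\w.]*(?:Exception|Error))\b")


def jrun_session_fingerprint(resp):
    """Return the JSESSIONID value if the response sets one, else None."""
    for cookie in resp.headers.get("set-cookie", []):
        m = JSESSIONID_RE.search(cookie)
        if m:
            return m.group(1)
    return None


def detailed_error_leak(resp):
    """Describe what an error page leaks, or return None if it leaks nothing.

    Only 4xx/5xx responses are examined; a leak is either a Java exception
    class name or at least one JRun stack frame in the body.
    """
    if resp.status < 400:
        return None
    frames = TRACE_LINE_RE.findall(resp.body)
    exc = EXC_RE.search(resp.body)
    if not frames and not exc:
        return None
    return {
        "exception": exc.group(1) if exc else None,
        "frames": len(frames),
        # class names (method stripped) and source files, the two details an
        # attacker uses to pick a version-specific exploit
        "classes": sorted({method.rsplit(".", 1)[0] for method, _, _ in frames}),
        "source_files": sorted({src for _, src, _ in frames}),
    }


def triage(responses):
    """Map {name: raw_response} to (name, verdict, detail) tuples."""
    findings = []
    for name, raw in responses.items():
        resp = parse_raw_response(raw)
        leak = detailed_error_leak(resp)
        sid = jrun_session_fingerprint(resp)
        if leak:
            findings.append((name, "confirmed-leak",
                             f"error page leaks {leak['exception']} and {leak['frames']} JRun frames"))
        elif sid:
            findings.append((name, "fingerprint-only",
                             "JRun JSESSIONID set; no vulnerability exercised"))
        else:
            findings.append((name, "clean", ""))
    return findings


# Constructed 200 response; the cookie value is made up for the example.
HOME_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/7.0\r\n"
    "Set-Cookie: JSESSIONID=8030a4e1f2c3d4e5f6a7b8c9d0e1f2a3; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>"
)

# Constructed 404 response whose body is the trace quoted in the thread.
NOT_FOUND_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Microsoft-IIS/7.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "404\n\n/somefolder/?.jsp/\n\n"
    "java.io.FileNotFoundException: /somefolder/?.jsp/\n"
    "at jrun.servlet.file.FileServlet.service(FileServlet.java:356)\n"
    "at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)\n"
    "at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)\n"
    "at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)\n"
    "at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)\n"
    "at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)\n"
    "at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)\n"
    "at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)\n"
    "at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)\n"
    "at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)\n"
)

if __name__ == "__main__":
    for name, verdict, detail in triage({"GET /": HOME_RESPONSE,
                                         "GET /%3f.jsp": NOT_FOUND_RESPONSE}):
        print(f"{name:14} {verdict:17} {detail}")
```

    Run against captures of your own server (a `curl -i` of the home page and of a probe such as /%3f.jsp), the fingerprint-only verdict is the one to push back on with the vendor; the confirmed-leak verdict is the one to fix, and the check passes once the 404 body for the probe no longer contains an exception name or any `at jrun.` frame.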
