As part of our insurance, we're required to pass tests from SecurityMetrics.com that evaluate the security of our website. We've passed the last several tests, but our most recent test failed yesterday. The only major change we've made in the intervening time has been to run the 9.0.1 updater.
Our system is Windows 2008 64-bit with the 9.0.1 Updater and cumulative hotfix applied.
The error we're receiving is this:
"JRun JSESSIONID weakness Severity Several vulnerabilities in JRun server could allow an intruder to view arbitrary files, execute arbitrary code, or list directories on the server."
As a solution it points me to Adobe security fixes from 3 years ago which talk mostly about MX7 and 8 and tell me to run the JRun Updater 7.
So my question to everyone is what should I do about this? Did Adobe update JRun in the updater and re-introduce some security holes it had previously fixed? Should I roll back to a previous version of JRun? And how would I do that?
The most likely case is that their test is full of crap. It looks like it's identifying that there's a JSESSIONID generated by JRun, and therefore you may have previous JRun vulnerabilities on your server. It doesn't look like it's actually testing for those vulnerabilities.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.
Not sure if this is related...
We upgraded to CF 9 and had a security scan which shows multiple issues of "JRun Detailed Error Message Information Leak".
We don't use .jsp, we have NO jsp files on our server.
Scan probes non-existent pages like: https://www.oursite.com/%3f.jsp and they report the vulnerability as: "Undefined CVE, JRun Detailed Error Message Information Leak".
Security company offers little advice to fix.
Any thoughts?
Thanks
What do you get if you run that URL?
I suspect from the description of the 'issue' that the service is complaining about the amount of information generated in the error page displayed to users who submit bad URLs like that.
There is probably some way to turn off, restrict, and/or modify what is displayed on error pages for such URLs. But I'm afraid I have never done anything like that with the JRun server. I would start with some internet searching.
If we run the URL we get back a 404 like:
404
/somefolder/?.jsp/
java.io.FileNotFoundException: /somefolder/?.jsp/
at jrun.servlet.file.FileServlet.service(FileServlet.java:356)
at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)
at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)
at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
Similar 404 message if we manually visit a non-existent .aspx page (we don't have any .aspx), but the security scan does not report any troubles with .aspx.
One idea we are thinking is to adjust IIS by removing doc types we don't need like .jsp, .asp, .aspx.
This place seems to have an answer but I was looking for a free good answer first:
http://www.experts-exchange.com/Software/Server_Software/Web_Servers/ColdFusion/Q_25858705.html
I suspect that your service is not liking seeing all that jrun... and jrunx... debugging information. Great information for developers but also, sometimes, great information for hackers and probably should not be on public, production sites. In this particular case, I'm not sure any actual, useful server data is getting out. But the security scanning tool is probably just configured to complain about ANY server type info being displayed.
I cannot give you any hints how, but I would be supremely surprised if there is not some way to configure the server to not spit out that information and just leave the error page at a simple 404 error message. Since this is the JRun server, the answer is probably in the JRun documentation rather than the ColdFusion documentation. But I am hopeful that it is out there somewhere for the right search terms.
You can customize the JRun 404 handler, so that it doesn't display the stack trace (which is what the security scan is probably objecting to).
First, create an HTML page, say, 404.htm, in the root of your web application context.
Add:
<error-page>
    <exception-type>java.io.FileNotFoundException</exception-type>
    <location>/404.htm</location>
</error-page>
to:
/JRun4/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/web.xml and restart services.
Alternatively, you could let IIS handle 404s by enabling the "Verify that file exists" option in your ISAPI configuration. But this will break some functionality in CF: CFIMAGE, CFFORM, RDS, etc.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
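Two checks that follow from the thread, as an added example (Python written for this page; not code from the thread, from Adobe, or from JRun). The first parses a web.xml and confirms the error-page mapping from Dave Watts' post is actually present before you restart services. The second looks at a captured HTTP response the way the scanner does, and separates "a JSESSIONID cookie identifies the server as JRun" (the fingerprint Dave describes in his first reply) from "the 404 body carries a Java stack trace" (the information leak the second scan complained about). The web.xml fragment, cookie value and HTTP responses are constructed for illustration; the stack trace is the one quoted earlier in the thread.

```python
# Added example (not from the thread, and not Adobe/JRun code): two defender-side
# checks for the findings discussed above. All paths, cookie values and HTTP
# responses in this file are constructed for illustration.
import re
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip any XML namespace prefix: '{ns}error-page' -> 'error-page'."""
    return tag.rsplit("}", 1)[-1]


def error_page_location(web_xml_text, exception_type="java.io.FileNotFoundException"):
    """Return the <location> that web.xml maps to exception_type, or None.

    Confirms the <error-page> mapping is present before services are
    restarted. Works for a namespaced or a plain <web-app> root.
    """
    root = ET.fromstring(web_xml_text)
    for el in root.iter():
        if _local(el.tag) != "error-page":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in el}
        if fields.get("exception-type") == exception_type:
            return fields.get("location")
    return None


# What a scanner keys on: a JRun session cookie (only a fingerprint) and
# Java stack-trace frames in a response body (an actual information leak).
SESSION_COOKIE = re.compile(r"^Set-Cookie:\s*JSESSIONID=", re.I | re.M)
STACK_FRAME = re.compile(r"^\s*at\s+[\w$.]+\([\w$]+\.java:\d+\)", re.M)
EXCEPTION_LINE = re.compile(r"\b[\w.]+(?:Exception|Error)\b")


def classify_response(raw_http):
    """Inspect one raw HTTP response and report scanner-style findings.

    Returns the status code, the findings in a fixed order, and the number of
    stack frames seen, so an operator can tell "server merely identified as
    JRun" apart from "server leaks a stack trace".
    """
    head, _, body = raw_http.partition("\r\n\r\n")
    status = int(head.split("\r\n", 1)[0].split()[1])
    findings = []
    if SESSION_COOKIE.search(head):
        findings.append("jrun-fingerprint")
    frames = STACK_FRAME.findall(body)
    if frames and EXCEPTION_LINE.search(body):
        findings.append("stack-trace-leak")
    return {"status": status, "findings": findings, "frame_count": len(frames)}


# --- constructed samples ---------------------------------------------------

# Minimal web.xml carrying the mapping from the post above (constructed).
SAMPLE_WEB_XML = """<web-app>
  <error-page>
    <exception-type>java.io.FileNotFoundException</exception-type>
    <location>/404.htm</location>
  </error-page>
</web-app>
"""

# Before the fix: default JRun 404 with the trace quoted in the thread.
LEAKY_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=constructedvalue; Path=/\r\n"
    "\r\n"
    "404\n"
    "/somefolder/?.jsp/\n"
    "java.io.FileNotFoundException: /somefolder/?.jsp/\n"
    "at jrun.servlet.file.FileServlet.service(FileServlet.java:356)\n"
    "at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)\n"
    "at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)\n"
    "at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)\n"
    "at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)\n"
    "at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)\n"
    "at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)\n"
    "at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)\n"
    "at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)\n"
    "at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)\n"
)

# After the fix: the static 404.htm is served in place of the trace.
FIXED_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>\n"
)

if __name__ == "__main__":
    print("error page mapped to:", error_page_location(SAMPLE_WEB_XML))
    print("before fix:", classify_response(LEAKY_404))
    print("after fix: ", classify_response(FIXED_404))
```

Run the file directly to see the before/after classification, or point `error_page_location` at the contents of `/JRun4/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/web.xml` after editing it. A response that only yields `jrun-fingerprint` is the situation Dave describes in his first reply: the scanner knows what you run, but has not shown anything exploitable.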