We're experiencing a strange ColdFusion 8 Application Server service restart nearly 1 time per hour for the past week. The only thing we can find in the CF logs that looks like it may be the cause is a constant logging of this error in coldfusion-out.log:
Content disposition corrupt: Content-Disposition: form-data; name=model
In the Windows Server Application log, we see the following three items when the service restart happens.
Faulting application name: jrun.exe, version: 184.108.40.206137, time stamp: 0x47d93af8
Faulting module name: ntdll.dll, version: 10.0.17763.2028, time stamp: 0xbf07433a
Exception code: 0xc0000005
Fault offset: 0x000a2af9
Faulting process id: 0x2284
Faulting application start time: 0x01d77e25459648a7
Faulting application path: C:\ColdFusion8\runtime\bin\jrun.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 9aa3cc7c-c480-40f7-b7b6-7a9383589c96
Faulting package full name:
Faulting package-relative application ID:
The ColdFusion 8 Application Server service for the "coldfusion" server is restarting.
The ColdFusion 8 Application Server service for the "coldfusion" server was started. PID is 3324.
The specs of the application server are as follows:
Hyper-V virtual machine
ColdFusion 8 Standard Edition - 32-bit
Windows Server 2019 x64
IIS 10 using the jrun_iis7.dll to support CF8 on newer editions of IIS / Windows Server
Java Runtime 6 Release 43
We attempted to get Fusion Reactor and SeeFusion running on this server, but the fact that CF8 is 32-bit and the JRE is version 6 has made it difficult or impossible to install either service. We're currently awaiting a response from the SeeFusion team on the location of the version 4 download (version 5 is not compatible with JRE 6).
Any insight would be appreciated! If you require any further information on the application server, please ask. This is very disruptive as it causes all active user sessions to be destroyed.
I'm going to start by telling you what you don't want to hear. CF 8 is very, very old. It's no longer secure. And it certainly wasn't intended to run on a modern version of Windows & IIS. The same is true for Java 6. The realistic lifespan for enterprise software is about 3-5 years at best. So, you should seriously consider upgrading.
That said, it looks like you're running into a file upload issue. That's where you're most likely to see those Content-Disposition messages. Look into your code and see where those are, and see if you can see what the client is trying to upload. This could actually be a denial of service attack of sorts, where clients are uploading files too large for CF and IIS to effectively handle. These uploads could be malicious or completely unintentional. You should be able to identify the IP addresses of the clients by looking directly in the IIS web logs. IIS also has a specific feature that should let you collect web "error logs" - I think this is called "request tracing".
Anyway, good luck!
Dave Watts, Eidolon LLC
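One way to run the IIS log check suggested above, as an added example that is not part of any post in this thread: it parses W3C extended log lines and lists the POST requests logged in the minutes before a crash, then ranks the (client IP, URI) pairs that recur. The sample log, the crash time and the function names are constructed; it assumes the `cs-bytes` field has been enabled in IIS logging and that crash times from the Windows Event Log have been converted to UTC, which is what IIS logs use by default.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status cs-bytes time-taken
2021-07-21 14:01:10 GET /index.cfm 203.0.113.7 200 412 31
2021-07-21 14:58:02 POST /forms/submit.cfm 198.51.100.23 200 1840 95
2021-07-21 14:59:41 POST /forms/submit.cfm 198.51.100.23 500 52428800 30211
2021-07-21 14:59:55 POST /forms/submit.cfm 192.0.2.44 200 2210 120
2021-07-21 15:30:00 POST /contact.cfm 203.0.113.7 200 900 40
"""

def parse_w3c(lines):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def posts_before_crash(lines, crash_utc, window_minutes=5):
    """Return POST requests logged in the window leading up to one crash."""
    start = crash_utc - timedelta(minutes=window_minutes)
    hits = []
    for row in parse_w3c(lines):
        if row.get("cs-method") != "POST" or "date" not in row or "time" not in row:
            continue
        when = datetime.strptime(row["date"] + " " + row["time"],
                                 "%Y-%m-%d %H:%M:%S")
        if start <= when <= crash_utc:
            size = row.get("cs-bytes", "-")  # "-" when the field is not logged
            hits.append((when, row.get("c-ip"), row.get("cs-uri-stem"),
                         int(size) if size.isdigit() else None))
    return hits

def rank_sources(crash_hits):
    """Count (client IP, URI) pairs over the hits from all crash windows."""
    return Counter((ip, uri) for _, ip, uri, _ in crash_hits).most_common()

if __name__ == "__main__":
    crash = datetime(2021, 7, 21, 15, 0, 0)  # constructed crash time, UTC
    hits = posts_before_crash(SAMPLE_LOG.splitlines(), crash)
    print(rank_sources(hits))
```

Concatenate the hits from every crash window before calling `rank_sources`; a pair that shows up before most restarts is the form to inspect first.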
Thanks, Dave. We did read up on what causes those Content Disposition errors. The only information that could be gleaned from that search is file uploads lacking a "name" attribute. That being said, we have potentially thousands of forms to investigate on this server and the CF/Windows logs do not indicate the source of the form itself. We'll look into the IIS logs and see if they provide any further information on the whereabouts of the form(s) being used.
I do agree that it looks like a DoS attack. It's not happening on an identically set up server, so it does look like a targeted attack.
As for the age of CF8/JRE 6, we're well aware of this shortcoming. We have the server locked down quite well, but are also actively setting up a replacement environment running on the latest version of Lucee.
I'll reply again once we've had a chance to investigate further.
Locating the offending form(s) is proving to be very difficult since all forms are generated dynamically at runtime by a custom form building routine.
We've scoured the various logs from IIS to no avail. Last item to look into would be the IIS request tracing. I've read that this can be quite daunting if you don't know what you're looking for.
UPDATE: We were able to get SeeFusion 4 and 5 to run on the server. The location of the .jar file was incorrect in our previous attempt. Currently monitoring the server, but unsure if this can do any more than monitor the server while it is up versus detect the problem causing the service restart.
Does anyone have experience with SeeFusion and monitoring for service restarts on Windows Server?
Does the ColdFusion instance have sufficient heap space and sufficient metaspace size?
What are the java.args settings in jvm.config? How much RAM is on the machine and how much total heap is allocated to all the CF instances?