Our team has some security compliance policies with some scans for our new ColdFusion server. The scan is reporting this:
The version of Adobe ColdFusion installed on the remote Windows host is prior to 2018.x Update 16 or 2021.x Update 6.
It is, therefore, affected by multiple vulnerabilities as referenced in the APSB23-25 advisory.
Update directory : E:\cfusion\lib\updates
Missing cumulative hotfix : chf2021000006.jar
Also note that to be fully protected the Java JDK must be patched along with applying the vendor patch.
We are currently running update 16, and I see the following in the admin portal under System Information:
Server Details
Server Product ColdFusion (2021 Release)
Version 2021.0.16.330307
Tomcat Version 9.0.93.0
Edition Standard
Operating System Windows Server 2022
OS Version 10.0
Update Level E:/cfusion/lib/updates/chf20210016.jar
Adobe Driver Version 5.1.4 (Build 0001)
JVM Details
Java Version 11.0.24
Java Vendor Oracle Corporation
Java Vendor URL https://openjdk.java.net/
In the directory E:/cfusion/lib/updates/, I have all of the corresponding chf20210016.jar for each update. Does anyone know how I can get the scan to come back clean for our compliance?
The hotfixes are cumulative, so if you have update 16 chf20210016.jar it would include update 6 as well. Scanners like HackMyCF understand this, what security scanner is telling you this?
We are using Tenable.
I agree with Pete. ColdFusion's updates are cumulative. So it is surprising that the security scanner fails to work out that Update 16 includes Update 6.
Anyway, what happens when you do the following:
-Dcoldfusion.cfclient.enable=false
The flag was introduced in Update 6. It is set to false, assuming that you don't use cfclient (which you no longer should).
You should also take a look at the APSB23-25 security bulletin to check whether there is something else you could add to appease the scanner.
After you make these changes, does the security scanner still complain?
Yes, the scan is still complaining. I think I will follow the advice of contacting Tenable directly about it.
Mark, I think I see your problem as being something different than Pete or BKBK suggested (though there may well be value for you in what they offer, of course).
1) You said, "In the directory E:/cfusion/lib/updates/, I have all of the corresonding chf20210016.jar for each update."
Er, if you really mean what you're saying (you have ALL the chf jar files for EACH update in that folder), that's a problem (and indeed could be THE problem with your failing scans).
2) To be clear, the CF update mechanism would never put multiple chf*.jar files there. It would only ever leave in there the chf*.jar file of whatever update you last applied. (Besides a tool like Tenable, CF itself could be confused terribly by there being multiple chf*.jar files, given how Java classloading works.)
3) So did you do that yourself? Perhaps you're working offline and felt you needed to "do things manually". (Even then, the technotes for each update discuss manual offline updates, and they do NOT suggest doing what you did.)
Or perhaps you read about doing it somewhere (in which case, please let us know so that we can suggest to the author that they elaborate on their motivation for this suggestion).
4) And I suspect your Tenable scanning may be simply looking AT that lib/updates folder, and if it somehow "finds first" one that is BELOW the version that it expects for whatever sec vuln it's assessing, that would be why it would complain (with what I'm sure seems a confusing message...but I don't think they ever fathomed that people would have more than one chf*.jar in that lib/updates folder, so don't intelligently identify and recommend how to solve that problem.)
Indeed, I'll say I'd never heard of anyone doing it before. So if this is indeed what you did, it's a good thing to get out in the open here, in case someone else may trip over it.
5) Finally in removing the extra chf*.jar files, note that if you find any hf*.jar files in that lib/updates folder, consider carefully whether you should "just remove" those also. They may be "needed" for you.
Such an hf*.jar file is a "patch" file (or "hotfix", whereas the chf*.jar files are "cumulative hotfix" files--which is what CF updates put in place). These hf/hotfix/patch files are sometimes offered by Adobe as something that changes CF behavior that is NOT offered in an "update". Such is the case for the recent patch to log implicit scope searches.
Anyway, don't remove such hf*.jar files you find there unless you know you do NOT need them.
Let us know please if all this solves things for you. (And while the scan may be happy if you merely REMOVE all but the jar of the update you last applied, 16 per your original note, you should RESTART CF after removing those other chf*.jar files, in case CF was being confused by them in a way not yet obvious to you/your users.)
After running the update to version 16, only chf20210016.jar is present. I tried grabbing the previous files just to see if it would make the scanner happy. I removed them after it had no effect. This solution was suggested by a member of the security team, so I figured I would give it a shot. What is interesting is that the scan has flagged that our server is missing every update, including the version 16 that is running. This is the case with just the chf20210016.jar after the update, and with the other .jar files added. We thought it was just checking that folder for each of the .jar files corresponding to each update, which led to that choice.
After the update to 16, all of the hf*.jar files are currently in the cfusion\hfupdates folder and we haven't done anything with them. We did do the update manually, as per another thread I posted here, because updating through the admin portal always fails due to an access problem from our security setup. I am going to try to bring it up to Tenable's support team, as it seems to be a false positive on their end.
I must say that it still sounds like you have something amiss. There may be other things you've done in your scramble to, "get things to work", when you struggled with the update in the cf admin.
I'll say this: if your work with Tenable does not bring resolution, I'm confident I could get things resolved for you, via a screenshare session. If I do not, you'd not have to pay me. And we may not even need more than an hour. We may even be done in as little as 15 mins, depending on what we find. And if so, that's indeed all you'd pay for. More at carehart.org/consulting.
I appreciate some may feel "you shouldn't have to pay to solve this problem". Look at it another way: you'd be paying for clarification on how to ensure you're able to implement updates going forward, not just "fixing this one problem". Plus you'd be resolving potential security vulnerabilities addressed by correct application of these updates, of course. That would seem valuable, making the small cost for assistance to pale in comparison. But your call, of course.
I appreciate the help you have given here. All of our servers have backups before we make any changes. I have reverted all the changes I made when having issues with updating from cf admin before manually applying the update. I also have a separate vm I made this morning that is a fresh install of 2021 and updated to 16 from the cf admin. I made no other changes to the server and scanned that system. It is still saying that the installation is missing all updates. Based on the file names the scan is looking for, I believe this is a Tenable issue.
I certainly hope that proves to be the case, for you and all concerned (that it's entirely some Tenable issue). If they deny it and you want to dig further, I'm still game (same deal: if I don't help, you won't pay for the time with me). I realize it may seem there's nothing I can do--and I don't have anything right now to suggest, but it wouldn't be the first time I was presented a seemingly "impossible mission". Ethan Hunt isn't the only member of the IMF, after all. 🙂
I tried grabbing the previous files just to see if it would make the scanner happy. I removed them after it had no effect. This solution was suggested by a member of the security team, so I figured I would give it a shot.
This is a terrible suggestion. How would a member of the security team know what CF is going to do with additional files that were outdated by the new file?
Anyway, you should ask for a waiver from the security team, since you can prove that you're right and Tenable is wrong. You have a Tenable support ticket now, and hopefully they'll resolve that bug before your next scan.
I have yet another suggestion for you. Take this issue up with Tenable's Support team. You may also want to ask a question in the Tenable Community.
Let them know that you are on Update 16 of ColdFusion 2021, the most recent, which includes Update 6. Yet Tenable complains of a "Missing cumulative hotfix : chf2021000006.jar". Tenable should also verify whether there ever was a file called "chf2021000006.jar".
The same thing has happened at all our CF2021 sites. We have a ticket open with Tenable and are waiting on their answer about the filename being looked for by the scanner.
Tenable Support has replied: "I do see that the hotfix listed looks to have extra 0's, so it would appear that the plugin is looking for 'chf2021000016.jar' when it should instead be looking for 'chf20210016.jar'. I noticed this is the case with the other ColdFusion plugins in the scan db as well. That said, this issue has been escalated to our Engineering Team for further investigation. I'll update the case as soon as there is more information to provide."
Hi @dwaynek27338072 , thanks for sharing the update from Tenable Support. It is a relief to know that they are investigating how Tenable's plugin looks for the Jar-file-name.
Good news, Tenable has updated their plugin. A scan was completed yesterday and confirmed 0 coldfusion vulnerabilities.
I'm glad to hear that - and not all that surprised.
I'll add one more vote for the recommendations and comments from @BKBK @Charlie Arehart and @dwaynek27338072 that this is probably an issue for Tenable Support.
Tenable is now commercial closed source, but I have a hunch that the host-based ColdFusion-related checks haven't changed much since the open source Nessus days, if at all. After looking at some old Nessus code, it appears that this may be an issue with expected extra zeros used as padding for the ColdFusion version numbers and patch numbers. This also appears to be likely since the real CHF is chf20210016.jar and the "missing file" is chf2021000006.jar.
Some relevant Nessus code related to expected filenames is also preceded by the following comment 🙂 :
# this is all undocumented and, at best, an educated guess
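The two checks the thread keeps coming back to are the jar naming (a real cumulative hotfix is chf20210016.jar, while the scanner was reportedly looking for a zero-padded name that ColdFusion never produces) and Charlie's point that lib/updates should only ever hold the one chf*.jar of the last applied update. The following is an added example, not code from any poster, from Adobe or from Tenable: a small host-side check that parses chf<release><update>.jar names, treats updates as cumulative, and flags extra chf jars and any hf*.jar patches it finds. The naming pattern (four-digit release followed by a four-digit zero-padded update number) is an assumption inferred from the file name shown in the thread, and the directory listings in the main block are constructed for illustration.

```python
import re
from pathlib import Path

# Assumption from the thread: cumulative hotfix jars are named chf<release><update>.jar
# with the update zero-padded to four digits, e.g. chf20210016.jar = CF 2021 Update 16.
CHF_RE = re.compile(r"^chf(?P<release>\d{4})(?P<update>\d{4})\.jar$", re.IGNORECASE)
# Standalone hotfixes (hf*.jar) are separate patches, not cumulative updates.
HF_RE = re.compile(r"^hf\d+\.jar$", re.IGNORECASE)


def parse_chf(name):
    """Return (release, update) for a cumulative hotfix jar name, or None when the
    name does not follow the chf<release><update>.jar pattern (a padded name such
    as chf2021000006.jar therefore yields None)."""
    m = CHF_RE.match(name)
    if not m:
        return None
    return int(m.group("release")), int(m.group("update"))


def expected_chf_name(release, update):
    """Build the jar name ColdFusion would use for a given release and update."""
    return f"chf{release}{update:04d}.jar"


def assess(filenames, release, required_update):
    """Evaluate a lib/updates listing against a minimum required update.

    Hotfixes are cumulative, so one chf jar at or above the required update
    satisfies the requirement. More than one chf jar is reported as a problem,
    since the updater only leaves behind the jar of the last applied update."""
    chfs = {}
    for name in filenames:
        parsed = parse_chf(name)
        if parsed and parsed[0] == release:
            chfs[name] = parsed[1]
    hf_jars = sorted(n for n in filenames if HF_RE.match(n))
    problems = []
    installed = None
    if not chfs:
        status = "missing"
        problems.append(f"no chf{release}*.jar found; expected at least "
                        f"{expected_chf_name(release, required_update)}")
    else:
        installed = max(chfs.values())
        if len(chfs) > 1:
            problems.append("multiple cumulative hotfix jars present: "
                            + ", ".join(sorted(chfs)))
        if installed < required_update:
            status = "outdated"
            problems.append(f"installed Update {installed} is below "
                            f"required Update {required_update}")
        else:
            status = "ok"
    return {"status": status, "installed_update": installed,
            "chf_jars": sorted(chfs), "hf_jars": hf_jars, "problems": problems}


def check_directory(path, release, required_update):
    """Run assess() against a real lib/updates directory on this host."""
    names = [p.name for p in Path(path).iterdir() if p.is_file()]
    return assess(names, release, required_update)


if __name__ == "__main__":
    # Constructed listings for illustration; not taken from any real server.
    for listing in (["chf20210016.jar"],
                    ["chf20210006.jar", "chf20210016.jar"],
                    ["chf20210005.jar", "hf202100001.jar"],
                    []):
        print(listing, "->", assess(listing, 2021, 6))
    # The padded name the plugin was reported to look for does not parse at all.
    print("chf2021000006.jar parses as:", parse_chf("chf2021000006.jar"))
```

Point `check_directory()` at the lib/updates folder shown in the admin portal (for the poster, E:/cfusion/lib/updates) with the release and the update number the advisory requires; a clean result is a single chf jar at or above that update and an empty problems list. The hf_jars field is informational only, in line with the advice above not to remove hf*.jar patches unless you know they are not needed.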
... and the "missing file" is chf2021000006.jar.
By @Brian__
As I said earlier, I suspect that there never even was a file called "chf2021000006.jar". ColdFusion would have named a hot-fix as "chf20210006.jar", but unlikely as "chf2021000006.jar". So, that is a clue pointing to a Tenable error right there.
You should get the folks at Tenable to look into this. In any case, it would be a good idea to post the issue for discussion in the Tenable Community. I would have done so myself. But I am unable to log in, as I am not a Tenable client.
Update:
Tenable support said they were aware of this issue and working on it when I contacted them yesterday. I think this was due to the existing ticket from @dwaynek27338072. Our scans were run again this morning and everything came out clean! Can you try your scans again @dwaynek27338072 and see if they are working now?
Thanks for the update, @Mark33214390u893 . Great news!
... I think this was due to the existing ticket from @dwaynek27338072. Our scans were run again this morning and everything came out clean! Can you try your scans again @dwaynek27338072 and see if they are working now?
By @Mark33214390u893
Do you now have a clean scan, @dwaynek27338072 ?
Apparently our plugins haven't updated, IT says the findings are still there.