Highlighted

Anyone familiar with Jetty DoS vulnerability as it relates to CF?

New Here ,
Jun 30, 2014

Copy link to clipboard

Copied

I am trying to get approval to run CF11 in production environment, and scans keep flagging a Jetty vulnerability -- CVE-2011-4461 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4461). It says the solution is to "upgrade Jetty to version 8.1.0.RC2 or newer."


Can I just upgrade Jetty and keep everything together ColdFusion? It doesn't seem like that would work or, I assume, Adobe would distribute a newer version of Jetty to begin with.


I am not using remote start/stop but am using Solr ... so, I don't think disabling Jetty altogether is an option.


Has anyone else run into this? Would you be willing to share your insight? Thank you.


Matt

Views

494

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

Anyone familiar with Jetty DoS vulnerability as it relates to CF?

New Here ,
Jun 30, 2014

Copy link to clipboard

Copied

I am trying to get approval to run CF11 in production environment, and scans keep flagging a Jetty vulnerability -- CVE-2011-4461 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4461). It says the solution is to "upgrade Jetty to version 8.1.0.RC2 or newer."


Can I just upgrade Jetty and keep everything together ColdFusion? It doesn't seem like that would work or, I assume, Adobe would distribute a newer version of Jetty to begin with.


I am not using remote start/stop but am using Solr ... so, I don't think disabling Jetty altogether is an option.


Has anyone else run into this? Would you be willing to share your insight? Thank you.


Matt

Views

495

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Jun 30, 2014 0
Adobe Employee ,
Jun 30, 2014

Copy link to clipboard

Copied

Hi Matt,

Can you please drop an email to Adobe security team at "psirt@adobe.com"  and cc "cf.install@adobe.com". We will look in, as of now there is no vulnerability in ColdFusion 11 but we can still look into this.

Thanks,

Priyank

Thanks,
Priyank Shrivastava

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jun 30, 2014 0
Community Beginner ,
Sep 26, 2014

Copy link to clipboard

Copied

Trustwave Vulerability scan as picked up jetty service as keeping our PCI compliance scan from passing.

 

Trustwave is claiming that I need jetty versions 6.1.22 or 7.0.0 have fixed the two following issues… 

Jetty HTTP server “coolie Dump Servlett” escape sequence injection vulnerability   CVE-2009-4611 

Jetty HTTP server hash collision denial of service vulnerability  CVE-2011-4461 .

When I look at the properties of jetty.exe I’m seeing version 14.0.0 ..

I've sent the above information to the two email address listed above.


Thanks

Jay Bietz 

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Sep 26, 2014 0