Anyone familiar with Jetty DoS vulnerability as it relates to CF?

Report · Jun 30, 2014

I am trying to get approval to run CF11 in production environment, and scans keep flagging a Jetty vulnerability -- CVE-2011-4461 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4461). It says the solution is to "upgrade Jetty to version 8.1.0.RC2 or newer."

Can I just upgrade Jetty and keep everything together ColdFusion? It doesn't seem like that would work or, I assume, Adobe would distribute a newer version of Jetty to begin with.

I am not using remote start/stop but am using Solr ... so, I don't think disabling Jetty altogether is an option.

Has anyone else run into this? Would you be willing to share your insight? Thank you.

Matt

Report · Jun 30, 2014

Hi Matt,

Can you please drop an email to Adobe security team at "psirt@adobe.com" and cc "cf.install@adobe.com". We will look in, as of now there is no vulnerability in ColdFusion 11 but we can still look into this.

Thanks,

Priyank

Thanks,
Priyank Shrivastava

Report · Sep 26, 2014

Trustwave Vulerability scan as picked up jetty service as keeping our PCI compliance scan from passing.

Trustwave is claiming that I need jetty versions 6.1.22 or 7.0.0 have fixed the two following issues…

Jetty HTTP server “coolie Dump Servlett” escape sequence injection vulnerability CVE-2009-4611

Jetty HTTP server hash collision denial of service vulnerability CVE-2011-4461 .

When I look at the properties of jetty.exe I’m seeing version 14.0.0 ..

I've sent the above information to the two email address listed above.

Thanks

Jay Bietz

Adobe Community

Anyone familiar with Jetty DoS vulnerability as it relates to CF?