I am trying to get approval to run CF11 in a production environment, and scans keep flagging a Jetty vulnerability -- CVE-2011-4461 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4461). It says the solution is to "upgrade Jetty to version 8.1.0.RC2 or newer."
Can I just upgrade Jetty and keep everything together with ColdFusion? It doesn't seem like that would work or, I assume, Adobe would distribute a newer version of Jetty to begin with.
I am not using remote start/stop but am using Solr ... so, I don't think disabling Jetty altogether is an option.
Has anyone else run into this? Would you be willing to share your insight? Thank you.
Matt
Hi Matt,
Can you please drop an email to the Adobe security team at "psirt@adobe.com" and cc "cf.install@adobe.com". We will look into it; as of now there is no vulnerability in ColdFusion 11, but we can still look into this.
Thanks,
Priyank
The Trustwave vulnerability scan has picked up the Jetty service as keeping our PCI compliance scan from passing.
Trustwave is claiming that I need Jetty version 6.1.22 or 7.0.0, which have fixed the two following issues:
Jetty HTTP server "Cookie Dump Servlet" escape sequence injection vulnerability CVE-2009-4611
Jetty HTTP server hash collision denial of service vulnerability CVE-2011-4461.
When I look at the properties of jetty.exe I'm seeing version 14.0.0.
I've sent the above information to the two email addresses listed above.
Thanks
Jay Bietz
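Both posts above hinge on knowing which Jetty version is actually installed: Matt's scanner cites the 8.1.0.RC2 fix threshold for CVE-2011-4461, and Jay reads a version from the file properties of jetty.exe. The script below is an added example, not code from this thread or from Adobe. It reads the version that the Jetty jar itself declares in its META-INF/MANIFEST.MF (the Implementation-Version header), and compares it against the fix version quoted from the advisory, taking Jetty's qualifier scheme into account (milestone < RC < dated release, so 8.1.0.RC2 is older than 8.1.0.v20120127). The manifest text embedded here is constructed for the example; the jar path in the usage line is an assumption, not a ColdFusion install path from the thread.

```python
import re
import zipfile

# Fix threshold quoted in the thread from the CVE-2011-4461 advisory.
FIXED_VERSION = "8.1.0.RC2"

# Constructed sample manifest, modelled on the headers Jetty jars carry.
SAMPLE_MANIFEST = """Manifest-Version: 1.0
Implementation-Vendor: Eclipse.org - Jetty
Implementation-Version: 7.4.5.v20110725
Bundle-SymbolicName: org.eclipse.jetty.server
"""

# Jetty qualifier ordering: milestone < release candidate < dated release < bare numeric.
_QUALIFIER_RANK = {"m": 0, "rc": 1, "v": 2}
_FINAL_RANK = 3


def parse_version(ver):
    """Turn a Jetty version string such as '8.1.0.RC2' into a sortable tuple.

    Returns ((major, minor, patch), qualifier_rank, qualifier_number), e.g.
    '8.1.0.RC2' -> ((8, 1, 0), 1, 2) and '8.1.0.v20120127' -> ((8, 1, 0), 2, 20120127).
    """
    nums = []
    qualifier = None
    for part in ver.strip().split("."):
        if part.isdigit():
            nums.append(int(part))
        else:
            qualifier = part
            break
    while len(nums) < 3:
        nums.append(0)
    if qualifier is None:
        # Plain numeric version (e.g. the 6.1.22 Jay's scanner mentions): a final release.
        return (tuple(nums), _FINAL_RANK, 0)
    match = re.fullmatch(r"([A-Za-z]+)(\d*)", qualifier)
    if not match:
        raise ValueError(f"unrecognised version qualifier in {ver!r}")
    rank = _QUALIFIER_RANK.get(match.group(1).lower(), _FINAL_RANK)
    return (tuple(nums), rank, int(match.group(2) or 0))


def manifest_version(manifest_text):
    """Return the Implementation-Version header from MANIFEST.MF text, or None if absent.

    Version headers are short, so the 72-byte manifest line-wrapping rule does not apply.
    """
    for line in manifest_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            return value.strip()
    return None


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version is older than the advisory's fix version."""
    return parse_version(version) < parse_version(fixed)


def check_jar(jar_path):
    """Read the manifest of a Jetty jar on disk; return (version, vulnerable-or-None)."""
    with zipfile.ZipFile(jar_path) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    version = manifest_version(text)
    return version, (None if version is None else is_vulnerable(version))


if __name__ == "__main__":
    sample = manifest_version(SAMPLE_MANIFEST)
    print(f"sample manifest declares {sample}: vulnerable={is_vulnerable(sample)}")
    # Hypothetical path; point this at the jetty jar the scanner is flagging.
    # print(check_jar("/path/to/jetty.jar"))
```

Run it against every jetty*.jar under the install tree rather than a single file: the fix applies to the server jar that is actually on the classpath, and the version shown in a service wrapper executable's file properties need not match it.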