ColdFusion 2018 vulnerabilities

Thanks Priyank. Will do.

I just verified that we do have update 3 installed before we ran the scan. Please let me know if you need additional info.

I didn't installed node.js, did ColdFusion installed node.js?

Yes, ColdFusion installation does install Node.js. You can uninstall it.

Thanks,

Priyank

Thanks Priyank. Will it cause any other issues, we don't want any surprises. What do you suggest? and for Apache Tomcat Default Files, what will be the solution for that?

Hi,

I will check this and get back to you. There is no harm if you remove Node.js.

Thanks,

Priyank

Any updates on node.js?

Priyank,

Any updates on node.js? Our security team would not allow us to move forward until this vulnerabilities is taken care of. We have only 5 weeks to be out of ColdFusion11.

Thanks,

Ashraf

Thanks Charlie for your help. As per our organization policy, they do scan all servers. We don't have any mobile setup and we don't need node.js.

This is the result for scanner for tomcat.

Can we remove tomcat server also?

Thanks again for your help.

You can't remove Tomcat, because that's what actually runs ColdFusion. And as Charlie said, there aren't any actual files in the Tomcat webroot other than the ones you might put there yourself. But it is possible to have default error pages and index pages, because those aren't actually pages. You could edit the configuration files for Tomcat to customize these pages, I think, but my recommendation would simply be to block access to the built-in web server to the localhost address. If you do this, the scanner shouldn't be able to find anything.

Dave Watts, Eidolon LLC

Thanks Dave. I'm using IIS for CFADMIN. It is a good idea to block access to built-in server, so it wont show up on that report. Can you please provide steps ?

First, I would recommend not using IIS for the CF Administrator. This has always been a dangerous thing, and CF 2018 doesn't even let you do this any more! You should use the built-in web server to manage your server, because it's listening on a different port and doesn't have as much built-in functionality as IIS. Ideally, you should require a local console connection to manage CF, because that's very easy to restrict.

Second, that's a good question! I'm pretty sure that you can just add an "address" attribute to the Connector for HTTP/1.1 in /runtime/conf/server.xml within your CF service directory (for me, that would be c:\coldfusion2018\cfusion\runtime\conf\server.xml). Alternatively, you could block it with your host-based firewall, which is what I usually do myself on my own local workstations. I'll give the server.xml file a try and see if that works, when I have time.

Dave Watts, Eidolon LLC

Hi Ashraf,

Sorry about the delay. As Chalie and Dave mentioned that you can remove the Nodejs, if you are not doing any mobile development. However, if you are doing the mobile development, you can upgrade the Nodejs on your own and that shoudn't be a problem.

For Tomcat default files, it is a false positive by your scanner. Because of the Tomcat manager app, the scanner might be flagging it. But by default, the manager app won't be deployed unless it is moved to webapps directory in cfusion/runtime. If you are concerned about it you can remove the manager folder in cfusion/runtime directory.

Could you please let me know which scanner you are using here, is it Nessus?

Thanks,

Priyank Shrivastava

No problem.  I'll remove Nodejs using windows programs and features. Just wanted to confirm that I can go ahead and delete  E:\ColdFusion2018\cfusion\runtime\manager folder without any issue?

Yes, we are using Nessus scanner. Thanks for your help.