Hi,
After scanning our new development ColdFusion 2018 server, we found the following vulnerabilities. How can we fix these issues? Did ColdFusion install node.js?
Thank you.
Apache Tomcat Default Files: The remote web server contains default files. The default error page, default index page, example JSPs, and/or example servlets are installed on the remote Apache Tomcat server. These files should be removed as they may help an attacker uncover information about the remote Tomcat install or host itself.
Node.js - JavaScript run-time environment is affected by multiple vulnerabilities: The version of Node.js installed on the remote host is 6.x prior to 6.15.0, 8.x prior to 8.14.0, 10.x prior to 10.14.0 or 11.x prior to 11.3.0. Therefore, it is affected by multiple vulnerabilities:
- OpenSSL timing vulnerability in DSA signature generation (CVE-2018-0734)
- OpenSSL timing vulnerability in ECDSA signature generation (CVE-2018-0735)
- OpenSSL microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
- Debugger port 5858 listens on any interface by default (CVE-2018-12120)
- Denial of service with large HTTP headers (CVE-2018-12121)
- Slowloris HTTP denial of service (CVE-2018-12122)
- Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
- HTTP request splitting (CVE-2018-12116)
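An added example (not from this thread, Adobe, or the scanner vendor) for confirming the bundled Node.js version before and after the change: it compares a `node --version` string against the fixed versions quoted in the finding above. The path to the node binary is an assumption the caller supplies; a major line the finding does not list (for example 12.x) is reported as not covered by this finding rather than as clean.

```python
"""Compare a Node.js version against the fixed versions quoted in the Nessus finding.

Added example; not from the forum thread, Adobe, or the scanner vendor.
The thresholds below are exactly the ones the finding names. A major version the
finding does not list (e.g. 12.x) is reported as "not-covered", not as safe.
"""
import re
import subprocess

# major -> first version on that line the finding treats as fixed
FIXED_VERSIONS = {
    6: (6, 15, 0),
    8: (8, 14, 0),
    10: (10, 14, 0),
    11: (11, 3, 0),
}


def parse_version(text):
    """Extract (major, minor, patch) from text such as 'v8.11.1\\n'."""
    match = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no Node.js version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(text):
    """Return 'affected', 'fixed' or 'not-covered' for a version string."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return "not-covered"
    return "affected" if version < fixed else "fixed"


def assess_binary(node_path):
    """Run `node --version` on the given binary (path supplied by the caller,
    e.g. the node.exe your ColdFusion install shipped) and assess the result.
    Returns (version tuple, verdict)."""
    result = subprocess.run(
        [node_path, "--version"], capture_output=True, text=True, check=True
    )
    return parse_version(result.stdout), assess(result.stdout)


if __name__ == "__main__":
    import sys
    # Usage: python check_node.py <path-to-node-binary>
    # The path is an assumption; point it at the node executable under your CF root.
    path = sys.argv[1] if len(sys.argv) > 1 else "node"
    version, verdict = assess_binary(path)
    print(f"{path}: {'.'.join(map(str, version))} -> {verdict}")
```

If you keep Node.js for mobile development and upgrade it yourself, run this against the replacement binary as well; Nessus keys this plugin on the reported version, so a "fixed" verdict here is what makes the finding go away on the next scan.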
Hi,
Can you please apply the latest update 3 and then run the scan again.
Thanks,
Priyank
Thanks Priyank. Will do.
I just verified that we do have update 3 installed before we ran the scan. Please let me know if you need additional info.
I didn't install node.js. Did ColdFusion install node.js?
Yes, ColdFusion installation does install Node.js. You can uninstall it.
Thanks,
Priyank
Thanks Priyank. Will it cause any other issues? We don't want any surprises. What do you suggest? And for Apache Tomcat Default Files, what will be the solution for that?
Hi,
I will check this and get back to you. There is no harm if you remove Node.js.
Thanks,
Priyank
Any updates on node.js?
Priyank,
Any updates on node.js? Our security team will not allow us to move forward until these vulnerabilities are taken care of. We have only 5 weeks to be off ColdFusion 11.
Thanks,
Ashraf
Node is there for an aspect of the mobile features added in CF11, if you choose to implement CF with the development profile. I have a post with more on that:
https://coldfusion.adobe.com/2017/11/hey-why-am-i-finding-cf-installed-node-js/
That said, it is interesting that you are doing security scanning on an implementation of CF with the "development" profile. That's of course less secure (by design) than either the production or production+secure profiles.
Even so, it's a shame to hear if on CF2018 u3 the node libraries are so old as to have those vulns. Adobe, that seems a priority to get fixed ASAP.
Finally, as for the "default tomcat files", can you get your security scanner to report what files it means? There are no jsps or example servlets in the cfusion/wwwroot by default, and that's the default webroot for CF.
Thanks Charlie for your help. As per our organization policy, they scan all servers. We don't have any mobile setup and we don't need node.js.
This is the scanner result for Tomcat.
Apache Tomcat Default Files: The remote web server contains default files. The default error page, default index page, example JSPs, and/or example servlets are installed on the remote Apache Tomcat server. These files should be removed as they may help an attacker uncover information about the remote Tomcat install or host itself. Solution: Delete the default index page and remove the example JSP and servlets. Follow the Tomcat or OWASP instructions to replace or modify the default error page.
Can we remove tomcat server also?
Thanks again for your help.
You can't remove Tomcat, because that's what actually runs ColdFusion. And as Charlie said, there aren't any actual files in the Tomcat webroot other than the ones you might put there yourself. But it is possible to have default error pages and index pages, because those aren't actually pages. You could edit the configuration files for Tomcat to customize these pages, I think, but my recommendation would simply be to restrict access to the built-in web server to the localhost address. If you do this, the scanner shouldn't be able to find anything.
Dave Watts, Eidolon LLC
Thanks Dave. I'm using IIS for CFADMIN. It is a good idea to block access to the built-in server, so it won't show up on that report. Can you please provide steps?
First, I would recommend not using IIS for the CF Administrator. This has always been a dangerous thing, and CF 2018 doesn't even let you do this any more! You should use the built-in web server to manage your server, because it's listening on a different port and doesn't have as much built-in functionality as IIS. Ideally, you should require a local console connection to manage CF, because that's very easy to restrict.
Second, that's a good question! I'm pretty sure that you can just add an "address" attribute to the Connector for HTTP/1.1 in /runtime/conf/server.xml within your CF service directory (for me, that would be c:\coldfusion2018\cfusion\runtime\conf\server.xml). Alternatively, you could block it with your host-based firewall, which is what I usually do myself on my own local workstations. I'll give the server.xml file a try and see if that works, when I have time.
Dave Watts, Eidolon LLC
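An added example (not Dave's, Adobe's, or Tomcat's own code) that audits a server.xml for HTTP connectors listening on every interface and shows the `address` attribute change Dave describes. It assumes the built-in web server is the Tomcat bundled with ColdFusion, configured in `<cf_root>/cfusion/runtime/conf/server.xml`, and that its HTTP `<Connector>` honours Tomcat's standard `address` attribute; the embedded server.xml is a constructed sample with illustrative port numbers, not a copy of a real CF file.

```python
"""Audit a Tomcat server.xml for HTTP connectors that listen on every interface.

Added example; not part of ColdFusion, Tomcat, or the forum thread. It assumes
the built-in web server is CF's bundled Tomcat, configured in
<cf_root>/cfusion/runtime/conf/server.xml, and that its HTTP <Connector>
honours Tomcat's standard `address` attribute.
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample mirroring the shape of a server.xml; port numbers are illustrative.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8445"/>
    <Connector port="8018" protocol="AJP/1.3" redirectPort="8445"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def _is_http(connector):
    # Tomcat defaults protocol to HTTP/1.1; explicit values may be "HTTP/1.1" or a
    # class name such as org.apache.coyote.http11.Http11NioProtocol.
    proto = connector.get("protocol", "HTTP/1.1")
    return proto.startswith("HTTP/") or ".http11." in proto


def _bound_to_loopback(connector):
    return (connector.get("address") or "").strip() in LOOPBACK


def connector_summary(xml_text):
    """Return [(port, protocol, address)] for every <Connector> in the document."""
    root = ET.fromstring(xml_text)
    return [(c.get("port"), c.get("protocol", "HTTP/1.1"), c.get("address"))
            for c in root.iter("Connector")]


def exposed_http_connectors(xml_text):
    """Ports of HTTP connectors that are reachable from other hosts."""
    root = ET.fromstring(xml_text)
    return [c.get("port") for c in root.iter("Connector")
            if _is_http(c) and not _bound_to_loopback(c)]


def bind_http_to_loopback(xml_text, address="127.0.0.1"):
    """Return (number changed, new xml) with every exposed HTTP connector bound to
    `address`. AJP connectors are left alone: that is what a front-end web server
    connector (e.g. IIS) talks to, and binding it to loopback would break IIS on
    another host."""
    root = ET.fromstring(xml_text)
    changed = 0
    for c in root.iter("Connector"):
        if _is_http(c) and not _bound_to_loopback(c):
            c.set("address", address)
            changed += 1
    return changed, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    import sys
    # Usage: python audit_server_xml.py <path-to-server.xml>; the path is an assumption.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SERVER_XML
    print("exposed HTTP connectors on ports:", exposed_http_connectors(text))
    n, fixed = bind_http_to_loopback(text)
    print(f"{n} connector(s) would be bound to 127.0.0.1:\n{fixed}")
```

Treat the returned XML as a review of what to change rather than something to write back blindly: ElementTree discards comments and the XML declaration when it re-serialises, so add the `address="127.0.0.1"` attribute to the real `<Connector>` by hand, keep a backup, and restart the ColdFusion service. Then confirm with `netstat -ano | findstr :<port>` (8500 in the sample) that the listener shows 127.0.0.1 and not 0.0.0.0. Once bound to loopback, the Administrator is reachable only from the host itself, which is the local-console posture Dave recommends above.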
Hi Ashraf,
Sorry about the delay. As Charlie and Dave mentioned, you can remove Node.js if you are not doing any mobile development. However, if you are doing mobile development, you can upgrade Node.js on your own and that shouldn't be a problem.
For Tomcat default files, it is a false positive by your scanner. Because of the Tomcat manager app, the scanner might be flagging it. But by default, the manager app won't be deployed unless it is moved to the webapps directory in cfusion/runtime. If you are concerned about it, you can remove the manager folder in the cfusion/runtime directory.
Could you please let me know which scanner you are using here, is it Nessus?
Thanks,
Priyank Shrivastava
No problem. I'll remove Node.js using Windows Programs and Features. Just wanted to confirm that I can go ahead and delete the E:\ColdFusion2018\cfusion\runtime\manager folder without any issue?
Yes, we are using Nessus scanner. Thanks for your help.
Yes, go ahead and remove the folder. Thanks for sharing the scanner name.
Thanks,
Priyank