Highlighted

ColdFusion 2018 vulnerabilities

New Here ,
Mar 18, 2019

Copy link to clipboard

Copied

Hi,

After scanning our new development ColdFusion 2018, we found following vulnerabilities: How can we fix this issues? Did ColdFusion installed node.js?

Thank you.

Apache Tomcat Default FilesThe remote web server contains default files.The default error page, default index page, example JSPs,
and/or example servlets are installed on the remote Apache
Tomcat server. These files should be removed as they may
help an attacker uncover information about the remote Tomcat
install or host itself.
Node.js - JavaScript run-time environment is affected by multiple vulnerabilities.The version of Node.js installed on the remote host is
6.x prior to 6.15.0, 8.x prior to 8.14.0 or 10.x prior to 10.14.0 or
11.x prior to 11.3.0.
Therefore, it is affected by multiple vulnerabilities.

   - OpenSSL Timing vulnerability in DSA signature generation
     (CVE-2018-0734).

   - OpenSSL Timing vulnerability in ECDSA signature generation
     (CVE-2018-0735).

   - OpenSSL Microarchitecture timing vulnerability in ECC scalar
     multiplication (CVE-2018-5407).

   - Debugger port 5858 listens on any interface by default
     CVE-2018-12120).

   - Denial of Service with large HTTP headers (CVE-2018-12121).

   - Slowloris HTTP Denial of Service (CVE-2018-12122).

   - Hostname spoofing in URL parser for javascript protocol
     (CVE-2018-12123).

   - HTTP request splitting (CVE-2018-12116).

Yes, go ahead and remove the folder. Thanks for sharing the scanner name.

Thanks,

Priyank

Views

1.2K

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

ColdFusion 2018 vulnerabilities

New Here ,
Mar 18, 2019

Copy link to clipboard

Copied

Hi,

After scanning our new development ColdFusion 2018, we found following vulnerabilities: How can we fix this issues? Did ColdFusion installed node.js?

Thank you.

Apache Tomcat Default FilesThe remote web server contains default files.The default error page, default index page, example JSPs,
and/or example servlets are installed on the remote Apache
Tomcat server. These files should be removed as they may
help an attacker uncover information about the remote Tomcat
install or host itself.
Node.js - JavaScript run-time environment is affected by multiple vulnerabilities.The version of Node.js installed on the remote host is
6.x prior to 6.15.0, 8.x prior to 8.14.0 or 10.x prior to 10.14.0 or
11.x prior to 11.3.0.
Therefore, it is affected by multiple vulnerabilities.

   - OpenSSL Timing vulnerability in DSA signature generation
     (CVE-2018-0734).

   - OpenSSL Timing vulnerability in ECDSA signature generation
     (CVE-2018-0735).

   - OpenSSL Microarchitecture timing vulnerability in ECC scalar
     multiplication (CVE-2018-5407).

   - Debugger port 5858 listens on any interface by default
     CVE-2018-12120).

   - Denial of Service with large HTTP headers (CVE-2018-12121).

   - Slowloris HTTP Denial of Service (CVE-2018-12122).

   - Hostname spoofing in URL parser for javascript protocol
     (CVE-2018-12123).

   - HTTP request splitting (CVE-2018-12116).

Yes, go ahead and remove the folder. Thanks for sharing the scanner name.

Thanks,

Priyank

Views

1.2K

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Mar 18, 2019 0
Adobe Employee ,
Mar 18, 2019

Copy link to clipboard

Copied

Hi,

Can you please apply the latest update 3 and then run the scan again.

Thanks,

Priyank

Thanks,
Priyank Shrivastava

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 18, 2019 0
New Here ,
Mar 18, 2019

Copy link to clipboard

Copied

Thanks Priyank. Will do.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 18, 2019 0
New Here ,
Mar 18, 2019

Copy link to clipboard

Copied

I just verified that we do have update 3 installed before we ran the scan. Please let me know if you need additional info.

I didn't installed node.js, did ColdFusion installed node.js?

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 18, 2019 0
Adobe Employee ,
Mar 18, 2019

Copy link to clipboard

Copied

Yes, ColdFusion installation does install Node.js. You can uninstall it.

Thanks,

Priyank

Thanks,
Priyank Shrivastava

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 18, 2019 0
New Here ,
Mar 18, 2019

Copy link to clipboard

Copied

Thanks Priyank. Will it cause any other issues, we don't want any surprises. What do you suggest? and for Apache Tomcat Default Files, what will be the solution for that?

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 18, 2019 0
Adobe Employee ,
Mar 18, 2019

Copy link to clipboard

Copied

Hi,

I will check this and get back to you. There is no harm if you remove Node.js.

Thanks,

Priyank

Thanks,
Priyank Shrivastava

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 18, 2019 0
New Here ,
Mar 22, 2019

Copy link to clipboard

Copied

Any updates on node.js?

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 22, 2019 0
New Here ,
Mar 26, 2019

Copy link to clipboard

Copied

Priyank,

Any updates on node.js? Our security team would not allow us to move forward until this vulnerabilities is taken care of. We have only 5 weeks to be out of ColdFusion11.

Thanks,

Ashraf

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 26, 2019 0
Adobe Community Professional ,
Mar 18, 2019

Copy link to clipboard

Copied

Node is there for an aspect of the mobile features added in CF11, if you choose to implement CF with the development profile. I have a post with more on that:

https://coldfusion.adobe.com/2017/11/hey-why-am-i-finding-cf-installed-node-js/

That said, it is interesting that you are doing security scanning on an implementation of CF with the "development" profile. That's of course less secure (by design) than either the production or production+secure profiles.

Even so, it's a shame to hear if on CF2018 u3 the node libraries are so old as to have those vulns. Adobe, that seems a priority to get fixed ASAP.

Finally, as for the "default tomcat files", can you get your security scanner to report what files it means? There are no jsps or example servlets in the cfusion/wwwroot by default, and that's the default webroot for CF.

/Charlie (server troubleshooter, carehart.org)

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 18, 2019 1
New Here ,
Mar 19, 2019

Copy link to clipboard

Copied

Thanks Charlie for your help. As per our organization policy, they do scan all servers. We don't have any mobile setup and we don't need node.js.

This is the result for scanner for tomcat.

Apache Tomcat Default FilesThe remote web server contains default files.The default error page, default index page, example JSPs,
and/or example servlets are installed on the remote Apache
Tomcat server. These files should be removed as they may
help an attacker uncover information about the remote Tomcat
install or host itself.
Delete the default index page and remove the example JSP and
servlets. Follow the Tomcat or OWASP instructions to replace
or modify the default error page.

Can we remove tomcat server also?

Thanks again for your help.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 19, 2019 0
Adobe Community Professional ,
Mar 19, 2019

Copy link to clipboard

Copied

You can't remove Tomcat, because that's what actually runs ColdFusion. And as Charlie said, there aren't any actual files in the Tomcat webroot other than the ones you might put there yourself. But it is possible to have default error pages and index pages, because those aren't actually pages. You could edit the configuration files for Tomcat to customize these pages, I think, but my recommendation would simply be to block access to the built-in web server to the localhost address. If you do this, the scanner shouldn't be able to find anything.

Dave Watts, Eidolon LLC

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 19, 2019 0
New Here ,
Mar 19, 2019

Copy link to clipboard

Copied

Thanks Dave. I'm using IIS for CFADMIN. It is a good idea to block access to built-in server, so it wont show up on that report. Can you please provide steps ?

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 19, 2019 0
Adobe Community Professional ,
Mar 19, 2019

Copy link to clipboard

Copied

First, I would recommend not using IIS for the CF Administrator. This has always been a dangerous thing, and CF 2018 doesn't even let you do this any more! You should use the built-in web server to manage your server, because it's listening on a different port and doesn't have as much built-in functionality as IIS. Ideally, you should require a local console connection to manage CF, because that's very easy to restrict.

Second, that's a good question! I'm pretty sure that you can just add an "address" attribute to the Connector for HTTP/1.1 in /runtime/conf/server.xml within your CF service directory (for me, that would be c:\coldfusion2018\cfusion\runtime\conf\server.xml). Alternatively, you could block it with your host-based firewall, which is what I usually do myself on my own local workstations. I'll give the server.xml file a try and see if that works, when I have time.

Dave Watts, Eidolon LLC

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 19, 2019 0
Adobe Employee ,
Mar 28, 2019

Copy link to clipboard

Copied

Hi Ashraf,

Sorry about the delay. As Chalie and Dave mentioned that you can remove the Nodejs, if you are not doing any mobile development. However, if you are doing the mobile development, you can upgrade the Nodejs on your own and that shoudn't be a problem.

For Tomcat default files, it is a false positive by your scanner. Because of the Tomcat manager app, the scanner might be flagging it. But by default, the manager app won't be deployed unless it is moved to webapps directory in cfusion/runtime. If you are concerned about it you can remove the manager folder in cfusion/runtime directory.

Could you please let me know which scanner you are using here, is it Nessus?

Thanks,

Priyank Shrivastava

Thanks,
Priyank Shrivastava

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 28, 2019 0
New Here ,
Mar 28, 2019

Copy link to clipboard

Copied

No problem.  I'll remove Nodejs using windows programs and features. Just wanted to confirm that I can go ahead and delete  E:\ColdFusion2018\cfusion\runtime\manager folder without any issue?

Yes, we are using Nessus scanner. Thanks for your help.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 28, 2019 0
Adobe Employee ,
Mar 28, 2019

Copy link to clipboard

Copied

Yes, go ahead and remove the folder. Thanks for sharing the scanner name.

Thanks,

Priyank

Thanks,
Priyank Shrivastava

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 28, 2019 0