Hotfix updates not showing in Nessus scan

Explorer, Jul 28, 2020


I applied all the hotfix updates 4-10 manually to ColdFusion 2018, but when we run the Nessus scanner, it's showing the server as unpatched. Looks like Nessus is looking in a different directory:

 Nessus detected the following unpatched instances :

Update directory : D:\ColdFusion2018\cfusion\lib\updates
Missing cumulative hotfix : chf2018000005.jar


It shows this error for each update, even though they were all applied through the hf-updates folder. Anyone run into this? Nessus is wrong, obviously.

Tom Muck

Explorer, Jul 28, 2020


From what I can gather, the automatic update button in the CF Admin puts the updates in the lib/updates folder, whereas the manual install puts them in hf-updates, and the filenames are different (hotfix-010-320417.jar vs. chf20180010.jar). I assume they are the same updates, but one is cumulative, whereas the hf-updates are individual.


Tom

Community Expert, Jul 28, 2020


Interesting challenge. There are a few things to consider here, a couple of which may contradict your understanding. Let's see if we can figure it all out.


1) The CF updates (whether done manually or via the Admin) will indeed put the actual update jar (the one starting with chf) in the lib/updates folder. And each time you apply a new update, the previous update's chf jar (and any other ones added, such as may be provided by Adobe support for bug fixes) will be removed.


1b) The jars you see in the hf-updates are different: they are either pulled down by the automatic update mechanism or can be put there manually, and they are the actual installer for APPLYING the update (which again ends up putting the CHF into that lib/updates folder).


2) FWIW, note as well that if you have more than one instance of CF (if running CF Enterprise, Dev or Trial, not available in Standard), then there will be both an hf-updates and a lib/updates folder in each instance. I know you said it refers to the cfusion/lib/updates. I just mention this in case it may help you or perhaps other readers who find this thread in the future.


2b) You say it's complaining that chf2018000005.jar is missing. Of course, it could be that the Nessus you have is out of date (and not smart), if it may think "if I don't see 5, I don't care about anything later". Did you check it RIGHT after applying update 5? If so, then something is definitely amiss (if you literally saw that chf5 jar in that folder when it STILL reported it did not see it there).


3) FWIW, note that you did NOT need to do "all the hotfix updates 4-10", if by that you mean you did them one at a time. It's sad, of course, because you may have felt you had to, if you tried 10 first and it failed, but found 4 worked. It was literally that you must do 4 (alone) before any others, so you could have done just 4 and 10. I leave that for other readers, or if you ever have to do it again. 🙂


4) Finally, if it was not reporting SPECIFICALLY about that CF lib/updates folder, I might wonder if instead it was complaining that it was the JAVA version that CF is using that is out of date. Out of the box, CF2018's Java is indeed old. You can update to the latest Java 11, which is 11.0.7.


Let us know how things 


/Charlie (troubleshooter, carehart.org)

Explorer, Jul 29, 2020


Thanks, Charlie. There is definitely only one instance. I did not do the updates through the interface, because the machine is blocked from accessing the Internet. They were done manually from a command line. I did each one because I could not find any information on whether or not they were cumulative, and applying just the latest (which was 9 at the time) did not work. I will ask our operations team about the Nessus installation. I assume they are keeping it up to date.


Tom

Explorer, Jul 29, 2020


Also, Nessus is definitely complaining about the specific jar file. Error is:

Nessus detected the following unpatched instances :

Update directory : D:\ColdFusion2018\cfusion\lib\updates
Missing cumulative hotfix : chf2018000005.jar

Community Expert, Jul 29, 2020


Tom, about the specific file, I did acknowledge that in point 4 of my original reply. (Your comment reads like you think I missed that reference.)


/Charlie (troubleshooter, carehart.org)

Explorer, Jul 29, 2020


Thanks, Charlie, I do see the information about it being cumulative now. Not sure how I missed it. And I did misread your point about the specific file. Our operations people will be happy about the cumulative nature of the updates. We just bought 5 or 6 licenses to upgrade our servers. Wish there was an installer that was up to date.


Tom

Community Expert, Jul 29, 2020

Amen to that. 🙂 


/Charlie (troubleshooter, carehart.org)

Community Expert, Jul 29, 2020


Fwiw, the technotes for each update have long indicated that they are cumulative, and also that the June 2019 update (for both cf2016 and 2018) must be applied first.


But I realize many never see the technotes. First, those who use the admin ui often miss or simply skip clicking the "read more" link offered there for each update. 


Second, as for those who apply updates manually, they would generally need to go to the technotes to see the jar download url, so Adobe may assume they'd have to see that info.


But of course one could find the url for an update (and use its pattern for all updates) elsewhere, and so not realize or remember there is a technote with such info. 


That suggests a feature request: that the update ui (which appears when one does a manual update) could itself be modified to indicate both the cumulative nature of updates and point to the technote for that one. Would you be willing to file that at tracker.adobe.com, to make lemonade from these lemons? 🙂  If so, do share the url here for others to add votes. 


/Charlie (troubleshooter, carehart.org)

Community Expert, Jul 29, 2020


Nessus is perhaps an x++ thinker. It expects to see 5 as the follow-up of 4, not 10.

Is it possible to restart or even reinstall Nessus? That might reset its thinking.

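Added illustrative example (not code from this thread, from Adobe or from Nessus): a Python check that applies the cumulative semantics Charlie describes in points 1, 1b and 2b, reading the highest chf jar level actually present in lib/updates and comparing it with the required level, next to the exact-filename behaviour the scanner shows (expecting chf2018000005.jar after update 10 was applied). The directory layout, the hf-updates installer name pattern and the build number for update 4 are assumptions constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Applied cumulative hotfix jar, as named in the Nessus finding on this page:
# "chf" + 4-digit CF version + 6-digit zero-padded update number (.jar).
CHF_RE = re.compile(r"^chf(\d{4})(\d{6})\.jar$", re.IGNORECASE)
# Installer jar as it lands in hf-updates (hotfix-010-320417.jar on the page);
# assumed pattern. Its presence only proves the installer was downloaded,
# not that the update was applied.
INSTALLER_RE = re.compile(r"^hotfix-(\d{3})-\d+\.jar$", re.IGNORECASE)

def applied_update_level(lib_updates_dir, cf_version="2018"):
    """Highest update number among chf<version>NNNNNN.jar files, or 0 if none."""
    levels = [int(m.group(2)) for p in Path(lib_updates_dir).glob("*.jar")
              if (m := CHF_RE.match(p.name)) and m.group(1) == cf_version]
    return max(levels, default=0)

def downloaded_installers(hf_updates_dir):
    """Update numbers of installer jars found in hf-updates (informational only)."""
    return sorted(int(m.group(1)) for p in Path(hf_updates_dir).glob("*.jar")
                  if (m := INSTALLER_RE.match(p.name)))

def is_patched(lib_updates_dir, required_level):
    """Cumulative semantics: an applied level >= required satisfies the check."""
    return applied_update_level(lib_updates_dir) >= required_level

def exact_jar_check(lib_updates_dir, required_level):
    """The literal behaviour the scanner shows on this page: only the exact jar
    for the required level counts, so an applied update 10 'misses' update 5."""
    return (Path(lib_updates_dir) / f"chf2018{required_level:06d}.jar").exists()

def demo():
    # Constructed tree modelled on the thread: update 10 was applied (earlier
    # chf jars are removed on each update) after installers 4 and 10 were
    # placed in hf-updates by hand. The build number for 4 is a placeholder.
    with tempfile.TemporaryDirectory() as root:
        lib = Path(root, "cfusion", "lib", "updates")
        hf = Path(root, "cfusion", "hf-updates")
        lib.mkdir(parents=True)
        hf.mkdir(parents=True)
        (lib / "chf2018000010.jar").touch()
        (hf / "hotfix-004-000000.jar").touch()
        (hf / "hotfix-010-320417.jar").touch()
        return (applied_update_level(lib), downloaded_installers(hf),
                is_patched(lib, 5), exact_jar_check(lib, 5))

if __name__ == "__main__":
    print(demo())  # (10, [4, 10], True, False)
```

The last two values in the tuple are the point: the cumulative check passes while the exact-filename check fails, which is the false positive the thread is about.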
Explorer, Jul 29, 2020


Thanks, we're looking into that angle as well, and I'll contact Nessus about it if we can't resolve. Customer expects a clean Nessus scan.

Tom

Community Expert, Jul 29, 2020


If you don't want to wait for the tool vendor and are willing to work around this in a potentially questionable way, you could just create a bunch of JAR files with the appropriate names using Java. I don't think they'll interfere with the real patches.


jar -cf chf2018000005.jar ""


Dave Watts, Eidolon LLC

Explorer, Jul 29, 2020


Hi Dave, thanks for that. We actually did that earlier today with the latest update (10) and the scanner came back clean. It's obviously a problem with Nessus, but I'm not worried about it at this point because I know the servers are updated. I will send them a note about it. It seems their CF test is not accurate.

Tom
