Highlighted

Jetty Vulnerabilities in Coldfusion 2018

New Here ,
Jul 24, 2018

Copy link to clipboard

Copied

During a vulnerability scan, my ColdFusion 2018 server was identified as having several Eclipse Jetty vulnerabilities.  Will CF v13 be updated to address these?  Or, will I have to manually upgrade Jetty -- and if so, how?

The host is installed with Eclipse Jetty Server and is prone to information disclosure vulnerability.
Installed version: 9.3.6.20151106
Fixed version:     9.3.24.v20180605

Product: cpe:/a:eclipse:jetty:9.3.6.20151106
Method: Jetty Version Detection (OID: 1.3.6.1.4.1.25623.1.0.800953)
Log: View details of product detection

CVE: CVE-2018-12536
CERT: DFN-CERT-2018-1285
Other: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670
https://www.eclipse.org/jetty/

------ and ------

The host is installed with Eclipse Jetty Server and is prone to security bypass vulnerability.
Installed version: 9.3.6.20151106
Fixed version:     9.3.24.v20180605

Product: cpe:/a:eclipse:jetty:9.3.6.20151106
Method: Jetty Version Detection (OID: 1.3.6.1.4.1.25623.1.0.800953)
Log: View details of product detection

CVE: CVE-2017-7658
CERT: DFN-CERT-2018-1285
Other: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669
https://www.eclipse.org/jetty/

Views

667

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

Jetty Vulnerabilities in Coldfusion 2018

New Here ,
Jul 24, 2018

Copy link to clipboard

Copied

During a vulnerability scan, my ColdFusion 2018 server was identified as having several Eclipse Jetty vulnerabilities.  Will CF v13 be updated to address these?  Or, will I have to manually upgrade Jetty -- and if so, how?

The host is installed with Eclipse Jetty Server and is prone to information disclosure vulnerability.
Installed version: 9.3.6.20151106
Fixed version:     9.3.24.v20180605

Product: cpe:/a:eclipse:jetty:9.3.6.20151106
Method: Jetty Version Detection (OID: 1.3.6.1.4.1.25623.1.0.800953)
Log: View details of product detection

CVE: CVE-2018-12536
CERT: DFN-CERT-2018-1285
Other: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670
https://www.eclipse.org/jetty/

------ and ------

The host is installed with Eclipse Jetty Server and is prone to security bypass vulnerability.
Installed version: 9.3.6.20151106
Fixed version:     9.3.24.v20180605

Product: cpe:/a:eclipse:jetty:9.3.6.20151106
Method: Jetty Version Detection (OID: 1.3.6.1.4.1.25623.1.0.800953)
Log: View details of product detection

CVE: CVE-2017-7658
CERT: DFN-CERT-2018-1285
Other: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669
https://www.eclipse.org/jetty/

Views

668

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Jul 24, 2018 0
Adobe Employee ,
Jul 24, 2018

Copy link to clipboard

Copied

Hi,

We will check this and let you know. Please standby.

Thanks,

Priyank Shrivastava

Thanks,
Priyank Shrivastava

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jul 24, 2018 0
Adobe Community Professional ,
Jul 25, 2018

Copy link to clipboard

Copied

Victor, while Priyank considered your question, I have another, but more important: a suggestion (for you and Priyank to consider)

1) First, a minor but perhaps helpful point: you say that the vulnerability was found in CF2018 (which came out just this month), and you ask if CF “v13” will address it. They are no different. CF2018 the official name of the release, while the latter was an internal name that sometimes appears in places (like the Bug tracker).

2) Second and more important, moving on to your issue, I’ll note that there are indeed two jetty web server implementations underlying CF.

**And you may find that you can just close off the default open access to one of them (which in fact may no longer even be needed). **

One is for the sake of the CF “add-on service” (which supports Solr and the PDFG services/the CFHTMLTOPDF tag) and another was for sake of the CF Enterprise Server Monitor (which added an alternative web server it offered in CF9.0.1 and above).

In the case of the jetty for the add-on service, it’s controlled by a jetty.xml file in C:\ColdFusion2018\cfusion\jetty\etc\jetty.xml, while the one that was for the CF Enterprise Server monitor was (and still in) C:\ColdFusion2018\cfusion\lib\jetty.xml. In the former, it has a host field that limits it to listening on 127.0.0.1 (and a port like 8989) by default, while the latter has a host field that is left as 0.0.0.0 and so is listening for requests made to any ip address (and thus is “open”).

This has caused other problems, and there’s are resources from Adobe and others proposing “closing that hole” by changing that host (in the C:\ColdFusion2018\cfusion\lib\jetty.xml) to be 127.0.01:

https://forums.adobe.com/thread/2347245

We’ll see if Priyank might propose that as the same solution here, but I wanted to offer that for you (and him) to consider in the meantime.

3) Finally, I would also ask Adobe: why is that jetty implementation (the one that was added in 9.0.1 for the CF enterprise Server Monitor, listening at port 5500) even still there in CF2018, since the CF Server Monitor is removed in this release. (If anyone reading would ask me if this might still be needed for the new PMT which replaces the Server Monitor, I would say no, it doesn’t seem so, since the PMT runs as a separate service and has its own port, which is 9101 by default). And even if somehow this jetty (at 5500, by default) is still needed, does it REALLY still need to be left with the host of 0.0.0.0?

Victor, if you may get to try this and could report if it closes the vulnerability, that would be useful to hear, if Priyank confirms it’s no longer needed. That could help others who may find this thread in the future. (But I’ll understand if you may prefer to wait to hear from him first.)

/charlie

/Charlie (server troubleshooter, carehart.org)

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jul 25, 2018 1
New Here ,
Jul 26, 2018

Copy link to clipboard

Copied

Charlie, thanks for the reply and link to the Jetty thread.

I modified c:\coldfusion2018\cfusion\jetty\etc\jetty.xml and changed the host from 0.0.0.0 to 127.0.0.1 and restarted the CF service.  Ran the vulnerability scan and this time it didn't complain about Jetty.

I'd also like to know from Adobe, if this isn't required why is it installed?  And, if required, why the are using an old version from 2015?

Thanks for the suggestion!

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jul 26, 2018 0
Adobe Employee ,
Jul 26, 2018

Copy link to clipboard

Copied

Hi Victor\Charlie,

Thank you for your patience with me. We had a discussion over this and we will be taking care of this in upcoming updates.

If you any query, feel free to share it.

Thanks,

Priyank Shrivastava

Thanks,
Priyank Shrivastava

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jul 26, 2018 0