Jetty Vulnerabilities in Coldfusion 11

December 18, 2018
Newbie 1 posts
Followers: 1 people

Presently using jetty-server-9.0.7.v20131107.jar. Security scans have identified this jetty jar and a few other jetty jars to be vulnerable.

I tried to change the host setting from 0.0.0.0 to 127.0.0.1 within jetty.xml. I was thinking this may be the issue within the jetty jars that the scan is having a problem with…

After the change, the jar failed the scan again.

I’ve tried replacing jetty-server-9.0.7.v20131107.jar and its dependencies with 9.4.11.v2018xxxx, 9.4.12.v2018xxxx, 9.4.13.v2018xxxx, and 9.4.14.v2018xxxx with no luck.

When trying to update the jar and its dependencies, ColdFusion 11 Server stops working. I’m unable to reach the CF admin UI. I see errors stating “Unable to initialize Monitoring service”.

Is there no way to update the jetty jars within ColdFusion 11 without the system not working?

Comments (3)
2019-01-14 15:47:40

I was informed by Support that Adobe was working on an update to CF 11 to address the jetty issue. They didn’t give me an ETA on Update 16.

2018-12-31 15:36:42

I’ll reach out to them to see what suggestions they have.

Thanks

2018-12-19 22:01:20

I would be contacting CF Support on this one – CFsup@adobe.com
