Can someone tell me what Jetty is? There is folder...
# cfml-general
t
Can someone tell me what Jetty is? There is a folder in the cfusion install named jetty. Inside of that is a JRE folder. Our security group states that it found an old JRE (1.10.0) in /jetty that is EOL. They are saying to upgrade it. Trying to discover what it is. Why it is there. Shouldn’t it have been upgraded automatically with hotfixes? And most importantly, what is the best course of action?
f
you have to update the JVM for jetty yourself, this is covered in the lockdown guide
Jetty is a java servlet container like tomcat, it is used to create an internal server in ColdFusion that is used by the “ColdFusion Add on Services” service
t
@foundeo What is Jetty?
@foundeo We must have been typing at the same time 😄
f
so for example if you use cfhtml2pdf, the tag will send a request to the internal jetty server to generate the pdf, and return the result
t
Thank you!
I’ll turn to the lock down guide.
f
yep, has info in there, including which tags use jetty, so you might just be able to turn it off if you don’t need it
t
Thank you!
So there is a JRE in ColdFusion root also. What is the difference between that one and the one in /jetty?
f
both are just bundled with coldfusion install - I think possibly at one point they might have been different versions, you can point both CF and Jetty to a single JVM
t
I think, and I am still verifying, that my predecessor did that, and he pointed it to a different version altogether. The CF admin for this instance declares that the Java version is 11.0.14
I am about to view the jetty script and see if he already modified it also
I can’t find the jetty.lax file described in the guide. 😞
b
To be clear, the Jetty install inside the add on services is different than the Jetty install bundled in the actual CF install
And it's not clear which one you're referring to
Adobe's add on services, such as the htmltopdf wrapper, do run on a Java app deployed to Jetty. But the actual ColdFusion server itself also contains the Jetty wars as well for the monitoring service which runs inside the JVM, but has a separate HTTP listener which is not tied to Tomcat. cc/ @foundeo
The short answer is you really can't update Jetty. You need to reach out to Adobe and ask them to update it, assuming you're on a supported version of ColdFusion 😉
an old JRE (1.10.0)
I find it hard to believe Java 1 was literally in your CF home. Or that even Jetty 1 was included (Both Sun Java and Jetty 1.0 came out in 1995 and were out of support before ColdFusion was ever even written in Java!)
Can you get specific information on what exact jars are tripping their radar?
It's much more likely that there was a version of Log4j 1.x inside the Jetty home, which was actually the case recently.
@TEMann
t
Yeah brad. No Log4j (though I am having to deal with that on other non-CF servers)
e
A testament and selling point of ColdFusion is that some of the code is old enough to have kids in college and yet, remains as secure, useful, and viable as it did when it was created. Provided the engine itself is updated.