
ColdFusion detection false positive?

Question asked by Nicholas Sveen on Jan 31, 2020
Latest reply on Feb 26, 2020 by Buck Bohac

Anyone ever experience false positive detections for Adobe ColdFusion 2016?  

I have rarely experienced any false positives from Qualys in the few years I have used it, so I'm struggling to accept that it may in fact be a false positive.

 

A server I'm scanning is running ColdFusion 2016 update 13 (2016.0.13.316217), but Qualys is flagging every version below 13 as missing:

D:\Apps\ColdFusion2016\cfusion\lib\updates\chf20160012.jar is missing
D:\Apps\ColdFusion2016\cfusion\lib\updates\chf20160011.jar is missing
D:\Apps\ColdFusion2016\cfusion\lib\updates\chf20160010.jar is missing
D:\Apps\ColdFusion2016\cfusion\lib\updates\chf20160008.jar is missing
D:\Apps\ColdFusion2016\cfusion\lib\updates\chf20160007.jar is missing
D:\Apps\ColdFusion2016\cfusion\lib\updates\chf20160006.jar is missing

 

ColdFusion 2016 updates are cumulative, so I would assume the version check would find the chf20160013.jar located on the server and dismiss all superseded QIDs.
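A cross-check for the situation described in the question, as an added example that is not part of the original post and is not Qualys's detection logic: it takes the "is missing" findings plus a listing of the updates directory and separates findings covered by an installed cumulative update from those that remain open. The `chf<release><update>.jar` naming is inferred from the file names in the post, the directory listing is constructed, and the function names are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# Assumed naming, inferred from the post: chf + 4-digit release + 4-digit update.
CHF_RE = re.compile(r"^chf(\d{4})(\d{4})\.jar$", re.IGNORECASE)

UPDATES_DIR = r"D:\Apps\ColdFusion2016\cfusion\lib\updates"
# Findings as quoted in the post.
FINDINGS = [rf"{UPDATES_DIR}\chf2016{n:04d}.jar is missing"
            for n in (12, 11, 10, 8, 7, 6)]
# Constructed directory listing, matching the post's statement that
# chf20160013.jar is on the server.
PRESENT = [rf"{UPDATES_DIR}\chf20160013.jar"]


def parse_chf(path):
    """Return (release, update) for a chf jar path, or None if it does not match."""
    m = CHF_RE.match(PureWindowsPath(path).name)
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(findings, present_files):
    """Split findings into (installed, covered, still_open).

    Assumes updates are cumulative, as the post states: a finding for
    update N is covered when an update >= N of the same release is present.
    Lines that cannot be parsed are never dismissed automatically.
    """
    installed = {}  # release -> highest update number found on disk
    for f in present_files:
        parsed = parse_chf(f)
        if parsed:
            rel, upd = parsed
            installed[rel] = max(installed.get(rel, 0), upd)

    covered, still_open = [], []
    for line in findings:
        parsed = parse_chf(line.rsplit(" is missing", 1)[0].strip())
        if parsed and installed.get(parsed[0], 0) >= parsed[1]:
            covered.append(line)
        else:
            still_open.append(line)
    return installed, covered, still_open


if __name__ == "__main__":
    installed, covered, still_open = triage(FINDINGS, PRESENT)
    print("highest installed update per release:", installed)
    print(f"{len(covered)} covered by a later update, {len(still_open)} still open")
```

Findings that land in the covered list are candidates for a false-positive report to the scanner vendor; anything in the open list still needs patching or manual review.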
