Jun 18, 2018

Nessus Security Scans can cause ColdFusion CPU spike

If your organization uses Nessus for security scans you might see an issue around the Jetty service ColdFusion uses for the PDFG service.

Some ColdFusion accounts are reporting the same behavior after one of these scans is run against a CF server. Looking at the IIS or Apache logs shows clear indications of hundreds of erroneous requests made to the web server in an attempt to find a way into it.

Part of the scan most likely includes a port scan prior to the penetration test, which means it finds the Jetty connector port.

Here is a forum thread which provides one of the initial reports of the issue.

I have since provided this workaround to several customers and they have all seen the CPU spikes disappear.

Here is the edit you need to make:

  1. Go to \ColdFusion2016\cfusion\lib\
  2. Open "jetty.xml" and search for port "5500" on the Connector line.
  3. The Host attribute shows "0.0.0.0"; replace it with 127.0.0.1.
  4. Save the changes and restart the respective ColdFusion Application service.
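The edit above is a one-line change, but on a fleet of servers it is worth auditing every connector binding and only rewriting the one on port 5500 that is listening on all interfaces. The script below is an added example and is not Adobe's code or part of the original post. It assumes jetty.xml follows Jetty's usual `<Set name="host">` / `<Set name="port">` configuration idiom (the sample file embedded in it is constructed for the demo); check the real file's element names before running it against a live install.

```python
"""Audit the Jetty connector bindings in a ColdFusion jetty.xml and rebind
the PDFG/Server Monitor connector (port 5500) from 0.0.0.0 to 127.0.0.1.

Added example, not Adobe's code. It assumes the Jetty XML idiom
<Set name="host">...</Set> / <Set name="port">...</Set> inside a <New>
connector element; the real file may differ, so inspect it first.
"""
import shutil
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on Jetty's XML configuration idiom (not the
# real ColdFusion file): the first connector listens on every interface,
# the second is already loopback-only and must be left alone.
SAMPLE_JETTY_XML = """<?xml version="1.0"?>
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
        <Set name="host">0.0.0.0</Set>
        <Set name="port"><SystemProperty name="jetty.port" default="5500"/></Set>
        <Set name="maxIdleTime">30000</Set>
      </New>
    </Arg>
  </Call>
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
        <Set name="host">127.0.0.1</Set>
        <Set name="port">8987</Set>
      </New>
    </Arg>
  </Call>
</Configure>
"""

ANY_ADDRESS = "0.0.0.0"   # binds every interface: reachable by a network scan
LOOPBACK = "127.0.0.1"    # binds localhost only: what the post recommends


def _setting(connector, name):
    """Return the direct <Set name="..."> child of a connector, or None."""
    for child in connector.findall("Set"):
        if child.get("name") == name:
            return child
    return None


def _port_value(set_elem):
    """Resolve a port either from literal text or a SystemProperty default."""
    text = (set_elem.text or "").strip()
    if text.isdigit():
        return int(text)
    prop = set_elem.find("SystemProperty")
    if prop is not None and (prop.get("default") or "").isdigit():
        return int(prop.get("default"))
    return None


def audit_connectors(xml_text):
    """List (port, host) for every connector that declares a port."""
    root = ET.fromstring(xml_text)
    findings = []
    for connector in root.iter("New"):
        port_elem = _setting(connector, "port")
        host_elem = _setting(connector, "host")
        if port_elem is None:
            continue
        host = (host_elem.text or "").strip() if host_elem is not None else ""
        findings.append((_port_value(port_elem), host))
    return findings


def bind_to_loopback(xml_text, port=5500):
    """Return (new_xml, changed): connectors on `port` bound to 0.0.0.0 are
    rewritten to 127.0.0.1; every other connector is left untouched."""
    root = ET.fromstring(xml_text)
    changed = 0
    for connector in root.iter("New"):
        port_elem = _setting(connector, "port")
        host_elem = _setting(connector, "host")
        if port_elem is None or host_elem is None:
            continue
        if _port_value(port_elem) == port and (host_elem.text or "").strip() == ANY_ADDRESS:
            host_elem.text = LOOPBACK
            changed += 1
    # ET.tostring drops the <?xml ...?> declaration; Jetty does not need it.
    return ET.tostring(root, encoding="unicode"), changed


def harden_file(path, port=5500):
    """Back up jetty.xml to path + '.bak', rewrite it, return connectors changed."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    new_xml, changed = bind_to_loopback(original, port)
    if changed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_xml)
    return changed


if __name__ == "__main__":
    # With a path argument (e.g. \ColdFusion2016\cfusion\lib\jetty.xml) edit the
    # real file; without one, demonstrate on the constructed sample.
    if len(sys.argv) > 1:
        print("connectors rebound:", harden_file(sys.argv[1]))
    else:
        print("before:", audit_connectors(SAMPLE_JETTY_XML))
        fixed, n = bind_to_loopback(SAMPLE_JETTY_XML)
        print("after: ", audit_connectors(fixed), "changed:", n)
```

After restarting the ColdFusion Application service, confirm the result from the server itself: `netstat -ano | findstr 5500` (Windows) or `ss -ltnp | grep 5500` (Linux) should show the listener on 127.0.0.1 rather than 0.0.0.0, and a subsequent Nessus run should no longer find the port.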

Port 5500 relates to a ColdFusion feature which allows the Server Monitor client to communicate on its own IP\port. It is unlikely you are using this feature, so I would also recommend unchecking it if you are not.


So if you are seeing CPU spikes across multiple servers, and across Dev and Test, this could be your issue.

