Skip to main content
wesleyw98558639
wesleyw98558639
Participant
September 5, 2018
Answered

CF10 Framework Vulnerability Question

  • September 5, 2018
  • 1 reply
  • 628 views

Received information that a vulnerability (CVE-2018-11776) has been identified for web-based applications with the Tomcat, Apache and Coyote frameworks. We are currently using ColdFusion 10,283111 and I am not sure how to verify if we are at risk or not.  Anyone know how I could get that information or find out if that vulnerability is applicable to CF10?

More info on the CVE:

CVE-2018-11776 is a remote code execution flaw that allows an attacker to gain control over Struts-based web applications.

    This topic has been closed for replies.
    Correct answer pete_freitag

    ColdFusion doesn't ship with the Struts framework. It is a popular java framework for building web applications, see: the Apache Struts project  -

    Do you have any custom java code? you could have potentially added Struts to your CF server with some customization, but that is not very common.

    My guess is that whatever scanner was used simply saw that you are running Tomcat and flagged the issue. I'd press back at the scanning vendor to see what their detection method is. If they are simply looking at Tomcat and flagging the issue that would yield tons of false positives.

    --

    Pete Freitag

    Foundeo Inc.

    1 reply

    pete_freitag
    pete_freitagCorrect answer
    Participating Frequently
    September 5, 2018

    ColdFusion doesn't ship with the Struts framework. It is a popular java framework for building web applications, see: the Apache Struts project  -

    Do you have any custom java code? you could have potentially added Struts to your CF server with some customization, but that is not very common.

    My guess is that whatever scanner was used simply saw that you are running Tomcat and flagged the issue. I'd press back at the scanning vendor to see what their detection method is. If they are simply looking at Tomcat and flagging the issue that would yield tons of false positives.

    --

    Pete Freitag

    Foundeo Inc.

    wesleyw98558639
    wesleyw98558639Author
    Participant
    September 5, 2018

    Pete,

    Thank you for the information, I will pass that along to the scanning vendor!  Would it be fair to say that if we are using IIS as a web server that is a safe indication that we are not using Apache Struts, therefore not at risk for this particular issue?  Or is there a way on the server I can verify that Apache Struts is not being used?

    Thanks,

    Wes

    pete_freitag
    pete_freitag
    Participating Frequently
    September 5, 2018

    Wes - you could still be using Struts through IIS, so that does not rule it out. But as I said struts is not something that ships with ColdFusion so it would not be there unless someone wrote an application using struts at your organization.

    One way to check would be to search your server for any jar file with "struts" in the name, eg: struts2-core-2.5.17.jar - another thing you can do is compile a list of jar files on your server, and compare that list with the list of jar files that ship with CF, any files not on the list would be ones that you may have added manually.

    Hope that helps!

    --

    Pete Freitag

    Foundeo Inc.

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices