Known Participant
December 18, 2024
Question

ColdFusion CF2023 enterprise Tomcat vulnerability

  • December 18, 2024
  • 2 replies
  • 853 views

Greetings,

I have received the following vulnerability scan report from our security team for our CF2023 Enterprise on Tomcat.

Installed version : 9.0.93
Fixed version     : 9.0.96

Plugin Description:
The version of Tomcat installed on the remote host is prior to 9.0.96. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.96_security-9 advisory.

- Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue. (CVE-2024-52317)

- Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue. (CVE-2024-52316)

Do we have any ETA on an upcoming security patch to resolve that issue? I have the latest CF patches installed.

I also have two questions from our security team that I would need help on. Greatly appreciate any input.

1. Can you please confirm whether Tomcat is used as a front end for the user-facing parts of the application, or whether it is part of an administration portal?

2. Can you let us know if the application uses the Tomcat Jakarta Authentication scheme, and in particular, the ServerAuthContext function?

Regards,

Simon Litvak

UC Berkeley
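The scan output above already names the fixed version, but what decides whether a particular Tomcat build is in scope is the set of affected ranges quoted in the advisory text, and milestone builds such as 9.0.0-M1 or 11.0.0-M23 do not compare correctly as plain dotted numbers (a milestone precedes the final release of the same number). The following is an added example, not code from the original post, from Adobe or from the scanner vendor: it encodes exactly the ranges quoted in the advisory text above and reports which of the two CVEs a given installed version falls under. The version strings it is run against are the one from the report plus a few constructed ones for contrast.

```python
import re
from typing import List, Tuple

# Affected ranges copied from the advisory text quoted in the scan report.
ADVISORY = {
    "CVE-2024-52317": [("11.0.0-M23", "11.0.0-M26"), ("10.1.27", "10.1.30"), ("9.0.92", "9.0.95")],
    "CVE-2024-52316": [("11.0.0-M1", "11.0.0-M26"), ("10.1.0-M1", "10.1.30"), ("9.0.0-M1", "9.0.95")],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '9.0.93' or '11.0.0-M23' into a sortable tuple.

    The fourth field is 1 for a final release and 0 for a milestone, so
    11.0.0-M26 sorts before 11.0.0, matching how the advisory lists them.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def affected_by(installed: str) -> List[str]:
    """Return the CVE ids (sorted) whose quoted ranges include the installed version."""
    v = parse_version(installed)
    hits = []
    for cve, ranges in sorted(ADVISORY.items()):
        for low, high in ranges:
            if parse_version(low) <= v <= parse_version(high):
                hits.append(cve)
                break  # one matching range per CVE is enough
    return hits


if __name__ == "__main__":
    # 9.0.93 is the installed version from the report; the rest are constructed.
    for ver in ("9.0.93", "9.0.96", "9.0.91", "11.0.0-M22", "11.0.0"):
        print(ver, "->", affected_by(ver) or "not in an affected range")
```

For ColdFusion the version that matters is the one Adobe bundles with the current CF update, so run the check against the Tomcat build actually present in the install rather than against the upstream release list. A range hit only says the code is present; it says nothing about whether the vulnerable path is reachable, which for CVE-2024-52317 requires HTTP/2 to be enabled on a connector and for CVE-2024-52316 requires a custom ServerAuthContext to be configured.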

This topic has been closed for replies.

Community Expert
December 20, 2024

You are almost certainly not using JASPIC/Jakarta Authentication. As for whether you're using Tomcat as a front end, I would interpret front end as "web server". So, if you're using Apache HTTPD or IIS as your web server, I'd say you're not using Tomcat as a front end.

It might be possible for you to exclude Tomcat from security scans by careful firewall setup, blocking external access to Tomcat entirely.

Dave Watts, Eidolon LLC
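Before relying on the firewall alone, it is worth confirming what Tomcat itself is listening on, since that is also what the security team's first question (is Tomcat user-facing or not) comes down to. In Tomcat's server.xml a Connector with no address attribute binds to every interface, so a connector meant only for the IIS or Apache web-server connector should carry address="127.0.0.1" (or ::1). The following is an added example, not code from this thread or from Adobe, that lists the connectors in a server.xml that are not bound to a loopback address. The sample XML is constructed for the demonstration, and the assumed location of the real file in a ColdFusion 2023 install, cfusion/runtime/conf/server.xml, is an assumption rather than something stated in the thread.

```python
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample resembling a Tomcat server.xml; not copied from any
# ColdFusion installation. The real file is assumed to be
# cfusion/runtime/conf/server.xml (assumption, not from the thread).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- internal web server with no address attribute: listens on all interfaces -->
    <Connector port="8500" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- AJP connector for the IIS/Apache web-server connector, bound to loopback -->
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" secretRequired="true"/>
    <!-- a commented-out connector is dropped by the parser and therefore not reported:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/>
    -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def exposed_connectors(server_xml: str) -> List[Dict[str, str]]:
    """Return every <Connector> that is not bound to a loopback address.

    Such a connector is reachable from other hosts unless a firewall blocks
    it. Tomcat binds to all interfaces when the address attribute is absent,
    and defaults the protocol to HTTP/1.1 when that attribute is absent.
    """
    root = ET.fromstring(server_xml)
    exposed = []
    for conn in root.iter("Connector"):
        address = conn.get("address", "").strip()
        if address.lower() in LOOPBACK:
            continue
        exposed.append({
            "port": conn.get("port", "?"),
            "protocol": conn.get("protocol", "HTTP/1.1"),
            "address": address or "0.0.0.0 (all interfaces)",
        })
    return exposed


if __name__ == "__main__":
    # Pass a path to a real server.xml, or run without arguments for the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for c in exposed_connectors(text):
        print(f"port {c['port']} ({c['protocol']}) listens on {c['address']}")
```

On the sample this reports only port 8500, the internal web server, because the AJP connector is already bound to loopback. A connector that shows up here and is not meant to be public is the one to bind to 127.0.0.1 or to block at the host firewall, which also removes it from what an external scanner can see.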
Simon.edu (Author)
Known Participant
December 20, 2024

Thanks Dave and BKBK,

Appreciate your helpful input on the issue.

Regards,
Simon
BKBK
Community Expert
December 24, 2024

Hi Simon,

ColdFusion 2023 is apparently not threatened by this. See the new thread on Apache Tomcat 9.0.98.

BKBK
Community Expert
December 19, 2024

Simon.edu (Author)
Known Participant
December 19, 2024

Thanks BKBK,

Is it accepted practice to update Apache Tomcat directly in CF2023 and not wait for the official CF patch release? I can request an exception from my security team and hopefully get it.

Regards,

Simon

BKBK
Community Expert
December 20, 2024

Hi Simon,

Alas, no. It is not accepted practice to update Apache Tomcat directly in ColdFusion 2023 yourself. The reason is complexity. You don't know - and so cannot take care of - the many dependencies that must be satisfied when Tomcat is integrated in ColdFusion.

The Adobe team knows, of course. Which is why it is their responsibility to update the Apache Tomcat version.