Participant
October 9, 2017
Question

Is CF 10 impacted by Tomcat CVE-2017-12615 or CVE-2017-12617?

  • October 9, 2017
  • 3 replies
  • 893 views

Hi:

Is ColdFusion 10 impacted by the Tomcat CVE-2017-12615 and/or CVE-2017-12617 vulnerabilities?

Thank you in advance

ted


3 replies

Inspiring
October 11, 2017

In a stock ACF install, no, you should not be vulnerable to it. From the CVE(s):


>> When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false)


The default setting for the default servlet in ACF 11 on the readonly setting is true. You can verify this by looking at /cfusion/runtime/conf/web.xml and looking for <servlet-name>default</servlet-name>. Unless it explicitly declares <readonly>false</readonly> then you are using the default value of true and not vulnerable to these exploits.
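The web.xml check described in this reply, written out as an added script (it is not from the thread or from Adobe): it parses a Tomcat web.xml, finds the servlet named default, and reports whether its readonly setting leaves the servlet writable. Tomcat expresses that setting as an init-param named readonly on the default servlet, with the parameter absent meaning read-only; the two web.xml fragments below are constructed samples, and cfusion/runtime/conf/web.xml is the path the reply names.

```python
import xml.etree.ElementTree as ET


def default_servlet_readonly(web_xml_text: str) -> bool:
    """True if the 'default' servlet is read-only (Tomcat's default), False if web.xml
    sets its readonly init-param so that PUT/DELETE are accepted."""
    root = ET.fromstring(web_xml_text)
    # web.xml may or may not carry the Java EE namespace; take the prefix from the root tag
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    for servlet in root.iter(ns + "servlet"):
        if servlet.findtext(ns + "servlet-name", default="").strip() != "default":
            continue
        for param in servlet.iter(ns + "init-param"):
            if param.findtext(ns + "param-name", default="").strip() == "readonly":
                value = param.findtext(ns + "param-value", default="").strip()
                # Tomcat reads this with Boolean.parseBoolean: only "true" (any case)
                # keeps the servlet read-only; any other value makes it writable
                return value.lower() == "true"
        return True  # no readonly init-param at all: Tomcat's default is true
    raise ValueError("no <servlet-name>default</servlet-name> entry in web.xml")


def check_web_xml(path: str) -> bool:
    """Same check against a file on disk, e.g. cfusion/runtime/conf/web.xml."""
    with open(path, encoding="utf-8") as fh:
        return default_servlet_readonly(fh.read())


# Constructed sample (not from any real install): stock layout with no readonly param
SAFE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""

# Constructed sample of the weak setting the CVE text describes: readonly set to false
WRITABLE_WEB_XML = SAFE_WEB_XML.replace(
    "  </servlet>",
    "    <init-param><param-name>readonly</param-name>"
    "<param-value>false</param-value></init-param>\n  </servlet>",
)

if __name__ == "__main__":
    for label, text in (("stock", SAFE_WEB_XML), ("readonly=false", WRITABLE_WEB_XML)):
        state = "read-only" if default_servlet_readonly(text) else "WRITABLE (PUT accepted)"
        print(f"{label}: {state}")
```

Point check_web_xml at the real conf/web.xml; a return value of False is the configuration the CVE text calls out and should be treated as a finding.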

Legend
October 10, 2017

It is affected in some cases where default settings are not used; however, if you disable the HTTP PUT verb and also disable all non-essential file extensions, like .jsp, you could protect yourself.

Inspiring
October 10, 2017

It most likely will be, as the latest update to CF 10 uses Tomcat 7.0.75.

CF 10 is end of life now so there will be no more updates to it.