Skip to main content
M
miki
Known Participant
March 31, 2023
Question

Is CF 2021 affected by the following Tomcat 9 CVEs?

  • March 31, 2023
  • 1 reply
  • 1167 views

I see that patch 4 upgrades tomcat to Tomcat 9.0.60 but i have a current nessus scan in hand of my CF2021patch 6 server and it contains one critical severity and 3 high severity vulnerabilities in Tomcat 9 as follows:

 

Plugin

Plugin Name

Severity

CVE

173251

Apache Tomcat 9.0.0.M1 < 9.0.72

Critical

CVE-2023-28708

166906

Apache Tomcat 9.0.0-M1 < 9.0.68 Request Smuggling Vulnerability

High

CVE-2022-42252

169459

Apache Tomcat 9.0.40 < 9.0.69

High

CVE-2022-45143

171657

Apache Tomcat 9.0.0.M1 < 9.0.71

High

CVE-2023-24998

 

I searched the forum for posts about these, but mostly what i got was 2016 CVEs and Tomcat 9.0.60. 

 

I know that in some cases a CVE might not affect CF because the tomcat functionality isn't being used, so I am wondering if that is true for these in particular or if there is a way to mitigate these while Adobe works on integrating newer tomcats into CF patches.

 

We are running CF2021 patch 6 on windows 2019 with IIS 10

 

Thanks

    This topic has been closed for replies.

    1 reply

    Charlie Arehart
    Community Expert
    Charlie ArehartCommunity Expert
    Community Expert
    April 1, 2023

    Yes, we are vulnerable. No, we cannot update the Tomcat within cf. Not heard any discussion of whether the vulns are something we should NOT be concerned about. Sad that we have to wait so long for Adobe to provide such important new tomcat updates. 

     

    But someone may have a different/more well-informed opinion, of course. 

     

    /Charlie (troubleshooter, carehart. org)
    P
    PatrickHolway
    Participating Frequently
    November 23, 2023

    Hey @Charlie Arehart I was expecting update 12 to also upgrade Tomcat to 9.0.81 but alas no joy. Wonder if 13 will - you have any inside info? 🙂 Happy thankgiving sir.

    Charlie Arehart
    Community Expert
    Charlie ArehartCommunity Expert
    Community Expert
    November 23, 2023

    Well, sadly, no. It did not. It's the same situation as above: we simply must wait for Adobe. No news shared on any plans for 13.

    And thanks for the kind regards, but no, I don't get any insider/advanced info about the updates: even when they are released is as much surprise for me as anyone...which is challenging as I like to get news out about them on my blog and/or to my clients. So I am often really scrambling the day they come out, to identify any issues that might occur before the the news may come out in days to follow.

    /Charlie (troubleshooter, carehart. org)
    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices