Skip to main content
January 13, 2014
Answered

When will Coldfusion 10 be updated with a newer version of Tomcat, to support PCI compliance?

  • January 13, 2014
  • 4 replies
  • 2843 views

Hello,

McAfee Scan Alert is reporting that Tomcat version 7.0.23.0 is not pci compliant.

We're on CF10 and just updated to update 12.

We've read in another thread that Tomcat is specialized for CF and that

CF should be updating Tomcat as needed.

The complete Scan Alert warning is:

Scan indicates that you are using a vulnerable version of apache tomcat web server. The version of tomcat deployed on this web server may be outdated and vulnerable to a host of issues (including but not limited to)

- denial of service attacks

- directory traversal

- default admin passwords

- execution of code by arbitrary file uploads

- bypassing of access restrictions

- cross-site scripting

- session fixation

- bypass of CSRF prevention filter

Thanks in advance,

-Mike

This topic has been closed for replies.
Correct answer CutterBl

Ok. I had the conference call and here is what I found out. To the immediate question, CF10 will have an updated Tomcat mid to late this year. They (Adobe people) had some configuration questions about the environment that was scanned. I could not answer that as I'm going on second hand information. Their question was, what web server is being used: IIS, Apache, or stand-alone CF server. They suspect the stand-alone server because under IIS or Apache, the Tomcat version that CF is using should not be a factor nor even visible to the scanner. We this a stand-alone CF server, meaning was CF acting as the web server? A second guess was that proper lock-downs were not applied to the server as, like previously mentioned, the CF Tomcat should not be visible to the scanner.

These were guesses and I'm working to confirm this theory because like I previously stated, my company is VERY security conscience. Adobe has committed to work with us and our scanning vendor directly if our testing determines it is an issue for us. I feel much better since the conf call. Thanks Adobe.


Yes, Steve, if your site is running on the built-in server (something that Adobe only suggests for development, and never in production), then Tomcat would be directly accessible. If CF is running on Apache or IIS, with the lockdown procedures in place as specified in the lockdown guide, then Tomcat should not be directly accessible.

4 replies

Legend
June 30, 2014

+1

Participant
June 27, 2014

Has there been any update from Adobe on when they're going to update the modified version of Tomcat that's included with CF 10? It's now almost July, and I've been having to tell our client's security officers for months that Adobe hasn't upgraded, and CF 10 is not passing the security scan.

Legend
January 13, 2014

I'm slightly confused. With the old pre-Tomcat version of CF, you could "usually" upgrade to the latest and greatest Java runtime. Is that no longer the case?

January 13, 2014

Hi Steve,

I read that information from:

http://blogs.coldfusion.com/post.cfm/what-s-the-deal-with-tomcat-in-coldfusion-10

>Yes, the in-built server in ColdFusion 10 is a modified version of Tomcat.

...

>That’s all good, but how do I upgrade the in-built Tomcat, in case Tomcat comes out with a critical fix or a security fix?

>Well, ColdFusion 10 now has an amazing delivery mechanism with hotfix notification and installer. We will use the same infrastructure to keep

>the Tomcat engine updated. CF-Tomcat update should be available soon after Tomcat comes out with any critical fix. We will also make the >same available for you to download and use.

Legend
January 14, 2014

That is somewhat alarming to read and puts the breaks on a CF9-->CF10 project we have. Being a payment gateway we are very sensitive to reported vulnerabilities and getting them patched or plugged ASAP -- for both PCI and the fact that we have a lot on the line. If Adobe's JRUN patching timeframes are any indication of Adobe's Tomcat patching timeframes, this will be a non-starter for us with CF10 and above. With CF9 it was (is) easy to upgrade the JAVA runtime to the latest that Oracle has to offer. Ugh!

vishu_13
Inspiring
January 13, 2014

I am sure Mike you/me/ and every CF user   will get a notification (  public blog) once the version of Tomcat will be upgraded