Received information that a vulnerability (CVE-2018-11776) has been identified for web-based applications with the Tomcat, Apache and Coyote frameworks. We are currently using ColdFusion 10,283111 and I am not sure how to verify if we are at risk or not. Anyone know how I could get that information or find out if that vulnerability is applicable to CF10?
More info on the CVE:
CVE-2018-11776 is a remote code execution flaw that allows an attacker to gain control over Struts-based web applications.
ColdFusion doesn't ship with the Struts framework. It is a popular java framework for building web applications, see: the Apache Struts project -
Do you have any custom Java code? You could have potentially added Struts to your CF server with some customization, but that is not very common.
My guess is that whatever scanner was used simply saw that you are running Tomcat and flagged the issue. I'd press back at the scanning vendor to see what their detection method is. If they are simply looking at Tomcat and flagging the issue that would yield tons of false positives.
Thank you for the information, I will pass that along to the scanning vendor! Would it be fair to say that if we are using IIS as a web server that is a safe indication that we are not using Apache Struts, therefore not at risk for this particular issue? Or is there a way on the server I can verify that Apache Struts is not being used?
Wes - you could still be using Struts through IIS, so that does not rule it out. But as I said struts is not something that ships with ColdFusion so it would not be there unless someone wrote an application using struts at your organization.
One way to check would be to search your server for any jar file with "struts" in the name, e.g. struts2-core-2.5.17.jar. Another thing you can do is compile a list of jar files on your server and compare that list with the list of jar files that ship with CF; any files not on the list would be ones that you may have added manually.
Hope that helps!