My answer would be: yes, they always do eventually offer an update which updates the Tomcat. But the problem is we don't know when, and it has sometimes lingered for over a year. Also, sadly, we can't update it ourselves, as it's a custom implementation of tomcat.
What's one to do?
1) Well, as bkbk said you can file a bug report (or add a vote to one already created).
2) Another option is to run cf atop a Tomcat that you implement yourself, deploying cf as a war file. That's an option offered on running the cf installer (to create that war file), or it can be created from within the cf admin, package mgt section. This war file can be deployed in tomcat or any Java app server. (Lucee also offers this deployment option of running it as a war file.)
Unfortunately, running such a CF war in production requires a license--and Adobe currently ptevents running as a war if a CF Standard license key is implemented. This is also why Commandbox cannot run cf with a Standard license. I do really wish Adobe would lift that limitation, for both reasons.
Running cf (or lucee) via a war file does entail learning use of aspects of tomcat that normally hidden from those who run cf the "normal" way. Also, various config folders are in quite different locations, which challenges using traditional help resources (written and human). But desperate times call for desperate measures, and I wanted to clarify this is an option.
3) Finally, some folks simply present the situation to their security folks and seek an exception while awaiting Adobe to finally implement the update.
Hope that's a little more clarifying for you, even if more conciliatory than comforting.
/Charlie (troubleshooter, carehart.org)
6
Replies
AdChoices