New Participant
March 6, 2020
Question

ColdFusion and response to Ghostcat vulnerability in Tomcat

  • March 6, 2020
  • 2 replies
  • 1382 views

Recently, I have become aware of Ghostcat, a vulnerability in the Tomcat AJP protocol that can be exploited to read file contents and access source code and configuration files. If the servers allow file uploads, the flaw can also be exploited to remotely execute code. Dubbed GhostCat because it has existed in Tomcat for more than a decade, the vulnerability affects Tomcat versions 6.x, 7.x, 8.x, and 9.x. Apache Tomcat has released versions 9.0.31, 8.5.51, and 7.0.100 to address the issue.

Since Tomcat is embedded in ColdFusion Server, is there a plan for patching ColdFusion to account for this issue? Is there a way to mitigate the problem until such a patch is implemented? Is there a way to patch the Tomcat on the server without a ColdFusion patch?

My company is currently running ColdFusion 2016.

Thank you for any suggestions you might have.


    WolfShade
    Brainiac
    March 6, 2020

    To add to what Dave has stated, I did some Google searching and found an article that states the vulnerability exists _only_ if a site/app allows uploads. So, if you do not allow users to upload files, you should be fine.

    Here's the article I found.

    HTH,

    ^ _ ^

    Community Expert
    March 6, 2020

    I would expect a security patch from Adobe for CF 2016 and CF 2018 soon. I don't think you can patch that yourself, because Adobe customizes the Tomcat connector that uses AJP. On the bright side, my understanding is that this is something you should be able to effectively lock down with other tools, like a host-based firewall. If you limit the AJP port so that it only accepts connections from the machine running CF, you should be safe from remote attacks. I took a look at the server.xml file for CF 2016 to see if this was locked down by default, but didn't find any indication that it was.

     

    Dave Watts, Eidolon LLC

    Dave Watts, Eidolon LLC
    christophern92966137
    Inspiring
    March 9, 2020
    Community Expert
    March 26, 2020

    Sorry for the slow reply, I kind of respond to these when I have free time and can get to them. I honestly don't know enough about how it works, or what the requiredSecret attribute does, to answer that question. But the article that Wolfshade found indicates that you need to be able to directly connect to Tomcat's open AJP port, which should limit potential attacks to those locations inside your firewall.

     

    Dave Watts, Eidolon LLC

    Dave Watts, Eidolon LLC
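A way to check whether a Tomcat server.xml (the file Dave looked at) exposes AJP the way Ghostcat needs, covering both points raised above: the bind address of the AJP port and the requiredSecret attribute. This is an added example, not code from the thread or from Adobe; it assumes Python 3 and uses constructed server.xml fragments, and relies on the fact that the fixed Tomcat releases renamed requiredSecret to secret.

```python
import xml.etree.ElementTree as ET

# Addresses that keep AJP reachable only from the machine running ColdFusion.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector in the given server.xml text.

    Each finding is a dict with the connector's port, bind address and a list
    of issues; an empty issue list means the connector looks locked down.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        # Unpatched Tomcat binds AJP to every interface when address is unset.
        address = conn.get("address", "all interfaces")
        # requiredSecret is the pre-fix attribute name; the fixed releases
        # (9.0.31 / 8.5.51 / 7.0.100) call it secret.
        secret = conn.get("secret") or conn.get("requiredSecret")
        issues = []
        if address not in LOOPBACK:
            issues.append("listens on %s rather than loopback" % address)
        if not secret:
            issues.append("no AJP secret (secret/requiredSecret) configured")
        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


# Constructed sample fragments, not taken from a real ColdFusion install.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="replace-with-a-long-random-value"/>
</Service></Server>"""

if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for finding in audit_ajp_connectors(xml_text):
            print(label, finding)
```

Point it at the real server.xml with `audit_ajp_connectors(open(path).read())`; a loopback address plus a secret matches the lock-down Dave describes, and a host firewall on the AJP port is the belt-and-braces layer on top.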