Greetings,
I have received the following vulnerability scan report from our security team for our CF2023 Enterprise on Tomcat.
Installed version : 9.0.93
Fixed version : 9.0.96
Plugin Description:
The version of Tomcat installed on the remote host is prior to 9.0.96. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.96_security-9 advisory.
- Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue. (CVE-2024-52317)
- Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue. (CVE-2024-52316)
Do we have an ETA on an upcoming security patch to resolve that issue? I have the latest CF patches installed.
I also have two questions from our security team that I would need help on. Greatly appreciate any input.
1. Can you please confirm whether Tomcat is used as a front end for the user-facing parts of the application, or whether it is part of an administration portal?
2. Can you let us know if the application uses the Tomcat Jakarta Authentication scheme, and in particular, the ServerAuthContext function?
Regards,
Simon Litvak
UC Berkeley
Hi Simon, thanks for the alert. The current fix for "important" issues is Apache Tomcat 9.0.98
Thanks BKBK,
Is it accepted practice to update Apache Tomcat directly in CF2023 and not wait for the official CF patch release? I can request an exception from my security team and hopefully get it.
Regards,
Simon
Hi Simon,
Alas, no. It is not accepted practice to update Apache Tomcat directly in ColdFusion 2023 yourself. The reason is complexity. You don't know - and so cannot take care of - the many dependencies that must be satisfied when Tomcat is integrated in ColdFusion.
The Adobe team knows, of course. Which is why it is their responsibility to update the Apache Tomcat version.
You are almost certainly not using JASPIC/Jakarta Authentication. As for whether you're using Tomcat as a front end, I would interpret front end as "web server". So, if you're using Apache HTTPD or IIS as your web server, I'd say you're not using Tomcat as a front end.
It might be possible for you to exclude Tomcat from security scans by careful firewall setup, blocking external access to Tomcat entirely.
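To answer the security team's "front end" question and to decide whether a scanner can reach Tomcat at all, a practical check is to look at which Tomcat connectors are bound to non-loopback addresses, and to confirm whether the installed version actually sits inside the advisory's affected window. The script below is an added example written for this thread, not code from Adobe, the Tomcat project, or any poster. The server.xml fragment it parses is a constructed sample (port numbers and the AJP secret are placeholders); on a real install you would point it at the server.xml under your ColdFusion instance's runtime/conf directory, and the exact path is an assumption you must verify.

```python
"""Triage helpers for a Tomcat vulnerability-scan finding.

Added example for this thread; not the project's own code.
1. parse_connectors(): list every <Connector> in server.xml and how it binds.
2. externally_bound(): the connectors a remote scanner could fingerprint
   (anything not confined to loopback), subject to host/network firewalls.
3. in_affected_range(): is the installed release inside the advisory's
   "from X through Y" window? Handles plain x.y.z releases only; milestone
   tags such as 9.0.0-M1 are deliberately not handled.
"""
import xml.etree.ElementTree as ET

# Constructed sample server.xml for demonstration only (not a real config).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- no 'address' attribute: Tomcat binds on all interfaces -->
    <Connector port="8500" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- AJP used by an IIS/Apache front end; confined to loopback -->
    <Connector port="8018" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER-SECRET"/>
    <!-- explicit wildcard bind -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               address="0.0.0.0"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_connectors(xml_text):
    """Return one dict per <Connector>: port, protocol, bind address, TLS flag."""
    root = ET.fromstring(xml_text)
    connectors = []
    for conn in root.iter("Connector"):
        connectors.append({
            "port": int(conn.get("port")),
            "protocol": conn.get("protocol", "HTTP/1.1"),
            # None means Tomcat listens on every interface.
            "address": conn.get("address"),
            "ssl": conn.get("SSLEnabled", "false").lower() == "true",
        })
    return connectors


def externally_bound(connectors):
    """Connectors not confined to loopback, i.e. reachable by a remote scanner
    unless a firewall blocks the port. A loopback-only AJP connector behind
    IIS/Apache is the 'Tomcat is not the front end' case."""
    return [c for c in connectors
            if c["address"] is None or c["address"] not in LOOPBACK]


def version_tuple(version):
    """'9.0.93' -> (9, 0, 93). Raises ValueError on milestone tags like 9.0.0-M1."""
    return tuple(int(part) for part in version.split("."))


def in_affected_range(installed, first_affected, last_affected):
    """True when first_affected <= installed <= last_affected (inclusive,
    matching the advisory's 'from X through Y' wording)."""
    return (version_tuple(first_affected)
            <= version_tuple(installed)
            <= version_tuple(last_affected))


def report(xml_text, installed, first_affected, last_affected):
    """Human-readable summary; returns the lines so callers can log them."""
    lines = []
    for c in externally_bound(parse_connectors(xml_text)):
        bind = c["address"] or "all interfaces"
        lines.append(f"exposed: {c['protocol']} port {c['port']} bound to {bind}"
                     f"{' (TLS)' if c['ssl'] else ''}")
    hit = in_affected_range(installed, first_affected, last_affected)
    lines.append(f"installed {installed} inside affected range "
                 f"{first_affected}..{last_affected}: {hit}")
    return lines


if __name__ == "__main__":
    # Values from the advisory quoted in the thread for CVE-2024-52317.
    for line in report(SAMPLE_SERVER_XML, "9.0.93", "9.0.92", "9.0.95"):
        print(line)
```

In the constructed sample, the AJP connector is loopback-only and would not be seen by a scanner, while the two HTTP connectors would; if your real server.xml looks like that and IIS or Apache HTTPD is the front end, the remaining exposure is only the directly bound HTTP ports, which a host firewall can close off as Dave suggests. The version check uses the inclusive "from X through Y" ranges exactly as the advisory states them.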
Thanks Dave and BKBK,
Hi Simon,
ColdFusion 2023 is apparently not threatened by this. See the new thread on Apache Tomcat 9.0.98.