Joe Rybacek
Inspiring
August 10, 2016
Answered

Does Adobe have a timeline for providing a hotfix for Tomcat 7.0.70?


I know I've asked these questions before, but I'm curious if anyone can speak to when Tomcat bundled with ColdFusion 11 will be updated?

Tomcat is bundled as part of ColdFusion 11; previously Adobe has provided a hotfix to upgrade Tomcat. Is this something on the product road map?

Tomcat 7.0.70 fixes the following issue:


    Anit_Kumar
    Community Manager
    Correct answer
    August 12, 2016

    Hi Joe,

    CF is not impacted by CVE-2016-3092 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092

    Regards,

    Anit Kumar

    pete_freitag
    Participating Frequently
    August 12, 2016

    Thanks for providing that info, Anit! I have downgraded this from Important to Warning on the HackMyCF scanner. I still keep it as Warning because I think it is important to know in case your CFML code makes use of the vulnerable classes.

    I still hope Adobe plans to upgrade to Tomcat 7.0.70+ in CF10/11, and 8.0.36+ in CF2016 in the next update. It is important for many organizations.

    Charlie Arehart
    Community Expert
    August 7, 2019

    The original post occurred on August 16th, 2016 when ColdFusion 11 was still under support, but we never received the update to Tomcat.

    Now you are telling me that ColdFusion 2016 will receive that update, but it's been almost 3 years since this request. Do you have any sort of plan that gives us a more definitive answer on when we can expect this update?

    What sprint is it in? How frequently do you put out those types of changes? When will that sprint be headed to beta?


    Joe, the news is better than what you think--and than Priyank let on.

    First, to be clear, it is NOT true that "we never received the update to Tomcat" since "the original post occurred" in 2016. There have indeed been CF11 updates which HAVE updated the Tomcat embedded within CF since then. Multiple times, in fact. The last was update 15, in Sep 2018, whose technote indicates that it updated Tomcat "from version 7.0.85 to 7.0.90". That is beyond the 7.0.70 you are concerned about from 2016. (And update 12 in Apr 2017 had upgraded it to 7.0.75.)

    If you still see Tomcat 7.0.70 reported in your CF admin (settings summary page) or otherwise, then it would seem just that you have not updated your CF11. You might want to check the CF update level (also reported on that CF admin settings summary, at the top of the report).

    That said, Priyank's main point was that support for CF11 formally ended in April (there was one "extra" update in June, which was unusual). They have been clear for almost a year in various posts here and in the CF portal (coldfusion.adobe.com) that CF11's end of life was coming.

    (And if you may have wondered how you could know if any CF11 update did update Tomcat, each update's technote is linked to here: ColdFusion 11 updates. Note that that page itself doesn't always list if a given update did update Tomcat. Its mention of update 15 does not indicate that, but its technote linked to there does. And to get the answer to your question here, I just looked at each, starting from 19 backward, searching within them for "tomcat".)

    Finally, while you don't ask about Tomcat 8 with respect to CF11, someone else may wonder: Adobe did not ever update CF11 to embed Tomcat 8. That was done only in CF2016 (and then CF2018 embedded Tomcat 9). And FWIW, the last CF2016 update to mention a Tomcat update was update 7, also in Sep 2018, which upgraded Tomcat "from 8.5.28 to 8.5.32", which again is well above the 8.0.36 you were concerned about. So it seems you'd be set for that if you updated your CF2016.

    Let us know if this satisfies your concern.

    All that said, Adobe is indeed behind a bit again on Tomcat updates. And as Priyank mentioned there is an update for CF2016 (and 2018) due that will address that.

    /Charlie (troubleshooter, carehart.org)
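
The technote search described in the last post can be scripted. The following is an added example, not part of any poster's reply and not Adobe code: it pulls the "from X to Y" Tomcat version range out of technote text and compares the result numerically against the minimum versions named in this thread. The function names and the sample technote sentences are assumptions constructed for illustration; only the quoted version ranges come from the thread.

```python
import re

# Minimum Tomcat versions named in this thread, keyed by ColdFusion release.
MINIMUM = {"CF11": "7.0.70", "CF2016": "8.0.36"}

# Matches the technote wording quoted in the thread, on a single line:
# 'from version 7.0.85 to 7.0.90' and 'from 8.5.28 to 8.5.32'.
UPGRADE_RE = re.compile(
    r"tomcat.*?from\s+(?:version\s+)?(\d+(?:\.\d+)+)\s+to\s+(\d+(?:\.\d+)+)",
    re.IGNORECASE,
)

def parse_version(text):
    """Turn '7.0.70' into (7, 0, 70) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))

def tomcat_upgrade(technote_text):
    """Return (old, new) version strings if the text mentions a Tomcat upgrade."""
    match = UPGRADE_RE.search(technote_text)
    return (match.group(1), match.group(2)) if match else None

def meets_minimum(version, minimum):
    """True when version is at or above minimum, compared part by part."""
    return parse_version(version) >= parse_version(minimum)

def audit(product, technotes):
    """Map update name -> (new Tomcat version, meets minimum?) for updates
    whose technote mentions a Tomcat upgrade."""
    results = {}
    for name, text in technotes.items():
        upgrade = tomcat_upgrade(text)
        if upgrade:
            results[name] = (upgrade[1], meets_minimum(upgrade[1], MINIMUM[product]))
    return results

# Constructed sample text; "update 99" is a hypothetical update with no Tomcat change.
SAMPLE_CF11 = {
    "update 15": "This update upgrades Tomcat from version 7.0.85 to 7.0.90.",
    "update 99 (constructed)": "Security fixes only; no application server changes.",
}
SAMPLE_CF2016 = {"update 7": "Upgraded tomcat from 8.5.28 to 8.5.32."}

if __name__ == "__main__":
    print(audit("CF11", SAMPLE_CF11))
    print(audit("CF2016", SAMPLE_CF2016))
```

Comparing version strings directly would rank "7.0.9" above "7.0.70", which is why the versions are split into integer tuples first.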