I know I've asked these questions before, but I'm curious if anyone can speak to when Tomcat bundled with ColdFusion 11 will be updated?
Tomcat is bundled as part of ColdFusion 11, previously Adobe has provided a hotfix to upgrade Tomcat. Is this something on the product road map?
Tomcat 7.0.70 fixes the following issue:
Hi Joe,
CF is not impacted by CVE-2016-3092 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
Regards,
Anit Kumar
Thanks for the quick response.
Thanks for providing that info Anit! I have downgraded this from Important to Warning on the HackMyCF scanner. I still keep it as Warning because I think it is important to know in case your CFML code makes use of the vulnerable classes.
I still hope Adobe plans to upgrade to Tomcat 7.0.70+ in CF10/11, and 8.0.36+ in CF2016 in the next update. It is important for many organizations.
That will definitely happen Pete.
Regards,
Anit Kumar
Has Adobe upgraded to Tomcat 7.0.70+ for CF11 or 8.0.36+ for CF2016? If not, do we have a timeline when we can expect that?
Hi,
We will not be releasing any update for CF11 as it is end of life. But we will release an update for CF2016 and upgrade the Tomcat.
Thanks,
Priyank
The original post occurred on August 16th, 2016 when ColdFusion 11 was still under support, but we never received the update to Tomcat.
Now you are telling me that ColdFusion 2016 will receive that update, but it's been almost 3 years since this request. Do you have any sort of plan that gives us a more definitive answer on when we can expect this update?
What sprint is it in? How frequently do you put out those types of changes? When will that sprint be headed to beta?
Joe, the news is better than what you think--and than Priyank let on.
First, to be clear, it is NOT true that "we never received the update to Tomcat" since "the original post occurred" in 2016. There have indeed been CF11 updates which HAVE updated the Tomcat embedded within CF since then. Multiple times, in fact. The last was update 15, in Sep 2018, whose technote indicates that it updated Tomcat "from version 7.0.85 to 7.0.90". That is beyond the 7.0.70 you are concerned about from 2016. (And update 12 in Apr 2017 had upgraded it to 7.0.75.)
If you still see Tomcat 7.0.70 reported in your CF admin (settings summary page) or otherwise, then it would just seem that you have not updated your CF11. You might want to check the CF update level (also reported on that CF admin settings summary, at the top of the report).
That said, Priyank's main point was that support for CF11 formally ended in April (there was one "extra" update in June, which was unusual). They have been clear for almost a year in various posts here and in the CF portal (coldfusion.adobe.com) that CF11's end of life was coming.
(And if you may have wondered how you could know if any CF11 update did update Tomcat, each update's technote is linked to here: ColdFusion 11 updates. Note that that page itself doesn't always list if a given update did update Tomcat. Its mention of update 15 does not indicate that, but its technote linked to there does. And to get the answer to your question here, I just looked at each, starting from 19 backward, searching within them for "tomcat".)
Finally, while you don't ask about Tomcat 8 with respect to CF11, someone else may wonder: Adobe did not ever update CF11 to embed Tomcat 8. That was done only in CF2016 (and then CF2018 embedded Tomcat 9). And FWIW, the last CF2016 update to mention a Tomcat update was update 7, also in Sep 2018, which upgraded Tomcat "from 8.5.28 to 8.5.32", which again is well above the 8.0.36 you were concerned about. So it seems you'd be set for that if you updated your CF2016.
Let us know if this satisfies your concern.
All that said, Adobe is indeed behind a bit again on Tomcat updates. And as Priyank mentioned there is an update for CF2016 (and 2018) due that will address that.
Hi Charlie,
Thank you so much for taking the time to reply and point out some details I had missed. I was noticing warnings in my HackMyCF report, but failed to notice that the issue was remediated in ColdFusion 11 updates 12 and 15.
I'm aware of the end of life for ColdFusion 11, but I had mistakenly thought that the issue was never solved. That drove my concern that our ColdFusion 2016 and 2018 instances would also be a problem.
That satisfies my concerns, thank you very much for taking the time to add all of these details.
Glad to have helped.