• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

Is CF 10 impacted by Tomcat CVE-2017-12615 or CVE-2017-12617?

New Here ,
Oct 09, 2017 Oct 09, 2017

Copy link to clipboard

Copied

Hi :

is Coldfusion 10 by the tomcat CVE-2017-12615 and or CVE-2017-12617 vulnerabilities?

Thank you in advance

ted

Views

781

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Advocate ,
Oct 10, 2017 Oct 10, 2017

Copy link to clipboard

Copied

It most likely will be as the latest update to CF 10 uses Tomcat 7.0.75.

CF 10 is end of life now so there will be no more updates to it.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Enthusiast ,
Oct 10, 2017 Oct 10, 2017

Copy link to clipboard

Copied

It is affected, in some cases where default settings are not used, however if you disable the HTTP PUT verb and also disable all non-essential file extensions, like .jsp, you could protect yourself.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Participant ,
Oct 11, 2017 Oct 11, 2017

Copy link to clipboard

Copied

LATEST

In a stock ACF install, no, you should not be vulnerable to it. From the CVE(s):

 

>> When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false)

 

The default setting for the default servlet in ACF 11 on the readonly setting is true.  You can verify this by looking at /cfusion/runtime/conf/web.xml and looking for <servlet-name>default</servlet-name>. Unless it explicitly declares <readonly>false</readonly> then you are using the default value of true and not vulnerable to these exploits.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation