Is CF 10 impacted by Tomcat CVE-2017-12615 or CVE-2017-12617?

Report · Oct 09, 2017

Hi :

is Coldfusion 10 by the tomcat CVE-2017-12615 and or CVE-2017-12617 vulnerabilities?

Thank you in advance

ted

Report · Oct 10, 2017

It most likely will be as the latest update to CF 10 uses Tomcat 7.0.75.

CF 10 is end of life now so there will be no more updates to it.

Report · Oct 10, 2017

It is affected, in some cases where default settings are not used, however if you disable the HTTP PUT verb and also disable all non-essential file extensions, like .jsp, you could protect yourself.

Report · Oct 11, 2017

In a stock ACF install, no, you should not be vulnerable to it. From the CVE(s):

>> When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false)

The default setting for the default servlet in ACF 11 on the readonly setting is true. You can verify this by looking at /cfusion/runtime/conf/web.xml and looking for <servlet-name>default</servlet-name>. Unless it explicitly declares <readonly>false</readonly> then you are using the default value of true and not vulnerable to these exploits.