Is CF 2021 affected by the following Tomcat 9 CVEs?

New Here, Mar 31, 2023

I see that update 4 upgrades Tomcat to 9.0.60, but I have a current Nessus scan in hand of my CF2021 update 6 server and it contains one critical-severity and three high-severity vulnerabilities in Tomcat 9, as follows:

Plugin   Plugin Name                                                       Severity   CVE
173251   Apache Tomcat 9.0.0.M1 < 9.0.72                                   Critical   CVE-2023-28708
166906   Apache Tomcat 9.0.0-M1 < 9.0.68 Request Smuggling Vulnerability   High       CVE-2022-42252
169459   Apache Tomcat 9.0.40 < 9.0.69                                     High       CVE-2022-45143
171657   Apache Tomcat 9.0.0.M1 < 9.0.71                                   High       CVE-2023-24998

I searched the forum for posts about these, but mostly what I got was 2016 CVEs and Tomcat 9.0.60.

 

I know that in some cases a CVE might not affect CF because the Tomcat functionality isn't being used, so I am wondering if that is true for these in particular, or if there is a way to mitigate these while Adobe works on integrating newer Tomcats into CF updates.

 

We are running CF2021 update 6 on Windows Server 2019 with IIS 10.

 

Thanks

Views: 790

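Added example (not from the thread or from Adobe): a defender-side triage script that takes the four Nessus findings above, parses the affected range out of each plugin name, and reports which CVEs still apply to a given bundled Tomcat version. It only answers the version-range question; whether CF actually exposes the affected Tomcat feature is a separate judgement. The catalina.jar path and its ServerInfo.properties layout are assumptions.

```python
import re
import zipfile

# Findings copied from the Nessus table in the post above; the plugin name carries the range.
FINDINGS = [
    ("173251", "Apache Tomcat 9.0.0.M1 < 9.0.72", "Critical", "CVE-2023-28708"),
    ("166906", "Apache Tomcat 9.0.0-M1 < 9.0.68 Request Smuggling Vulnerability", "High", "CVE-2022-42252"),
    ("169459", "Apache Tomcat 9.0.40 < 9.0.69", "High", "CVE-2022-45143"),
    ("171657", "Apache Tomcat 9.0.0.M1 < 9.0.71", "High", "CVE-2023-24998"),
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")
RANGE_RE = re.compile(r"Apache Tomcat (\S+) < (\S+)")


def parse_version(text):
    """'9.0.60', '9.0.0.M1' or '9.0.0-M1' -> comparable tuple; milestones sort below GA."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch), tail)


def affected(installed, plugin_name):
    """True when the installed version lies in the half-open range named by the plugin."""
    m = RANGE_RE.search(plugin_name)
    if not m:
        raise ValueError(f"no version range in plugin name: {plugin_name!r}")
    low, high = (parse_version(v) for v in m.groups())
    return low <= parse_version(installed) < high


def triage(installed, findings=FINDINGS):
    """CVEs from the scan that still apply to the given bundled Tomcat version, in scan order."""
    return [cve for _, name, _, cve in findings if affected(installed, name)]


def installed_version_from_jar(catalina_jar_path):
    """Read the bundled Tomcat version from catalina.jar (assumed layout:
    org/apache/catalina/util/ServerInfo.properties with server.info=Apache Tomcat/x.y.z).
    The jar's location under the CF install is an assumption; locate it first."""
    with zipfile.ZipFile(catalina_jar_path) as jar:
        props = jar.read("org/apache/catalina/util/ServerInfo.properties").decode()
    m = re.search(r"^server\.info=Apache Tomcat/(\S+)", props, re.MULTILINE)
    if not m:
        raise ValueError("server.info not found in ServerInfo.properties")
    return m.group(1)


if __name__ == "__main__":
    for cve in triage("9.0.60"):  # the version the post says update 4 shipped
        print("still applies:", cve)
```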
Community Expert, Mar 31, 2023

Yes, we are vulnerable. No, we cannot update the Tomcat within cf. Not heard any discussion of whether the vulns are something we should NOT be concerned about. Sad that we have to wait so long for Adobe to provide such important new tomcat updates. 

 

But someone may have a different/more well-informed opinion, of course. 

 


/Charlie (troubleshooter, carehart.org)

Community Beginner, Nov 22, 2023

Hey @Charlie Arehart, I was expecting update 12 to also upgrade Tomcat to 9.0.81, but alas, no joy. Wonder if 13 will; do you have any inside info? 🙂 Happy Thanksgiving, sir.

Community Expert, Nov 22, 2023

Well, sadly, no. It did not. It's the same situation as above: we simply must wait for Adobe. No news shared on any plans for 13.

And thanks for the kind regards, but no, I don't get any insider/advance info about the updates: even when they are released is as much a surprise to me as to anyone, which is challenging, as I like to get news out about them on my blog and/or to my clients. So I am often really scrambling the day they come out to identify any issues that might occur before the news may come out in the days to follow.


/Charlie (troubleshooter, carehart.org)
