I see that patch 4 upgrades Tomcat to 9.0.60, but I have a current Nessus scan in hand of my CF2021 patch 6 server, and it contains one critical-severity and three high-severity vulnerabilities in Tomcat 9, as follows:

| Plugin | Plugin Name | Severity | CVE |
|---|---|---|---|
| 173251 | Apache Tomcat 9.0.0.M1 < 9.0.72 | Critical | CVE-2023-28708 |
| 166906 | Apache Tomcat 9.0.0-M1 < 9.0.68 Request Smuggling Vulnerability | High | CVE-2022-42252 |
| 169459 | Apache Tomcat 9.0.40 < 9.0.69 | High | CVE-2022-45143 |
| 171657 | Apache Tomcat 9.0.0.M1 < 9.0.71 | High | CVE-2023-24998 |
I searched the forum for posts about these, but mostly what I got was 2016 CVEs and Tomcat 9.0.60.
I know that in some cases a CVE might not affect CF because the Tomcat functionality isn't being used, so I am wondering if that is true for these in particular, or if there is a way to mitigate these while Adobe works on integrating newer Tomcats into CF patches.
We are running CF2021 patch 6 on Windows 2019 with IIS 10.
Thanks
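The four Nessus plugins above are version-banner checks: each fires when the detected Tomcat version falls in the range "A < B" given in the plugin name. The script below, an added example that is not part of the original post or of Nessus, reproduces that range logic so you can see which findings a given bundled Tomcat would trigger and what the lowest version is that would clear all of them. It parses Tomcat's milestone notation (`9.0.0.M1` / `9.0.0-M1` sort before the `9.0.0` final) and takes the installed version as a string; the `9.0.60` used in `__main__` is the version mentioned in the post, and the ranges are transcribed from the table, not fetched from anywhere.

```python
"""Evaluate a Tomcat version against the Nessus plugin version ranges
quoted in the post above.

Added example; not code from the original thread or from Tenable.
The PLUGINS table is transcribed by hand from the four plugin names,
and the installed version passed in is supplied by the caller."""

import re

# (plugin id, CVE, lowest affected version, first fixed version),
# transcribed from the plugin names of the form "Apache Tomcat A < B".
PLUGINS = [
    ("173251", "CVE-2023-28708", "9.0.0.M1", "9.0.72"),
    ("166906", "CVE-2022-42252", "9.0.0-M1", "9.0.68"),
    ("169459", "CVE-2022-45143", "9.0.40", "9.0.69"),
    ("171657", "CVE-2023-24998", "9.0.0.M1", "9.0.71"),
]

# Matches "9.0.60", "9.0.0.M1" and "9.0.0-M1" (Tomcat writes milestones both ways).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

# Sentinel for a GA release so that every milestone of the same number sorts below it.
_GA = 10**6


def parse_version(text):
    """Turn a Tomcat version string into a tuple that compares correctly.

    The fourth element is the milestone number for pre-releases and a large
    sentinel for final releases, so 9.0.0.M1 < 9.0.0 < 9.0.1.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = match.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else _GA)


def flagged_plugins(installed):
    """Return [(plugin id, CVE, first fixed version)] for every range the
    installed version falls inside, i.e. the findings Nessus would report
    on version alone."""
    version = parse_version(installed)
    hits = []
    for plugin, cve, lowest, fixed in PLUGINS:
        if parse_version(lowest) <= version < parse_version(fixed):
            hits.append((plugin, cve, fixed))
    return hits


def minimum_clean_version(installed):
    """Lowest Tomcat version that clears every flagged plugin, or None if
    nothing is flagged. It is the highest 'fixed' bound among the hits."""
    hits = flagged_plugins(installed)
    if not hits:
        return None
    return max((fixed for _, _, fixed in hits), key=parse_version)


if __name__ == "__main__":
    installed = "9.0.60"  # the version the post says patch 4 ships
    for plugin, cve, fixed in flagged_plugins(installed):
        print(f"plugin {plugin} ({cve}) fires: {installed} < {fixed}")
    print("first version clearing all four:", minimum_clean_version(installed))
```

Note what this does and does not tell you: it reproduces the version comparison only. Whether a given CVE is actually reachable in ColdFusion depends on which Tomcat components CF uses (for example, CVE-2022-42252 concerns request handling that is reached through the connector, and CVE-2023-24998 concerns Commons FileUpload parsing), and a banner check has no way to know that; that question is exactly what the post is asking, and the script cannot answer it.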
Yes, we are vulnerable. No, we cannot update the Tomcat within CF. I haven't heard any discussion of whether the vulns are something we should NOT be concerned about. Sad that we have to wait so long for Adobe to provide such important new Tomcat updates.
But someone may have a different/more well-informed opinion, of course.
Hey @Charlie Arehart, I was expecting update 12 to also upgrade Tomcat to 9.0.81, but alas, no joy. Wonder if 13 will. Do you have any inside info? 🙂 Happy Thanksgiving, sir.
Well, sadly, no. It did not. It's the same situation as above: we simply must wait for Adobe. No news has been shared on any plans for 13.
And thanks for the kind regards, but no, I don't get any insider/advance info about the updates: even when they are released is as much a surprise to me as to anyone, which is challenging, as I like to get news out about them on my blog and/or to my clients. So I am often really scrambling the day they come out to identify any issues that might occur before the news may come out in the days that follow.