I see that patch 4 upgrades Tomcat to 9.0.60, but I have a current Nessus scan in hand of my CF2021 patch 6 server, and it contains one critical-severity and three high-severity vulnerabilities in Tomcat 9, as follows:
Plugin | Plugin Name | Severity | CVE |
173251 | Apache Tomcat 9.0.0.M1 < 9.0.72 | Critical | CVE-2023-28708 |
166906 | Apache Tomcat 9.0.0-M1 < 9.0.68 Request Smuggling Vulnerability | High | CVE-2022-42252 |
169459 | Apache Tomcat 9.0.40 < 9.0.69 | High | CVE-2022-45143 |
171657 | Apache Tomcat 9.0.0.M1 < 9.0.71 | High | CVE-2023-24998 |
I searched the forum for posts about these, but mostly what I got was 2016 CVEs and Tomcat 9.0.60.
I know that in some cases a CVE might not affect CF because the Tomcat functionality isn't being used, so I am wondering whether that is true for these in particular, or whether there is a way to mitigate them while Adobe works on integrating newer Tomcat releases into CF patches.
We are running CF2021 patch 6 on Windows 2019 with IIS 10.
Thanks
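The question above is really two questions: does the bundled Tomcat version fall inside each plugin's affected range, and does CF actually exercise the affected feature. The script below answers only the first one. It is an added example, not code from the original post or from Adobe; the findings list is constructed from the scan table above, and the installed version 9.0.60 is the one the poster mentions. It parses the "Apache Tomcat X < Y" form of the Nessus plugin names and handles the milestone notation (9.0.0.M1 / 9.0.0-M1), which a naive string or tuple comparison would get wrong.

```python
"""Check which Nessus "Apache Tomcat X < Y" findings cover a given Tomcat build.

Added example for the thread above, not part of the original post.  The
findings are constructed from the scan table the poster pasted; the
installed version is the 9.0.60 that CF2021 patch 4 bundles.
"""
import re

# (plugin id, plugin name as reported by Nessus, CVE) -- copied from the post.
FINDINGS = [
    (173251, "Apache Tomcat 9.0.0.M1 < 9.0.72", "CVE-2023-28708"),
    (166906, "Apache Tomcat 9.0.0-M1 < 9.0.68 Request Smuggling Vulnerability",
     "CVE-2022-42252"),
    (169459, "Apache Tomcat 9.0.40 < 9.0.69", "CVE-2022-45143"),
    (171657, "Apache Tomcat 9.0.0.M1 < 9.0.71", "CVE-2023-24998"),
]

# Nessus names the affected range as "<lowest affected> < <first fixed>".
_RANGE = re.compile(r"Apache Tomcat (\S+) < (\S+)")
# Accept "9.0.60", "9.0.0.M1" and "9.0.0-M1" (both milestone spellings occur).
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")


def parse_version(text):
    """Return a tuple that sorts Tomcat versions correctly.

    Milestone builds (M1, M2, ...) sort *before* the GA release of the same
    number, so 9.0.0.M1 < 9.0.0 < 9.0.1.
    """
    m = _VERSION.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    # GA gets rank 1, any milestone rank 0, so GA always wins on the 4th field.
    rank = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + rank


def parse_range(plugin_name):
    """Extract (lowest affected, first fixed) from a Nessus plugin name."""
    m = _RANGE.search(plugin_name)
    if not m:
        raise ValueError(f"no version range in plugin name: {plugin_name!r}")
    return parse_version(m.group(1)), parse_version(m.group(2))


def affected(installed, plugin_name):
    """True if `installed` lies in the plugin's half-open range [low, fixed)."""
    low, fixed = parse_range(plugin_name)
    return low <= parse_version(installed) < fixed


def applicable_findings(installed, findings=FINDINGS):
    """Return [(plugin id, CVE)] for every finding whose range covers `installed`."""
    return [(pid, cve) for pid, name, cve in findings if affected(installed, name)]


if __name__ == "__main__":
    for version in ("9.0.60", "9.0.70", "9.0.72"):
        hits = applicable_findings(version)
        print(f"Tomcat {version}: {len(hits)} finding(s) in range: {hits}")
```

Running it confirms that all four plugins cover 9.0.60 by version alone; 9.0.72 clears all of them. A version match is only the first half of the answer, though: whether each CVE is reachable through the way CF configures and uses Tomcat is exactly the part the scanner cannot tell you, and the part the poster is asking about.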
Yes, we are vulnerable. No, we cannot update the Tomcat within CF. I have not heard any discussion of whether the vulns are something we should NOT be concerned about. It is sad that we have to wait so long for Adobe to provide such important new Tomcat updates.
But someone may have a different or better-informed opinion, of course.