
The version of Tomcat installed on the remote host is prior to 9.0.71.

New Here, May 18, 2023

The version of Tomcat installed on the remote host is prior to 9.0.71. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.71_security-9 advisory.

- Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.
(CVE-2023-24998)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.


How does one remediate the above?

Community Expert, May 19, 2023

One must wait for Adobe to release an update to cf that embeds the updated tomcat.


You don't say what cf version you're on. If cf2021 we can expect such an update--but no telling when. They've gone over a year between applying needed tomcat updates. If you're on cf2018, such an update would need to come out before July, when its support/updates end. 


/Charlie (troubleshooter, carehart. org)
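The scanner finding quoted above rests only on Tomcat's self-reported version string, and the answer is to wait for the vendor to ship a build that embeds Tomcat 9.0.71 or later. The following script is an added example (not code from this thread, from Adobe or from Tenable) for checking locally whether that update has actually arrived: it reads the `server.info` string that Tomcat keeps in `org/apache/catalina/util/ServerInfo.properties` inside `catalina.jar` and compares it with the 9.0.71 fix version quoted in the advisory. Assumptions: the caller supplies the path to the embedded `catalina.jar` (the page does not give ColdFusion's location for it), and only the 9.0.x branch is judged, since that is the only fixed version the page names; when run with no argument it audits a constructed in-memory sample jar.

```python
"""Local check of the Tomcat build embedded in a server, mirroring the
scanner's version test quoted above. Added example, not from the thread.
Assumptions: caller passes the path to catalina.jar (ColdFusion's location
for it is not given on the page); 9.0.71 is the fixed version from the
advisory; other Tomcat branches are deliberately not judged."""
import io
import re
import sys
import zipfile

# Fixed version quoted in the advisory on the page (9.0.x branch only).
FIXED_9_0 = (9, 0, 71)
# Where Tomcat stores its self-reported version string inside catalina.jar.
SERVER_INFO_ENTRY = "org/apache/catalina/util/ServerInfo.properties"

_VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def parse_tomcat_version(server_info: str) -> tuple:
    """'Apache Tomcat/9.0.70' -> (9, 0, 70); ValueError if unparseable."""
    m = _VERSION_RE.search(server_info)
    if not m:
        raise ValueError(f"not a Tomcat version string: {server_info!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version: tuple, fixed: tuple = FIXED_9_0) -> bool:
    """True when a 9.0.x build is older than the fixed release.

    Other branches have their own fixed releases, which the page does not
    list, so they are rejected instead of being silently reported as safe.
    """
    if version[:2] != fixed[:2]:
        raise ValueError(
            f"branch {version[0]}.{version[1]} is outside the "
            f"{fixed[0]}.{fixed[1]} advisory; check that branch's own fix"
        )
    return version < fixed


def read_server_info(jar) -> str:
    """Return the server.info value from a catalina.jar (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        props = zf.read(SERVER_INFO_ENTRY).decode("utf-8", "replace")
    for line in props.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "server.info":
            return value.strip()
    raise ValueError("server.info not found in " + SERVER_INFO_ENTRY)


def audit_jar(jar):
    """(version tuple, affected?) for the given catalina.jar."""
    version = parse_tomcat_version(read_server_info(jar))
    return version, is_affected(version)


def build_sample_jar(server_info: str) -> io.BytesIO:
    """Constructed fixture: an in-memory jar holding only the properties entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SERVER_INFO_ENTRY, f"server.info={server_info}\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage: python check_tomcat.py /path/to/catalina.jar  (path is an assumption)
    jar = sys.argv[1] if len(sys.argv) > 1 else build_sample_jar("Apache Tomcat/9.0.70")
    version, affected = audit_jar(jar)
    verdict = "AFFECTED (below 9.0.71)" if affected else "at or above 9.0.71"
    print("embedded Tomcat %d.%d.%d -> %s" % (*version, verdict))
```

Like the scanner, this only reads the version string; it does not exercise the upload code path, so a vendor backport that leaves the string unchanged would still be reported as affected, and a build that merely claims 9.0.71 would be reported as fixed.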
New Here, May 19, 2023

So I went ahead and blocked port 8500 on the local firewall of the device, both inbound and outbound. This remediated the issue. I told the users to use the server to access the CF admin page.

Community Expert, May 19, 2023

Use the server? You mean access that 8500 port only from the server itself? Well, sure. Locking that down to be accessed only from the server itself is an option. But the port would have been blocked by most any firewall by default, since it's a non-standard port, at least from outside the network. 


If you're saying the security scan doesn't run from the server but is within the network, that will stop it detecting the vulnerability. It's still there, but "less" exposed. By the same token, it was almost certainly not exposed outside the network. 


/Charlie (troubleshooter, carehart. org)