When will Adobe provide a hotfix for Tomcat 9

Report · Feb 16, 2022

Will Adobe provide a Coldfusion 2018 hotfix to address vulnerability in Tomcat 9? We currently have version 9.0.50. See CVE-2021-42340.

Thank you.

Report · Feb 16, 2022

Yes, they will. They always do. What we do NOT know (nor will they tell us) is WHEN they will do it.

We can reasonably expect it will be in the next CF update, update 14 for CF2018 and update 4 for CF2021, which should include as well lots of CF bug fixes (that have remained even through the last update, which addressed only log4j vulns), and perhaps they will also remove any remaining reliance on log4j1.

But they don't announce in advance when those come out. It could be Friday, it could be next month. It is indeed lamentable, as there have been some known Tomcat issues for many months. (And inevitably, there will be new ones, and we will again be stuck awaiting their update to CF, as WE cannot update the Tomcat that underlies CF. Only they can, at least reliably.)

/Charlie (troubleshooter, carehart.org)

Report · Feb 17, 2022

Thank you.

Report · Feb 18, 2022

Adobe has confirmed that this is a bug. So it is on the conveyor-belt. See https://tracker.adobe.com/#/view/CF-4212653

Report · Feb 19, 2022

Oh, you should add your vote to the bug ticket. It might help expedite matters.

Adobe Community

When will Adobe provide a hotfix for Tomcat 9

1 Correct answer