Will Adobe provide a Coldfusion 2018 hotfix to address vulnerability in Tomcat 9? We currently have version 9.0.50. See CVE-2021-42340.
Copy link to clipboard
Yes, they will. They always do. What we do NOT know (nor will they tell us) is WHEN they will do it.
We can reasonably expect it will be in the next CF update, update 14 for CF2018 and update 4 for CF2021, which should include as well lots of CF bug fixes (that have remained even through the last update, which addressed only log4j vulns), and perhaps they will also remove any remaining reliance on log4j1.
But they don't announce in advance when those come out. It could be Friday, it could be next month. It is indeed lamentable, as there have been some known Tomcat issues for many months. (And inevitably, there will be new ones, and we will again be stuck awaiting their update to CF, as WE cannot update the Tomcat that underlies CF. Only they can, at least reliably.)
Oh, you should add your vote to the bug ticket. It might help expedite matters.