Highlighted

CF10 Framework Vulnerability Question

New Here ,
Sep 05, 2018

Copy link to clipboard

Copied

Received information that a vulnerability (CVE-2018-11776) has been identified for web-based applications with the Tomcat, Apache and Coyote frameworks. We are currently using ColdFusion 10,283111 and I am not sure how to verify if we are at risk or not.  Anyone know how I could get that information or find out if that vulnerability is applicable to CF10?

More info on the CVE:

CVE-2018-11776 is a remote code execution flaw that allows an attacker to gain control over Struts-based web applications.

ColdFusion doesn't ship with the Struts framework. It is a popular java framework for building web applications, see: the Apache Struts project  -

Do you have any custom java code? you could have potentially added Struts to your CF server with some customization, but that is not very common.

My guess is that whatever scanner was used simply saw that you are running Tomcat and flagged the issue. I'd press back at the scanning vendor to see what their detection method is. If they are simply looking at Tomcat and flagging the issue that would yield tons of false positives.

--

Pete Freitag

Foundeo Inc.

Views

215

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

CF10 Framework Vulnerability Question

New Here ,
Sep 05, 2018

Copy link to clipboard

Copied

Received information that a vulnerability (CVE-2018-11776) has been identified for web-based applications with the Tomcat, Apache and Coyote frameworks. We are currently using ColdFusion 10,283111 and I am not sure how to verify if we are at risk or not.  Anyone know how I could get that information or find out if that vulnerability is applicable to CF10?

More info on the CVE:

CVE-2018-11776 is a remote code execution flaw that allows an attacker to gain control over Struts-based web applications.

ColdFusion doesn't ship with the Struts framework. It is a popular java framework for building web applications, see: the Apache Struts project  -

Do you have any custom java code? you could have potentially added Struts to your CF server with some customization, but that is not very common.

My guess is that whatever scanner was used simply saw that you are running Tomcat and flagged the issue. I'd press back at the scanning vendor to see what their detection method is. If they are simply looking at Tomcat and flagging the issue that would yield tons of false positives.

--

Pete Freitag

Foundeo Inc.

Views

216

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Sep 05, 2018 0
Enthusiast ,
Sep 05, 2018

Copy link to clipboard

Copied

ColdFusion doesn't ship with the Struts framework. It is a popular java framework for building web applications, see: the Apache Struts project  -

Do you have any custom java code? you could have potentially added Struts to your CF server with some customization, but that is not very common.

My guess is that whatever scanner was used simply saw that you are running Tomcat and flagged the issue. I'd press back at the scanning vendor to see what their detection method is. If they are simply looking at Tomcat and flagging the issue that would yield tons of false positives.

--

Pete Freitag

Foundeo Inc.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Sep 05, 2018 0
New Here ,
Sep 05, 2018

Copy link to clipboard

Copied

Pete,

Thank you for the information, I will pass that along to the scanning vendor!  Would it be fair to say that if we are using IIS as a web server that is a safe indication that we are not using Apache Struts, therefore not at risk for this particular issue?  Or is there a way on the server I can verify that Apache Struts is not being used?

Thanks,

Wes

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Sep 05, 2018 0
Enthusiast ,
Sep 05, 2018

Copy link to clipboard

Copied

Wes - you could still be using Struts through IIS, so that does not rule it out. But as I said struts is not something that ships with ColdFusion so it would not be there unless someone wrote an application using struts at your organization.

One way to check would be to search your server for any jar file with "struts" in the name, eg: struts2-core-2.5.17.jar - another thing you can do is compile a list of jar files on your server, and compare that list with the list of jar files that ship with CF, any files not on the list would be ones that you may have added manually.

Hope that helps!

--

Pete Freitag

Foundeo Inc.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Sep 05, 2018 0