We are running CF18 enterprise(latest update 10) on Windows server. Tomcat version 22.214.171.124. Java version 11.0.3.
Our security team informed us about following vulnerability after Nessus scan on CF server:
Plugin ID: 133845 Port: www (8500/tcp)
Installed version : 9.0.21
Fixed version : 9.0.31
The version of Tomcat installed on the remote host is prior to 7.0.100, 8.x
prior to 8.5.51, or 9.x prior to 9.0.31. It is, therefore, affected by multiple
- An HTTP request smuggling vulnerability exists in Tomcat due to mishandling
Transfer-Encoding headers behind a reverse proxy. An unauthenticated, remote
attacker can exploit this, via crafted HTTP requests, to cause unintended
HTTP requests to reach the back-end. (CVE-2019-17569)
- An HTTP request smuggling vulnerability exists in Tomcat due to bad
end-of-line (EOL) parsing that allowed some invalid HTTP headers to be
parsed as valid. An unauthenticated, remote attacker can exploit this, via
crafted HTTP requests, to cause unintended HTTP requests to reach the back-end.
- An arbitrary file read vulnerability exists in Tomcat's Apache JServ
Protocol (AJP) due to an implementation defect. A remote, unauthenticated
attacker could exploit this to access files which, under normal conditions,
would be restricted. If the Tomcat instance supports file uploads, the
vulnerability could also be leveraged to achieve remote code execution.
Note that Nessus has not tested for this issue but has instead relied only on
the application's self-reported version number.
Any recommendations on resolving this issue. Do we need to contact Adobe CF support on this issue?
Without knowing the particular status of the Tomcat version on here, I can tell you that you shouldn't allow network traffic to TCP/8500 from external servers if you're also using a web server like IIS or Apache on TCP/80 or TCP/443. So, just block this with your local firewall to only allow traffic from localhost for management purposes and you should be all set!
Dave Watts, Eidolon LLC
Will adding address= "127.0.0.1" attribute to Connector line on CFUSION instance server.xml line with port 8500 do the trick?
1) install Java SE 11.0.10 (LTS) and use it for ColdFusion 2018.
2) ensure that the worker.workername.secret value in workers.properties (a UUID) matches the value of the secret attribute of the AJP/1.3 connector in server.xml.
Appreciate your help.
I honestly don't know. Probably. But I would still create a local firewall record to block traffic there.
Dave Watts, Eidolon LLC