CF2018 Tomcat version 9.0.21 vulnerability

New Here ,
Feb 18, 2021 Feb 18, 2021

Copy link to clipboard

Copied

Greetings,

 

We are running CF18 enterprise(latest update 10) on Windows server.  Tomcat version 9.0.21.0. Java version 11.0.3.

Our security team informed us about following vulnerability after Nessus scan on CF server:

 

Plugin ID: 133845 Port: www (8500/tcp)

Plugin Output:

  Installed version : 9.0.21
  Fixed version     : 9.0.31


Plugin Description:
The version of Tomcat installed on the remote host is prior to 7.0.100, 8.x
prior to 8.5.51, or 9.x prior to 9.0.31. It is, therefore, affected by multiple
vulnerabilities.

  - An HTTP request smuggling vulnerability exists in Tomcat due to mishandling
Transfer-Encoding headers     behind a reverse proxy. An unauthenticated, remote
attacker can exploit this, via crafted HTTP requests,     to cause unintended
HTTP requests to reach the back-end. (CVE-2019-17569)

  - An HTTP request smuggling vulnerability exists in Tomcat due to bad
end-of-line (EOL) parsing that allowed     some invalid HTTP headers to be
parsed as valid. An unauthenticated, remote attacker can exploit this, via   
crafted HTTP requests, to cause unintended HTTP requests to reach the back-end.
(CVE-2020-1935)

  - An arbitrary file read vulnerability exists in Tomcat's Apache JServ
Protocol (AJP) due to an     implementation defect. A remote, unauthenticated
attacker could exploit this to access files which, under     normal conditions,
would be restricted. If the Tomcat instance supports file uploads, the
vulnerability     could also be leveraged to achieve remote code execution.
(CVE-2020-1938)

Note that Nessus has not tested for this issue but has instead relied only on
the application's self-reported version number.

 

Any recommendations on resolving this issue. Do we need to contact Adobe CF support on this issue?

 

Regards,

Simon

 

 

Views

77

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Feb 18, 2021 Feb 18, 2021

Copy link to clipboard

Copied

Without knowing the particular status of the Tomcat version on here, I can tell you that you shouldn't allow network traffic to TCP/8500 from external servers if you're also using a web server like IIS or Apache on TCP/80 or TCP/443. So, just block this with your local firewall to only allow traffic from localhost for management purposes and you should be all set!

 

Dave Watts, Eidolon LLC

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Feb 18, 2021 Feb 18, 2021

Copy link to clipboard

Copied

Thanks Dave,

 

Will adding address= "127.0.0.1" attribute to Connector line on CFUSION instance server.xml line with port 8500 do the trick?

 

Regards,

Simon

 

 

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Feb 19, 2021 Feb 19, 2021

Copy link to clipboard

Copied

Additionally,

1) install Java SE 11.0.10 (LTS) and use it for ColdFusion 2018.

2) ensure that the worker.workername.secret value in workers.properties (a UUID) matches the value of the secret attribute of the AJP/1.3 connector in server.xml.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Feb 19, 2021 Feb 19, 2021

Copy link to clipboard

Copied

Thanks BKBK,

 

Appreciate your help.

 

Regards,

Simon

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Community Professional ,
Feb 19, 2021 Feb 19, 2021

Copy link to clipboard

Copied

LATEST

I honestly don't know. Probably. But I would still create a local firewall record to block traffic there.

 

Dave Watts, Eidolon LLC

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines