ColdFusion 2018 Tomcat Vulnerability: Recommended Update 9.0.31 or later

Report · Mar 09, 2021

Hi,

Tomcat 9 Vulnerabilites- The version of Tomcat 9.0.21 contains security vulnerabilities that are fixed in Tomcat Version 9.0.40 or greater. The latest ColdFusion Update 10 will only update Tomcat to version 9.0.21. Would you please let us know Adobe plans to address these vulnerabilities and when you would it provide Tomcat update to 9.0.31 or later?

Thanks!!

Report · Mar 09, 2021

The key vuln before 9.0.31 was the "ghostcat" vuln. And Adobe addressed that in March of 2020 not with an update to the Tomcat version but instead with a CF update that INCORPORATED the key aspects of the Tomcat fix (for AJP). For more, see the technotes from the updates (update 8 for CF2018, update 14 for CF2016), or see a post I did at the time which focused on how it was CRITICAL for you to update your web sites and the CF wsconfig after that update and those fixes. More here:

https://coldfusion.adobe.com/2020/03/three-reasons-sites-may-break-fix-applying-mar-2020-update-cf20...

As for if and when Adobe will update Tomcat beyond the reported 9.0.21, they don't announce such things in advance, but we can have every reason to believe that they WILL at some point finally update Tomcat...and of course that would bring still more than just the fixes for ghostcat.

I appreciate that this is a frustrating situation for those running security scans, whose tools report CF as "vulnerable" because of this. To be clear, I'm just a messenger, having no influence on how things go.

/Charlie (troubleshooter, carehart.org)

Report · Mar 09, 2021

Thank you so much for your response, we will go through the link you provided to address the "ghostcat" vuln. But as you mentioned our organization's security scans picked this up and enforcing us to update Tomcat 9.0.31 later, we hope Adobe ColdFusion team to seriously consider to include Tomcat latest update as soon as possible.

Adobe ColdFusion Support Team- Please help the customers to include Tomcat latest version (9.0.31 or later) with your next CF update, as Tomcat is an internal part of ColdFusion software and customers cannot do anything until unless you release ColdFusion update with Tomcat latest version.

Thank you!!

Report · Mar 09, 2021

Glad to help. BTW, a couple other things I had meant to add (but had a call starting right as I sent that last reply):

CF2021 did indeed come out with an updated Tomcat: 9.0.37. We can wish it was still more updated, but CF2021 came out in Nov 2020, and of course they need lead time to test things out. I realize that doesn't help those on CF2018 or 2016.
As for CF2016, note that it stopped being updated last month (5 years after its release), so we may not see any update to CF2016 to support a still-later Tomcat
As for whether CF2018 will get an updated Tomcat, again we can only hope. And while they have in the past updated Tomcat via only a CF update, I hope they may instead create a new CF2018 installer that would update not only Tomcat but also implement the latest CF update, latest web server connector, and latest JVM--whereas right now, even someone installing CF 2018 today (with its latest installer) would have to do all those things manually
Finally, to the original point you were raising, it's worth clarifying also that we cannot update the Tomcat underlying CF ourselves: only Adobe can do that, as it's highly customized for CF. (If someone instead deployed Tomcat and then deployed CF on it via a WAR file, supported in the CF Enterprise, Developer, or Trial editions, they COULD of course update the Tomcat.)

/Charlie (troubleshooter, carehart.org)

Adobe Community

ColdFusion 2018 Tomcat Vulnerability: Recommended Update 9.0.31 or later