Tomcat 9 Vulnerabilities- The version of Tomcat 9.0.21 contains security vulnerabilities that are fixed in Tomcat Version 9.0.40 or greater. The latest ColdFusion Update 10 will only update Tomcat to version 9.0.21. Would you please let us know how Adobe plans to address these vulnerabilities and when it would provide a Tomcat update to 9.0.31 or later?
The key vuln before 9.0.31 was the "ghostcat" vuln. And Adobe addressed that in March of 2020 not with an update to the Tomcat version but instead with a CF update that INCORPORATED the key aspects of the Tomcat fix (for AJP). For more, see the technotes from the updates (update 8 for CF2018, update 14 for CF2016), or see a post I did at the time which focused on how it was CRITICAL for you to update your web sites and the CF wsconfig after that update and those fixes. More here:
As for if and when Adobe will update Tomcat beyond the reported 9.0.21, they don't announce such things in advance, but we can have every reason to believe that they WILL at some point finally update Tomcat...and of course that would bring still more than just the fixes for ghostcat.
I appreciate that this is a frustrating situation for those running security scans, whose tools report CF as "vulnerable" because of this. To be clear, I'm just a messenger, having no influence on how things go.
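A configuration check an administrator facing those scan findings could run in the meantime, added here and not part of the thread or of Adobe's tooling: it audits the AJP connector attributes in a Tomcat server.xml for the two settings the Tomcat 9.0.31 AJP hardening introduced (binding to the loopback address and requiring a shared secret). The server.xml fragments, ports and secret value are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an AJP connector left at the pre-9.0.31 defaults
# (no address binding, no shared secret). Ports are illustrative only.
LEGACY_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8018" protocol="AJP/1.3" redirectPort="8445"/>
  </Service>
</Server>"""

# Constructed sample: the same connector with the 9.0.31-style hardening applied.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8018" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_SHARED_SECRET"
               redirectPort="8445"/>
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_ajp_connectors(server_xml: str) -> list:
    """Return [(port, [findings]), ...] for every AJP connector in server_xml.

    A missing attribute is treated as the pre-9.0.31 default (no binding,
    secret not required), which is the conservative reading for an audit.
    """
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue  # only AJP connectors are in scope
        findings = []
        address = conn.get("address")
        if address is None or address not in LOOPBACK:
            findings.append("AJP connector not bound to loopback address")
        if conn.get("secretRequired", "false").lower() != "true":
            findings.append("secretRequired is not true")
        elif not conn.get("secret"):
            findings.append("secretRequired is true but no secret is set")
        results.append((conn.get("port"), findings))
    return results
```

Note that a connector that is only reachable from the web server's connector module still needs the secret configured on both sides, which is the wsconfig step the reply above points to.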
Thank you so much for your response, we will go through the link you provided to address the "ghostcat" vuln. But as you mentioned, our organization's security scans picked this up and are forcing us to update to Tomcat 9.0.31 or later, so we hope the Adobe ColdFusion team will seriously consider including the latest Tomcat update as soon as possible.
Adobe ColdFusion Support Team- Please help the customers by including the latest Tomcat version (9.0.31 or later) with your next CF update, as Tomcat is an internal part of the ColdFusion software and customers cannot do anything unless you release a ColdFusion update with the latest Tomcat version.
Glad to help. BTW, a couple other things I had meant to add (but had a call starting right as I sent that last reply):