ColdFusion 2018 Tomcat Vulnerability: Recommended Update 9.0.31 or later

New Here, Mar 09, 2021

Hi, 

 

Tomcat 9 Vulnerabilities: The version of Tomcat 9.0.21 contains security vulnerabilities that are fixed in Tomcat version 9.0.40 or greater. The latest ColdFusion Update 10 will only update Tomcat to version 9.0.21. Would you please let us know how Adobe plans to address these vulnerabilities and when it would provide a Tomcat update to 9.0.31 or later?

 

Thanks!!

Adobe Community Professional, Mar 09, 2021

The key vuln before 9.0.31 was the "ghostcat" vuln. And Adobe addressed that in March of 2020 not with an update to the Tomcat version but instead with a CF update that INCORPORATED the key aspects of the Tomcat fix (for AJP). For more, see the technotes from the updates (update 8 for CF2018, update 14 for CF2016), or see a post I did at the time which focused on how it was CRITICAL for you to update your web sites and the CF wsconfig after that update and those fixes. More here:

https://coldfusion.adobe.com/2020/03/three-reasons-sites-may-break-fix-applying-mar-2020-update-cf20...

As for if and when Adobe will update Tomcat beyond the reported 9.0.21, they don't announce such things in advance, but we can have every reason to believe that they WILL at some point finally update Tomcat...and of course that would bring still more than just the fixes for ghostcat.

I appreciate that this is a frustrating situation for those running security scans, whose tools report CF as "vulnerable" because of this. To be clear, I'm just a messenger, having no influence on how things go.


/Charlie (server troubleshooter, carehart.org)
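The reply above makes the practical point that a scanner keying on the Tomcat version string cannot see a fix that was back-ported into the AJP connector, so the useful defender's check is on the AJP connector configuration itself. The following is an added example, not code from this thread, from Adobe, or from the Tomcat project: it audits a Tomcat-style `server.xml` for AJP connectors that are not bound to loopback or that carry no shared secret, and compares a reported version against the 9.0.31 threshold the scanners use. It assumes the standard Tomcat AJP connector attribute names (`address`, `secret`, `secretRequired`, and the older `requiredSecret`); the sample `server.xml` is constructed for the example, and the bundled Tomcat in a CF install may lay its configuration out differently.

```python
"""Audit AJP connector exposure in a Tomcat-style server.xml and compare a
reported Tomcat version against the 9.0.31 (Ghostcat-fixed) threshold.

Added example, not from the thread; attribute names are Tomcat's standard
AJP connector attributes, and the sample XML below is constructed."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# First Tomcat 9 release that shipped the AJP hardening scanners look for.
GHOSTCAT_FIXED_VERSION = (9, 0, 31)

# Constructed sample: one HTTP connector, one exposed AJP connector with no
# secret, and one AJP connector bound to loopback with a secret (placeholder value).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8445"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="EXAMPLE-PLACEHOLDER-SECRET"/>
  </Service>
</Server>
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.0.21' into (9, 0, 21) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def version_at_or_above(reported: str,
                        threshold: Tuple[int, ...] = GHOSTCAT_FIXED_VERSION) -> bool:
    """True when the reported Tomcat version already includes the AJP fix."""
    return parse_version(reported) >= threshold


def audit_ajp_connectors(server_xml: str) -> List[str]:
    """Return one finding string per weakness found on each AJP connector.

    Two checks per connector:
      1. Not explicitly bound to a loopback address (older Tomcat defaults
         to all interfaces when `address` is unset).
      2. No shared secret configured (neither `secret` nor the legacy
         `requiredSecret`), so any host able to reach the port can speak AJP.
    """
    findings: List[str] = []
    root = ET.fromstring(server_xml)
    loopback = {"127.0.0.1", "::1", "localhost"}

    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").startswith("AJP/"):
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        if address is None or address not in loopback:
            shown = address if address is not None else "unset"
            findings.append(
                f"AJP port {port}: address={shown}; bind the connector to loopback "
                f"unless a remote web server connector genuinely needs it")
        has_secret = bool(conn.get("secret") or conn.get("requiredSecret"))
        if not has_secret:
            findings.append(
                f"AJP port {port}: no shared secret configured; set secret= "
                f"(secretRequired=true on 9.0.31+ refuses to start without one)")
    return findings


if __name__ == "__main__":
    for version in ("9.0.21", "9.0.31", "9.0.40"):
        state = "at/after" if version_at_or_above(version) else "before"
        print(f"Tomcat {version}: {state} the 9.0.31 AJP fix")
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

Run against the sample, the version check reports 9.0.21 as before the fix and both later versions as at or after it, and the audit flags only port 8009 (unset bind address and no secret) while the loopback-bound connector on 8010 passes. The point for the thread is that the audit result, not the version string, is what tells you whether the AJP exposure is actually closed on a patched CF install.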

New Here, Mar 09, 2021

Thank you so much for your response; we will go through the link you provided to address the "ghostcat" vuln. But as you mentioned, our organization's security scans picked this up and are forcing us to update to Tomcat 9.0.31 or later, so we hope the Adobe ColdFusion team will seriously consider including the latest Tomcat update as soon as possible.

Adobe ColdFusion Support Team: Please help the customers by including the latest Tomcat version (9.0.31 or later) with your next CF update, as Tomcat is an internal part of the ColdFusion software and customers cannot do anything unless you release a ColdFusion update with the latest Tomcat version.

Thank you!!

Adobe Community Professional, Mar 09, 2021

Glad to help. BTW, a couple other things I had meant to add (but had a call starting right as I sent that last reply):

  • CF2021 did indeed come out with an updated Tomcat: 9.0.37. We can wish it was still more updated, but CF2021 came out in Nov 2020, and of course they need lead time to test things out. I realize that doesn't help those on CF2018 or 2016.
  • As for CF2016, note that it stopped being updated last month (5 years after its release), so we may not see any update to CF2016 to support a still-later Tomcat.
  • As for whether CF2018 will get an updated Tomcat, again we can only hope. And while they have in the past updated Tomcat via only a CF update, I hope they may instead create a new CF2018 installer that would update not only Tomcat but also implement the latest CF update, latest web server connector, and latest JVM, whereas right now, even someone installing CF 2018 today (with its latest installer) would have to do all those things manually.
  • Finally, to the original point you were raising, it's worth clarifying also that we cannot update the Tomcat underlying CF ourselves: only Adobe can do that, as it's highly customized for CF. (If someone instead deployed Tomcat and then deployed CF on it via a WAR file, supported in the CF Enterprise, Developer, or Trial editions, they COULD of course update the Tomcat.)

/Charlie (server troubleshooter, carehart.org)
