cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
search
  • Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0
Upvote

ColdFusion and response to Ghostcat vulnerability in Tomcat

nancy.debnam
New Here ,
Mar 06, 2020 Mar 06, 2020

Copy link to clipboard

Copied

Recently, I have become aware of Ghostcat as a vulnerability in the Tomcat AJP protocol can be exploited to read file contents and access source code and configuration files. If the servers allow file uploads, the flaw can also be exploited to remotely execute code. Dubbed GhostCat because is has existed in Tomcat for more than a decade, the vulnerability affects Tomcat versions 6.x, 7.x, 8.x, and 9.x. Apache Tomcat has released versions 9.0.31, 8.5.51, and 7.0.100 to address the issue.

 

Since Tomcat is embedded in ColdFusion Server, is there a plan for patching ColdFusion to account for this issue?  Is there a way to mitigate the problem until such a patch is implemented?  Is there a way to patch the Tomcat on the Server without a ColdFusion patch?  

 

My company is currently running ColdFusion 2016.  

 

Thank you for any suggestions you might have.

Views

942

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
replies 6 Replies 6
latest latest Jump to latest reply
Dave Watts Community Expert
Community Expert ,
Mar 06, 2020 Mar 06, 2020

Copy link to clipboard

Copied

I would expect a security patch from Adobe for CF 2016 and CF 2018 soon. I don't think you can patch that yourself, because Adobe customizes the Tomcat connector that uses AJP. On the bright side, my understanding is that this is something you should be able to effectively lock down with other tools, like a host-based firewall. If you limit the AJP port so that it only accepts connections from the machine running CF, you should be safe from remote attacks. I took a look at the server.xml file for CF 2016 to see if this was locked down by default, but didn't find any indication that it was.

 

Dave Watts, Eidolon LLC

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
christophern92966137
Community Beginner ,
Mar 09, 2020 Mar 09, 2020

Copy link to clipboard

Copied

In Response To Dave Watts

Dave,

Would using the requiredSecret attribute of the AJP connector help against GhostCat?

 

thank you,

Chris Norloff

https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerabili...

https://www.avertium.com/cve-2020-1938-ghostcat-vulnerability/

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Dave Watts Community Expert
Community Expert ,
Mar 26, 2020 Mar 26, 2020

Copy link to clipboard

Copied

In Response To christophern92966137

Sorry for the slow reply, I kind of respond to these when I have free time and can get to them. I honestly don't know enough about how it works, or what the requiredSecret attribute does, to answer that question. But the article that Wolfshade found indicates that you need to be able to directly connect to Tomcat's open AJP port, which should limit potential attacks to those locations inside your firewall.

 

Dave Watts, Eidolon LLC

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
christophern92966137
Community Beginner ,
Mar 26, 2020 Mar 26, 2020

Copy link to clipboard

Copied

In Response To Dave Watts

Thanks Dave, appreciate your inputs!

 

For CF2018 this is now taken care of with Update 8 (which includes 'requiredSecret', now named 'secret'):

https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-8.html

 

For CF11 they recommend edits of the AJP Connector in server.xml:

https://helpx.adobe.com/coldfusion/kb/coldfusion-11-mitigation-steps.html

 

best,

Chris

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Charlie Arehart Community Expert
Community Expert ,
Mar 26, 2020 Mar 26, 2020

Copy link to clipboard

Copied

LATEST
In Response To christophern92966137

Cf2016 update 14 also addresses this. 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
WolfShade
LEGEND ,
Mar 06, 2020 Mar 06, 2020

Copy link to clipboard

Copied

To add to what Dave has stated, I did some Google searching and found an article that states the vulnerability exists _only_ if a site/app allows uploads.  So, if you do not allow users to upload files, you should be fine.

 

Here's the article I found.

 

HTH,

 

^ _ ^

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation
ColdFusion User Guide
Copyright © 2024 Adobe. All rights reserved.
Using the Community Experience League Terms of Use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices