Highlighted

ColdFusion and response to Ghostcat vulnerability in Tomcat

New Here ,
Mar 06, 2020

Copy link to clipboard

Copied

Recently, I have become aware of Ghostcat as a vulnerability in the Tomcat AJP protocol can be exploited to read file contents and access source code and configuration files. If the servers allow file uploads, the flaw can also be exploited to remotely execute code. Dubbed GhostCat because is has existed in Tomcat for more than a decade, the vulnerability affects Tomcat versions 6.x, 7.x, 8.x, and 9.x. Apache Tomcat has released versions 9.0.31, 8.5.51, and 7.0.100 to address the issue.

 

Since Tomcat is embedded in ColdFusion Server, is there a plan for patching ColdFusion to account for this issue?  Is there a way to mitigate the problem until such a patch is implemented?  Is there a way to patch the Tomcat on the Server without a ColdFusion patch?  

 

My company is currently running ColdFusion 2016.  

 

Thank you for any suggestions you might have.

Views

506

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

ColdFusion and response to Ghostcat vulnerability in Tomcat

New Here ,
Mar 06, 2020

Copy link to clipboard

Copied

Recently, I have become aware of Ghostcat as a vulnerability in the Tomcat AJP protocol can be exploited to read file contents and access source code and configuration files. If the servers allow file uploads, the flaw can also be exploited to remotely execute code. Dubbed GhostCat because is has existed in Tomcat for more than a decade, the vulnerability affects Tomcat versions 6.x, 7.x, 8.x, and 9.x. Apache Tomcat has released versions 9.0.31, 8.5.51, and 7.0.100 to address the issue.

 

Since Tomcat is embedded in ColdFusion Server, is there a plan for patching ColdFusion to account for this issue?  Is there a way to mitigate the problem until such a patch is implemented?  Is there a way to patch the Tomcat on the Server without a ColdFusion patch?  

 

My company is currently running ColdFusion 2016.  

 

Thank you for any suggestions you might have.

Views

507

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Mar 06, 2020 0
Adobe Community Professional ,
Mar 06, 2020

Copy link to clipboard

Copied

I would expect a security patch from Adobe for CF 2016 and CF 2018 soon. I don't think you can patch that yourself, because Adobe customizes the Tomcat connector that uses AJP. On the bright side, my understanding is that this is something you should be able to effectively lock down with other tools, like a host-based firewall. If you limit the AJP port so that it only accepts connections from the machine running CF, you should be safe from remote attacks. I took a look at the server.xml file for CF 2016 to see if this was locked down by default, but didn't find any indication that it was.

 

Dave Watts, Eidolon LLC

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 06, 2020 0
Community Beginner ,
Mar 09, 2020

Copy link to clipboard

Copied

Dave,

Would using the requiredSecret attribute of the AJP connector help against GhostCat?

 

thank you,

Chris Norloff

https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerabili...

https://www.avertium.com/cve-2020-1938-ghostcat-vulnerability/

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 09, 2020 0
Adobe Community Professional ,
Mar 26, 2020

Copy link to clipboard

Copied

Sorry for the slow reply, I kind of respond to these when I have free time and can get to them. I honestly don't know enough about how it works, or what the requiredSecret attribute does, to answer that question. But the article that Wolfshade found indicates that you need to be able to directly connect to Tomcat's open AJP port, which should limit potential attacks to those locations inside your firewall.

 

Dave Watts, Eidolon LLC

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 26, 2020 0
Community Beginner ,
Mar 26, 2020

Copy link to clipboard

Copied

Thanks Dave, appreciate your inputs!

 

For CF2018 this is now taken care of with Update 8 (which includes 'requiredSecret', now named 'secret'):

https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-8.html

 

For CF11 they recommend edits of the AJP Connector in server.xml:

https://helpx.adobe.com/coldfusion/kb/coldfusion-11-mitigation-steps.html

 

best,

Chris

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 26, 2020 0
Adobe Community Professional ,
Mar 26, 2020

Copy link to clipboard

Copied

Cf2016 update 14 also addresses this. 

/Charlie (server troubleshooter, carehart.org)

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 26, 2020 0
LEGEND ,
Mar 06, 2020

Copy link to clipboard

Copied

To add to what Dave has stated, I did some Google searching and found an article that states the vulnerability exists _only_ if a site/app allows uploads.  So, if you do not allow users to upload files, you should be fine.

 

Here's the article I found.

 

HTH,

 

^ _ ^

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 06, 2020 0