Recently, I have become aware of Ghostcat, a vulnerability in the Tomcat AJP protocol that can be exploited to read file contents and access source code and configuration files. If the servers allow file uploads, the flaw can also be exploited to remotely execute code. Dubbed GhostCat because it has existed in Tomcat for more than a decade, the vulnerability affects Tomcat versions 6.x, 7.x, 8.x, and 9.x. Apache Tomcat has released versions 9.0.31, 8.5.51, and 7.0.100 to address the issue.
Since Tomcat is embedded in ColdFusion Server, is there a plan for patching ColdFusion to account for this issue? Is there a way to mitigate the problem until such a patch is implemented? Is there a way to patch Tomcat on the server without a ColdFusion patch?
My company is currently running ColdFusion 2016.
Thank you for any suggestions you might have.
I would expect a security patch from Adobe for CF 2016 and CF 2018 soon. I don't think you can patch that yourself, because Adobe customizes the Tomcat connector that uses AJP. On the bright side, my understanding is that this is something you should be able to effectively lock down with other tools, like a host-based firewall. If you limit the AJP port so that it only accepts connections from the machine running CF, you should be safe from remote attacks. I took a look at the server.xml file for CF 2016 to see if this was locked down by default, but didn't find any indication that it was.
Dave Watts, Eidolon LLC
Would using the requiredSecret attribute of the AJP connector help against GhostCat?
Sorry for the slow reply, I kind of respond to these when I have free time and can get to them. I honestly don't know enough about how it works, or what the requiredSecret attribute does, to answer that question. But the article that Wolfshade found indicates that you need to be able to directly connect to Tomcat's open AJP port, which should limit potential attacks to those locations inside your firewall.
Dave Watts, Eidolon LLC
Thanks Dave, appreciate your inputs!
For CF2018 this is now taken care of with Update 8 (which includes 'requiredSecret', now named 'secret'):
For CF11 they recommend edits of the AJP Connector in server.xml:
CF2016 Update 14 also addresses this.
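To show what the server.xml edit discussed above looks like, here is an added example of a stock Tomcat (9.0.31+) AJP Connector before and after hardening; it is not the thread's own configuration nor Adobe's shipped server.xml, and the port number, the placeholder secret, and the assumption that the web server connector runs on the same host as CF are mine.

```xml
<!-- BEFORE (weak): AJP listens on every interface and accepts any client.
     Anyone who can reach TCP 8009 can speak AJP to Tomcat directly. -->
<Connector port="8009"
           protocol="AJP/1.3"
           redirectPort="8443" />

<!-- AFTER (hardened), assuming the front-end web server connector runs on
     the same machine as ColdFusion:
       address        - bind only to loopback so remote hosts cannot connect
       secretRequired - refuse to start unless a secret is configured
       secret         - shared value the connector (e.g. mod_jk) must present
                        on every AJP request; "requiredSecret" is the older
                        attribute name that the thread mentions.
     The secret below is a constructed placeholder: generate a long random
     value and set the same value on the web server side
     (mod_jk: worker.<name>.secret=... in workers.properties). -->
<Connector port="8009"
           protocol="AJP/1.3"
           redirectPort="8443"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE_WITH_LONG_RANDOM_VALUE" />
```

If the web server connector lives on another host, bind `address` to the internal interface instead of loopback and pair it with a host-based firewall rule that only allows that host to reach the AJP port, as Dave suggests above.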
To add to what Dave has stated, I did some Google searching and found an article that states the vulnerability exists _only_ if a site/app allows uploads. So, if you do not allow users to upload files, you should be fine.
Here's the article I found.
^ _ ^