I don't remember installing Apache Tomcat for coldFusion. Is Apache Tomcat service require for ColdFusion to function? We are currently running IIS as our web server.
You don't need Apache Tomcat installed on your machine to run ColdFusion. ColdFusion is using Tomcat as an underlying architecture. If you are using IIS, just install ColdFusion and create a connector.
ColdFusion is using Tomcat as an underlying architecture but it's not using Apache Tomcat? What I'm trying to get here is that if it's ColdFusion that's requiring apache tomcat, then we need to upgrade/patch tomcact since we've found a vulnerability when we scaned the machine; however, I couldn't verify that we are actually running apache tomcat on our server.
Please tell us the ColdFusion version which you are running and also tell us the vulnerability. You cannot upgrade the internal Tomcat by your own.
In case, you have a J2EE deployment over Tomcat, then you can certainly upgrade the Tomcat version.
The scanned show: Apache Tomcat 7.0.x < 7.0.57 Multiple Vulnerabilities (POODLE)
No details on the vulnerabilities.
Running ColdFusion version: 10,292620
You can update ColdFusion to the latest update. Make sure, you are not using JDK1.6 and most important, you have to disable the SSLv3. You can find an article which will tell you how to disable it.