Is CF 10 impacted by Tomcat CVE-2017-12615 or CVE-2017-12617?

New Here, Oct 09, 2017

Hi:

Is ColdFusion 10 impacted by the Tomcat CVE-2017-12615 and/or CVE-2017-12617 vulnerabilities?

Thank you in advance

ted


Advocate, Oct 10, 2017

It most likely will be, as the latest update to CF 10 uses Tomcat 7.0.75.

CF 10 is end of life now so there will be no more updates to it.

Engaged, Oct 10, 2017

It is affected in some cases where default settings are not used; however, if you disable the HTTP PUT verb and also disable all non-essential file extensions, like .jsp, you could protect yourself.

Participant, Oct 11, 2017

In a stock ACF install, no, you should not be vulnerable to it. From the CVE(s):

>> When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false)

The default setting for the default servlet in ACF 11 on the readonly setting is true. You can verify this by looking at /cfusion/runtime/conf/web.xml and looking for <servlet-name>default</servlet-name>. Unless it explicitly declares <readonly>false</readonly> then you are using the default value of true and not vulnerable to these exploits.

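The two pieces of advice in this thread (check whether the default servlet's readonly setting is false, and block the HTTP PUT verb) can be turned into a repeatable check. The following Python script is an added example, not code from this thread, from Adobe or from the Tomcat project. It parses a Tomcat-style web.xml such as the /cfusion/runtime/conf/web.xml mentioned above and reports (1) the effective readonly value of the servlet named default, looking for it in the form Tomcat's own conf/web.xml uses, an init-param named readonly under that servlet, with an absent parameter treated as true, and (2) whether a security-constraint with an empty auth-constraint denies PUT and DELETE on /*. The three web.xml documents at the bottom are constructed samples, not files from any real install.

```python
"""Audit a Tomcat-style web.xml for the conditions discussed in this thread:
(1) the 'default' servlet's readonly init-param (CVE-2017-12615/12617 need it
to be false) and (2) a security-constraint that denies PUT and DELETE.
The three web.xml documents at the bottom are constructed samples."""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip a '{namespace}' prefix so tags compare by local name."""
    return tag.split('}', 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with local name `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or '').strip()
    return None


def default_servlet_readonly(web_xml):
    """Effective readonly value for the servlet named 'default'.

    Tomcat's DefaultServlet treats a missing parameter as true, so both an
    absent init-param and an absent servlet declaration report True.
    """
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != 'servlet' or _child_text(servlet, 'servlet-name') != 'default':
            continue
        for param in servlet:
            if _local(param.tag) == 'init-param' and _child_text(param, 'param-name') == 'readonly':
                return (_child_text(param, 'param-value') or '').lower() != 'false'
        return True  # declared without the parameter -> Tomcat default (true)
    return True


def put_delete_denied(web_xml):
    """True if a security-constraint with an empty <auth-constraint/> covers
    PUT and DELETE on /*; an empty auth-constraint means no role may access."""
    root = ET.fromstring(web_xml)
    for sc in root.iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        if not any(_local(c.tag) == 'auth-constraint' and len(c) == 0 for c in sc):
            continue
        for wrc in sc:
            if _local(wrc.tag) != 'web-resource-collection':
                continue
            patterns = {(c.text or '').strip() for c in wrc if _local(c.tag) == 'url-pattern'}
            methods = {(c.text or '').strip().upper() for c in wrc if _local(c.tag) == 'http-method'}
            if '/*' in patterns and {'PUT', 'DELETE'} <= methods:
                return True
    return False


def audit(web_xml):
    """Summarise both checks; 'exposed' is True only when PUT is writable and not blocked."""
    readonly = default_servlet_readonly(web_xml)
    denied = put_delete_denied(web_xml)
    return {'readonly': readonly, 'put_delete_denied': denied,
            'exposed': not readonly and not denied}


# Constructed samples: stock (parameter absent), writable, and writable-but-blocked.
_HEAD = '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">'
_DEFAULT_SERVLET = """<servlet><servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>{extra}
</servlet>"""
_READONLY_FALSE = '\n  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>'
_DENY_PUT_DELETE = """<security-constraint>
  <web-resource-collection><web-resource-name>no-writes</web-resource-name>
    <url-pattern>/*</url-pattern><http-method>PUT</http-method><http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>"""

STOCK_WEB_XML = f"{_HEAD}{_DEFAULT_SERVLET.format(extra='')}</web-app>"
WRITABLE_WEB_XML = f"{_HEAD}{_DEFAULT_SERVLET.format(extra=_READONLY_FALSE)}</web-app>"
HARDENED_WEB_XML = f"{_HEAD}{_DEFAULT_SERVLET.format(extra=_READONLY_FALSE)}{_DENY_PUT_DELETE}</web-app>"

if __name__ == '__main__':
    for name, doc in (('stock', STOCK_WEB_XML), ('writable', WRITABLE_WEB_XML), ('hardened', HARDENED_WEB_XML)):
        print(name, audit(doc))
```

To run it against a real install, pass the file contents instead of the samples, for example `audit(open('/cfusion/runtime/conf/web.xml').read())`. The stock sample reports readonly true and therefore not exposed, the writable sample is exposed, and the hardened sample shows the thread's second suggestion (blocking PUT) covering a readonly=false configuration; setting readonly back to true remains the direct fix named in the CVE text.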