Is ColdFusion 10 affected by the Tomcat CVE-2017-12615 and/or CVE-2017-12617 vulnerabilities?
Thank you in advance
It most likely will be, as the latest update to CF 10 uses Tomcat 7.0.75.
CF 10 is end of life now so there will be no more updates to it.
It is affected in some cases where default settings are not used; however, if you disable the HTTP PUT verb and also disable all non-essential file extensions, like .jsp, you could protect yourself.
In a stock ACF install, no, you should not be vulnerable to it. From the CVE(s):
>> When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false)
The default setting for the default servlet in ACF 11 on the readonly setting is true. You can verify this by looking at /cfusion/runtime/conf/web.xml and looking for <servlet-name>default</servlet-name>. Unless it explicitly declares <readonly>false</readonly>, you are using the default value of true and are not vulnerable to these exploits.