When will Adobe provide a hotfix for Tomcat 7.0.54?

Explorer, Aug 11, 2015

I can upgrade Tomcat myself, but that approach isn't documented and isn't likely to be supported by Adobe.


Tomcat is bundled as part of ColdFusion 11, so I would hope Adobe would either provide a hotfix or suggest a supported method to upgrade Tomcat.


Tomcat 7.0.59 fixes the following issues:

  • Security Manager bypass CVE-2014-7810
  • Request Smuggling issue CVE-2014-0227
  • Denial of Service issue CVE-2014-0230


1 Correct Answer

Adobe Employee, Oct 24, 2015

Hi Joe,

Tomcat is now upgraded to 7.0.64. The update is available in pre-release as of now and would be live soon. Please refer to the following blog articles.

http://blogs.coldfusion.com/post.cfm/coldfusion-11-update-7-is-available-for-early-access

ColdFusion 10 Update 18 is available for early access — Adobe ColdFusion Blog

Regards,

Anit Kumar

Adobe Employee, Aug 11, 2015

I am looking into this Joe.

Regards,

Anit Kumar

Explorer, Aug 17, 2015

Hi Anit.  Any updates or thoughts on those security issues?

Adobe Employee, Aug 17, 2015

Hi Joe,

We are looking into this and evaluating the upgrade options. This will take some time.

Regards,

Anit Kumar

Explorer, Aug 24, 2015

Hi Anit, thanks for the fast replies. Any idea on how long it will take before the team determines if the issue impacts ColdFusion 11 with hotfix 5? I presume it will take a while for the correct patch to be built. If the issues above do impact ColdFusion, is this forum an acceptable way to make that request, or should I file the request in Adobe's bug base?

Adobe Employee, Aug 24, 2015

I have raised it to the respective team. This will take some time, because we are referring to the change in internal architecture (Tomcat, in this case). This has to be tested and verified as well.

Regards,

Anit Kumar

Explorer, Aug 31, 2015

Hi Anit. I don't want to be a pest, but what is a reasonable expectation for how long it will take to determine if ColdFusion is even impacted by this issue? If ColdFusion is impacted by that issue, then how long does it take for other similarly complex security issues to be tested and verified? I'm just trying to adjust my expectations for timelines on this issue.

Adobe Employee, Aug 31, 2015

Hi Joe,

As of now, I can only update you that we have decided to update Tomcat. The estimated time frame is not yet sure. It will definitely take time.

We appreciate your cooperation.

Regards,

Anit Kumar

Explorer, Sep 25, 2015

Hi Anit!  Hopefully, I'm not bothering you too often on this issue.  Any thoughts on when the community could expect an Adobe approved updated version of Tomcat?

Adobe Employee, Sep 25, 2015

It will probably be in the next CF update.

Regards,

Anit Kumar

Explorer, Sep 25, 2015

Next CF update meaning CF12 or CF11 hotfix 7?

Adobe Employee, Sep 25, 2015

For all supported versions of CF. But, it's still not finalized yet.

Regards,

Anit Kumar

Explorer, Oct 21, 2015

Any progress on this hotfix?  I'm sorry to be such a pest, but our vulnerability scans are still showing this as an issue.

Adobe Employee, Oct 21, 2015

I understand, Joe. But as mentioned earlier, it will be in the next CF update. It's too early to specify an exact date as of now.

Regards,

Anit Kumar

Adobe Employee, Oct 24, 2015

Hi Joe,

Tomcat is now upgraded to 7.0.64. The update is available in pre-release as of now and would be live soon. Please refer to the following blog articles.

http://blogs.coldfusion.com/post.cfm/coldfusion-11-update-7-is-available-for-early-access

ColdFusion 10 Update 18 is available for early access — Adobe ColdFusion Blog

Regards,

Anit Kumar
