When will Adobe provide a hotfix for Tomcat 7.0.54?

Explorer ,
Aug 11, 2015

I can upgrade Tomcat myself, but that approach isn't documented and isn't likely to be supported by Adobe.


Tomcat is bundled as part of ColdFusion 11, so I would hope Adobe would either provide a hotfix or suggest a supported method to upgrade Tomcat.


Tomcat 7.0.59 fixes the following issues:

  • Security Manager bypass CVE-2014-7810
  • Request Smuggling issue CVE-2014-0227
  • Denial of Service issue CVE-2014-0230

Adobe Employee ,
Aug 11, 2015

I am looking into this, Joe.

Regards,

Anit Kumar

Explorer ,
Aug 17, 2015

Hi Anit.  Any updates or thoughts on those security issues?

Adobe Employee ,
Aug 17, 2015

Hi Joe,

We are looking into this and evaluating the upgrade options. This will take some time.

Regards,

Anit Kumar

Explorer ,
Aug 24, 2015

Hi Anit, thanks for the fast replies.  Any idea on how long it will take before the team determines if the issue impacts ColdFusion 11 with hotfix 5?  I presume it will take a while for the correct patch to be built.  If the issues above do impact ColdFusion, is this forum an acceptable way to make that request, or should I file the request in Adobe's bug base?

Adobe Employee ,
Aug 24, 2015

I have raised it to the respective team. This will take some time, because we are referring to the change in internal architecture (Tomcat, in this case). This has to be tested and verified as well.

Regards,

Anit Kumar

Explorer ,
Aug 31, 2015

Hi Anit.  I don't want to be a pest, but what is a reasonable expectation for how long it will take to determine if ColdFusion is even impacted by this issue?  If ColdFusion is impacted by that issue, then how long does it take for other similarly complex security issues to be tested and verified?  I'm just trying to adjust my expectations for timelines on this issue.

Adobe Employee ,
Aug 31, 2015

Hi Joe,

As of now, I can only update you that we have decided to update Tomcat. The estimated time frame is not yet sure. It will definitely take time.

We appreciate your cooperation.

Regards,

Anit Kumar

Explorer ,
Sep 25, 2015

Hi Anit!  Hopefully, I'm not bothering you too often on this issue.  Any thoughts on when the community could expect an Adobe approved updated version of Tomcat?

Adobe Employee ,
Sep 25, 2015

It will probably be in the next CF update.

Regards,

Anit Kumar

Explorer ,
Sep 25, 2015

Next CF update meaning CF12 or CF11 hotfix 7?

Adobe Employee ,
Sep 25, 2015

For all supported versions of CF. But, it's still not finalized yet.

Regards,

Anit Kumar

Explorer ,
Oct 21, 2015

Any progress on this hotfix?  I'm sorry to be such a pest, but our vulnerability scans are still showing this as an issue.

Adobe Employee ,
Oct 21, 2015

I understand, Joe. But as mentioned earlier, it will be in the next CF update. It's too early to specify an exact date as of now.

Regards,

Anit Kumar

Adobe Employee ,
Oct 24, 2015

Hi Joe,

Tomcat is now upgraded to 7.0.64. The update is available in pre-release as of now and would be live soon. Please refer to the following blog articles.

http://blogs.coldfusion.com/post.cfm/coldfusion-11-update-7-is-available-for-early-access

ColdFusion 10 Update 18 is available for early access — Adobe ColdFusion Blog

Regards,

Anit Kumar
