McAfee Scan Alert is reporting that Tomcat version 126.96.36.199 is not pci compliant.
We're on CF10 and just updated to update 12.
We've read in another thread that Tomcat is specialized for CF and that
CF should be updating Tomcat as needed.
The complete Scan Alert warning is:
Scan indicates that you are using a vulnerable version of apache tomcat web server. The version of tomcat deployed on this web server may be outdated and vulnerable to a host of issues (including but not limited to)
- denial of service attacks
- directory traversal
- default admin passwords
- execution of code by arbitrary file uploads
- bypassing of access restrictions
- cross-site scripting
- session fixation
- bypass of CSRF prevention filter
Thanks in advance,
I read that information from:
>Yes, the in-built server in ColdFusion 10 is a modified version of Tomcat.
>That’s all good, but how do I upgrade the in-built Tomcat, in case Tomcat comes out with a critical fix or a security fix?
>Well, ColdFusion 10 now has an amazing delivery mechanism with hotfix notification and installer. We will use the same infrastructure to keep
>the Tomcat engine updated. CF-Tomcat update should be available soon after Tomcat comes out with any critical fix. We will also make the >same available for you to download and use.
That is somewhat alarming to read and puts the breaks on a CF9-->CF10 project we have. Being a payment gateway we are very sensitive to reported vulnerabilities and getting them patched or plugged ASAP -- for both PCI and the fact that we have a lot on the line. If Adobe's JRUN patching timeframes are any indication of Adobe's Tomcat patching timeframes, this will be a non-starter for us with CF10 and above. With CF9 it was (is) easy to upgrade the JAVA runtime to the latest that Oracle has to offer. Ugh!
I just had a fresh server built with CF10 and all the latest Adobe patches applied:
Not good! Version 188.8.131.52 was released 11/25/2011 -- over 2 years ago!!! No wonder the PCI scan is failing. Adobe, why do you bother with statements like "CF-Tomcat update should be available soon after Tomcat comes out with any critical fix" in your marketing material?
Mike, why did you start this thread? I was perfectly happy in my ignorant bliss.
It's surprising that this hasn't gotten more attention.
I need to take an hour or two in the next couple days and try to call them.
Hard to find a phone number for support these days.
Ok. I had the conference call and here is what I found out. To the immediate question, CF10 will have an updated Tomcat mid to late this year. They (Adobe people) had some configuration questions about the environment that was scanned. I could not answer that as I'm going on second hand information. Their question was, what web server is being used: IIS, Apache, or stand-alone CF server. They suspect the stand-alone server because under IIS or Apache, the Tomcat version that CF is using should not be a factor nor even visible to the scanner. We this a stand-alone CF server, meaning was CF acting as the web server? A second guess was that proper lock-downs were not applied to the server as, like previously mentioned, the CF Tomcat should not be visible to the scanner.
These were guesses and I'm working to confirm this theory because like I previously stated, my company is VERY security conscience. Adobe has committed to work with us and our scanning vendor directly if our testing determines it is an issue for us. I feel much better since the conf call. Thanks Adobe.
Yes, Steve, if your site is running on the built-in server (something that Adobe only suggests for development, and never in production), then Tomcat would be directly accessible. If CF is running on Apache or IIS, with the lockdown procedures in place as specified in the lockdown guide, then Tomcat should not be directly accessible.