Mike_Downhill

When will Coldfusion 10 be updated with a newer version of Tomcat, to support PCI compliance?

Jan 13, 2014 1:31 PM

Tags: #tomcat

Hello,

McAfee Scan Alert is reporting that Tomcat version 7.0.23.0 is not PCI compliant.

We're on CF10 and just updated to update 12.

We've read in another thread that Tomcat is specialized for CF and that CF should be updating Tomcat as needed.

The complete Scan Alert warning is:

 

Scan indicates that you are using a vulnerable version of apache tomcat web server. The version of tomcat deployed on this web server may be outdated and vulnerable to a host of issues (including but not limited to)

- denial of service attacks
- directory traversal
- default admin passwords
- execution of code by arbitrary file uploads
- bypassing of access restrictions
- cross-site scripting
- session fixation
- bypass of CSRF prevention filter

Thanks in advance,

-Mike

Replies
Jan 13, 2014 1:44 PM, in reply to Mike_Downhill

I am sure, Mike, that you, me, and every CF user will get a notification (public blog) once the version of Tomcat is upgraded.
Jan 13, 2014 2:54 PM, in reply to Mike_Downhill

I'm slightly confused. With the old pre-Tomcat version of CF, you could "usually" upgrade to the latest and greatest Java runtime. Is that no longer the case?
Jan 13, 2014 4:09 PM, in reply to Mike_Downhill

That is somewhat alarming to read and puts the brakes on a CF9-->CF10 project we have. Being a payment gateway we are very sensitive to reported vulnerabilities and getting them patched or plugged ASAP -- for both PCI and the fact that we have a lot on the line. If Adobe's JRun patching timeframes are any indication of Adobe's Tomcat patching timeframes, this will be a non-starter for us with CF10 and above. With CF9 it was (is) easy to upgrade the Java runtime to the latest that Oracle has to offer. Ugh!
Jan 14, 2014 12:45 PM, in reply to Steve Sommers

I just had a fresh server built with CF10 and all the latest Adobe patches applied:

• Tomcat Version: 7.0.23.0

Not good! Version 7.0.23.0 was released 11/25/2011 -- over 2 years ago!!! No wonder the PCI scan is failing. Adobe, why do you bother with statements like "CF-Tomcat update should be available soon after Tomcat comes out with any critical fix" in your marketing material?

Mike, why did you start this thread? I was perfectly happy in my ignorant bliss.
Jan 16, 2014 1:13 PM, in reply to Mike_Downhill

I've been escalating through various channels and I have a conference call set up next week with some people at Adobe. Hopefully that call will reap some good news.
Jan 27, 2014 8:43 AM, in reply to Steve Sommers

Ok. I had the conference call and here is what I found out. To the immediate question, CF10 will have an updated Tomcat mid to late this year. They (Adobe people) had some configuration questions about the environment that was scanned. I could not answer that as I'm going on second-hand information. Their question was, what web server is being used: IIS, Apache, or stand-alone CF server. They suspect the stand-alone server because under IIS or Apache, the Tomcat version that CF is using should not be a factor nor even visible to the scanner. Was this a stand-alone CF server, meaning was CF acting as the web server? A second guess was that proper lock-downs were not applied to the server as, like previously mentioned, the CF Tomcat should not be visible to the scanner.

These were guesses and I'm working to confirm this theory because, like I previously stated, my company is VERY security conscious. Adobe has committed to work with us and our scanning vendor directly if our testing determines it is an issue for us. I feel much better since the conf call. Thanks Adobe.
Jan 27, 2014 11:56 AM, in reply to Steve Sommers

Yes, Steve, if your site is running on the built-in server (something that Adobe only suggests for development, and never in production), then Tomcat would be directly accessible. If CF is running on Apache or IIS, with the lockdown procedures in place as specified in the lockdown guide, then Tomcat should not be directly accessible.
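The last two replies make a point worth verifying on your own server rather than guessing: a PCI scanner can only report the bundled Tomcat version if the response it receives is Tomcat's own (built-in server, or a missing lockdown), whereas a response produced by IIS or Apache in front of CF carries nothing Tomcat-specific. The following is an added example written for this page, not code from the thread, from Adobe, or from ColdFusion: it examines a captured HTTP response (headers plus body) for the two ways Tomcat 7 discloses itself, the default `Server: Apache-Coyote/1.1` header and the `Apache Tomcat/<version>` text on its stock error pages, and compares any disclosed version against a minimum you supply. The function names, the two sample responses, and the `MINIMUM` value are constructed for the demonstration; substitute responses captured from your own host and the floor your scanning vendor requires.

```python
# Added example: detect whether an HTTP response discloses an Apache Tomcat
# version and whether that version is below a required minimum.
# Not code from the thread or from Adobe; runs offline on captured responses.
import re
from typing import Dict, Optional, Tuple

# Tomcat's default error pages put "Apache Tomcat/<version>" in <title> and <h3>;
# Tomcat 7 also sends "Server: Apache-Coyote/1.1" unless the header is overridden.
_TOMCAT_VERSION_RE = re.compile(r"Apache Tomcat/(\d+(?:\.\d+)+)")
_COYOTE_RE = re.compile(r"Apache-Coyote/", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.0.23.0' -> (7, 0, 23, 0). Handles both Tomcat's and CF's four-part strings."""
    return tuple(int(part) for part in text.split("."))


def is_older(version: str, minimum: str) -> bool:
    """True if version < minimum; shorter tuples are zero-padded so 7.0.23 == 7.0.23.0."""
    a, b = parse_version(version), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def find_tomcat_version(headers: Dict[str, str], body: str) -> Optional[str]:
    """Return the Tomcat version string the response discloses, or None."""
    for value in headers.values():
        match = _TOMCAT_VERSION_RE.search(value)
        if match:
            return match.group(1)
    match = _TOMCAT_VERSION_RE.search(body)
    return match.group(1) if match else None


def assess(headers: Dict[str, str], body: str, minimum: str) -> Dict[str, object]:
    """Summarise what a scanner would learn from this one response."""
    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    version = find_tomcat_version(headers, body)
    # Either signal means the scanner is talking to Tomcat itself, not IIS/Apache.
    tomcat_visible = bool(_COYOTE_RE.search(server)) or version is not None
    return {
        "server_header": server,
        "tomcat_visible": tomcat_visible,
        "version": version,
        "below_minimum": version is not None and is_older(version, minimum),
    }


# Constructed sample 1: a request for a missing path answered by the CF built-in
# (stand-alone) server, i.e. Tomcat's own default 404 page.
STANDALONE = (
    {"Server": "Apache-Coyote/1.1", "Content-Type": "text/html;charset=utf-8"},
    "<html><head><title>Apache Tomcat/7.0.23 - Error report</title></head>"
    "<body><h1>HTTP Status 404 - /missing</h1><h3>Apache Tomcat/7.0.23</h3></body></html>",
)

# Constructed sample 2: the same request through IIS with the CF lockdown applied;
# IIS produces the 404 itself and nothing Tomcat-specific reaches the client.
BEHIND_IIS = (
    {"Server": "Microsoft-IIS/7.5", "Content-Type": "text/html"},
    "<html><head><title>404 - File or directory not found.</title></head>"
    "<body><h2>404 - File or directory not found.</h2></body></html>",
)

MINIMUM = "7.0.50"  # constructed placeholder: use the floor your scan vendor requires


if __name__ == "__main__":
    for label, (hdrs, body) in (("stand-alone CF", STANDALONE), ("behind IIS", BEHIND_IIS)):
        print(label, assess(hdrs, body, MINIMUM))
```

Run it against responses you capture from your own ColdFusion host for a URL that does not exist (the error page is where the version text normally appears). A result with `tomcat_visible` true means the scanner's finding reflects what the host actually exposes, and the fix is the architecture the replies describe (front CF with IIS or Apache and apply the lockdown guide) rather than an argument with the scan vendor; `tomcat_visible` false on every response suggests the scanner reached Tomcat through some other path, which is the question Adobe asked Steve to confirm.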