
When will ColdFusion 10 be updated with a newer version of Tomcat, to support PCI compliance?

Guest, Jan 13, 2014

Hello,

McAfee Scan Alert is reporting that Tomcat version 7.0.23.0 is not PCI compliant.

We're on CF10 and just updated to Update 12.

We've read in another thread that Tomcat is specialized for CF and that CF should be updating Tomcat as needed.

The complete Scan Alert warning is:

Scan indicates that you are using a vulnerable version of Apache Tomcat web server. The version of Tomcat deployed on this web server may be outdated and vulnerable to a host of issues (including but not limited to):

- denial of service attacks

- directory traversal

- default admin passwords

- execution of code by arbitrary file uploads

- bypassing of access restrictions

- cross-site scripting

- session fixation

- bypass of CSRF prevention filter

Thanks in advance,

-Mike

1 Correct answer

Participant, Jan 27, 2014

Yes, Steve, if your site is running on the built-in server (something that Adobe only suggests for development, and never in production), then Tomcat would be directly accessible. If CF is running on Apache or IIS, with the lockdown procedures in place as specified in the lockdown guide, then Tomcat should not be directly accessible.

Enthusiast, Jan 13, 2014

I am sure, Mike, that you, I, and every CF user will get a notification (public blog) once the version of Tomcat is upgraded.

Advocate, Jan 13, 2014

I'm slightly confused. With the old pre-Tomcat version of CF, you could "usually" upgrade to the latest and greatest Java runtime. Is that no longer the case?

Guest, Jan 13, 2014

Hi Steve,

I read that information from:

http://blogs.coldfusion.com/post.cfm/what-s-the-deal-with-tomcat-in-coldfusion-10

>Yes, the in-built server in ColdFusion 10 is a modified version of Tomcat.

...

> That's all good, but how do I upgrade the in-built Tomcat, in case Tomcat comes out with a critical fix or a security fix?

> Well, ColdFusion 10 now has an amazing delivery mechanism with hotfix notification and installer. We will use the same infrastructure to keep the Tomcat engine updated. CF-Tomcat update should be available soon after Tomcat comes out with any critical fix. We will also make the same available for you to download and use.

Advocate, Jan 13, 2014

That is somewhat alarming to read and puts the brakes on a CF9-->CF10 project we have. Being a payment gateway, we are very sensitive to reported vulnerabilities and getting them patched or plugged ASAP, both for PCI and because we have a lot on the line. If Adobe's JRun patching timeframes are any indication of Adobe's Tomcat patching timeframes, this will be a non-starter for us with CF10 and above. With CF9 it was (is) easy to upgrade the Java runtime to the latest that Oracle has to offer. Ugh!

Advocate, Jan 14, 2014

I just had a fresh server built with CF10 and all the latest Adobe patches applied:

  • Tomcat Version: 7.0.23.0

Not good! Version 7.0.23.0 was released 11/25/2011, over 2 years ago! No wonder the PCI scan is failing. Adobe, why do you bother with statements like "CF-Tomcat update should be available soon after Tomcat comes out with any critical fix" in your marketing material?

Mike, why did you start this thread? I was perfectly happy in my ignorant bliss.

Guest, Jan 15, 2014

Sorry, Steve.

It's surprising that this hasn't gotten more attention.

I need to take an hour or two in the next couple days and try to call them.

Hard to find a phone number for support these days.

Advocate, Jan 16, 2014

I've been escalating through various channels and I have a conference call set up next week with some people at Adobe. Hopefully that call will reap some good news.

Advocate, Jan 27, 2014

OK. I had the conference call and here is what I found out. To the immediate question, CF10 will have an updated Tomcat mid to late this year. They (Adobe people) had some configuration questions about the environment that was scanned. I could not answer that as I'm going on second-hand information. Their question was, what web server is being used: IIS, Apache, or stand-alone CF server? They suspect the stand-alone server because under IIS or Apache, the Tomcat version that CF is using should not be a factor nor even visible to the scanner. Was this a stand-alone CF server, meaning was CF acting as the web server? A second guess was that proper lock-downs were not applied to the server as, like previously mentioned, the CF Tomcat should not be visible to the scanner.

These were guesses and I'm working to confirm this theory because, like I previously stated, my company is VERY security conscious. Adobe has committed to work with us and our scanning vendor directly if our testing determines it is an issue for us. I feel much better since the conference call. Thanks, Adobe.

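The accepted answer and the conference-call report above agree on the mechanism: a scanner should only be able to identify the bundled Tomcat when ColdFusion's built-in web server (or an un-locked-down connector) answers requests from outside; behind IIS or Apache with the lockdown guide applied, Tomcat should not be visible at all. The script below is an added example, not code from this thread or from Adobe. It probes a host for a directly reachable Tomcat by requesting a path that cannot exist and looking for Tomcat's stock error page and `Server: Apache-Coyote` header, the same fingerprints a version scanner keys on. The default port list (8500 as the CF10 built-in web server port, 8080 as a common alternative) and the two sample responses are assumptions constructed for illustration; pass 80 and 443 as well to confirm that the IIS/Apache connector and the lockdown's custom error pages are not leaking the Tomcat banner through the front-end web server.

```python
import re
import socket

# Assumed (not stated in the thread): ports where a CF10 built-in web server
# would typically listen. Add 80/443 to check the IIS/Apache-fronted path too.
CF_BUILTIN_PORTS = (8500, 8080)

# Tomcat 7's stock error page carries "Apache Tomcat/<version>" in its title
# and footer; its default Server header is "Apache-Coyote/1.1".
VERSION_RE = re.compile(rb"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")
SERVER_RE = re.compile(rb"(?im)^Server:\s*(.+?)\r?$")


def assess_response(raw: bytes) -> dict:
    """Classify one raw HTTP response: is Tomcat fingerprintable, and which version?"""
    server = SERVER_RE.search(raw)
    server_hdr = server.group(1).decode("latin-1").strip() if server else ""
    ver = VERSION_RE.search(raw)
    version = tuple(int(g) for g in ver.groups()) if ver else None
    lowered = server_hdr.lower()
    exposed = version is not None or "coyote" in lowered or "tomcat" in lowered
    return {"server": server_hdr, "tomcat_version": version, "tomcat_exposed": exposed}


def probe(host: str, port: int, timeout: float = 3.0) -> dict:
    """Request a path that cannot exist so a reachable Tomcat answers with its own 404 page."""
    request = (
        f"GET /cf-scan-probe-{port}/ HTTP/1.0\r\n"
        f"Host: {host}\r\nConnection: close\r\n\r\n"
    ).encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            chunks, total = [], 0
            while total < 65536:  # the error page is small; cap the read anyway
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
                total += len(chunk)
    except OSError as exc:
        # Closed port or filtered host: Tomcat is not directly reachable here.
        return {"reachable": False, "error": str(exc), "tomcat_exposed": False}
    result = assess_response(b"".join(chunks))
    result["reachable"] = True
    return result


def scan_host(host: str, ports=CF_BUILTIN_PORTS) -> dict:
    """Probe every candidate port and report which ones fingerprint as Tomcat."""
    return {port: probe(host, port) for port in ports}


# Constructed sample responses (not captured from a real server) showing the
# two outcomes: a directly reachable Tomcat 7.0.23 versus an IIS front end.
SAMPLE_TOMCAT_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache-Coyote/1.1\r\n"
    b"Content-Type: text/html;charset=utf-8\r\n\r\n"
    b"<html><head><title>Apache Tomcat/7.0.23 - Error report</title></head>"
    b"<body><h1>HTTP Status 404 - /cf-scan-probe-8500/</h1><hr/>"
    b"<h3>Apache Tomcat/7.0.23</h3></body></html>"
)
SAMPLE_IIS_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>The resource cannot be found.</body></html>"
)

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        for port, verdict in scan_host(sys.argv[1]).items():
            print(port, verdict)
    else:
        print("tomcat sample:", assess_response(SAMPLE_TOMCAT_404))
        print("iis sample:   ", assess_response(SAMPLE_IIS_404))
```

Run it as `python probe.py cf-host.example` from outside the network perimeter, as the ASV scanner would see it. Any port where `tomcat_exposed` is true is a place the scanner will read the Tomcat version from, regardless of which CF update level is installed; the fix the thread points to is to take the built-in web server off the external interface and apply the lockdown guide's custom error pages, not to argue with the scan result.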
New Here, Jun 27, 2014

Has there been any update from Adobe on when they're going to update the modified version of Tomcat that's included with CF 10? It's now almost July, and I've been having to tell our client's security officers for months that Adobe hasn't upgraded, and CF 10 is not passing the security scan.

Guide, Jun 29, 2014

+1
