Hello,
McAfee Scan Alert is reporting that Tomcat version 7.0.23.0 is not PCI compliant.
We're on CF10 and just updated to update 12.
We've read in another thread that Tomcat is specialized for CF and that
CF should be updating Tomcat as needed.
The complete Scan Alert warning is:
Scan indicates that you are using a vulnerable version of apache tomcat web server. The version of tomcat deployed on this web server may be outdated and vulnerable to a host of issues (including but not limited to)
- denial of service attacks
- directory traversal
- default admin passwords
- execution of code by arbitrary file uploads
- bypassing of access restrictions
- cross-site scripting
- session fixation
- bypass of CSRF prevention filter
Thanks in advance,
-Mike
I am sure, Mike, that you, me and every CF user will get a notification (public blog) once the version of Tomcat is upgraded.
I'm slightly confused. With the old pre-Tomcat version of CF, you could "usually" upgrade to the latest and greatest Java runtime. Is that no longer the case?
Hi Steve,
I read that information from:
http://blogs.coldfusion.com/post.cfm/what-s-the-deal-with-tomcat-in-coldfusion-10
>Yes, the in-built server in ColdFusion 10 is a modified version of Tomcat.
...
>That’s all good, but how do I upgrade the in-built Tomcat, in case Tomcat comes out with a critical fix or a security fix?
>Well, ColdFusion 10 now has an amazing delivery mechanism with hotfix notification and installer. We will use the same infrastructure to keep the Tomcat engine updated. CF-Tomcat update should be available soon after Tomcat comes out with any critical fix. We will also make the same available for you to download and use.
That is somewhat alarming to read and puts the brakes on a CF9-->CF10 project we have. Being a payment gateway we are very sensitive to reported vulnerabilities and getting them patched or plugged ASAP -- for both PCI and the fact that we have a lot on the line. If Adobe's JRun patching timeframes are any indication of Adobe's Tomcat patching timeframes, this will be a non-starter for us with CF10 and above. With CF9 it was (is) easy to upgrade the Java runtime to the latest that Oracle has to offer. Ugh!
I just had a fresh server built with CF10 and all the latest Adobe patches applied:
Not good! Version 7.0.23.0 was released 11/25/2011 -- over 2 years ago!!! No wonder the PCI scan is failing. Adobe, why do you bother with statements like "CF-Tomcat update should be available soon after Tomcat comes out with any critical fix" in your marketing material?
Mike, why did you start this thread? I was perfectly happy in my ignorant bliss.
Sorry, Steve.
It's surprising that this hasn't gotten more attention.
I need to take an hour or two in the next couple days and try to call them.
Hard to find a phone number for support these days.
I've been escalating through various channels and I have a conference call set up next week with some people at Adobe. Hopefully that call will reap some good news.
Ok. I had the conference call and here is what I found out. To the immediate question, CF10 will have an updated Tomcat mid to late this year. They (Adobe people) had some configuration questions about the environment that was scanned. I could not answer that as I'm going on second-hand information. Their question was, what web server is being used: IIS, Apache, or stand-alone CF server. They suspect the stand-alone server because under IIS or Apache, the Tomcat version that CF is using should not be a factor nor even visible to the scanner. Was this a stand-alone CF server, meaning was CF acting as the web server? A second guess was that proper lock-downs were not applied to the server as, like previously mentioned, the CF Tomcat should not be visible to the scanner.
These were guesses and I'm working to confirm this theory because, like I previously stated, my company is VERY security conscious. Adobe has committed to work with us and our scanning vendor directly if our testing determines it is an issue for us. I feel much better since the conf call. Thanks Adobe.
Yes, Steve, if your site is running on the built-in server (something that Adobe only suggests for development, and never in production), then Tomcat would be directly accessible. If CF is running on Apache or IIS, with the lockdown procedures in place as specified in the lockdown guide, then Tomcat should not be directly accessible.
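One way for an administrator to check what the scanner is actually seeing, as an added example that is not code from this thread or from Adobe: feed it the raw HTTP response your server returns for a request (for instance, a saved curl output for a non-existent path) and it reports whether a Tomcat version banner is exposed and whether that version is below a minimum you choose. The banner pattern ("Apache Tomcat/x.y.z" on stock Tomcat error pages and in some Server headers), the sample responses and the minimum version are all assumptions constructed for the example.

```python
import re
from typing import Optional, Tuple

# Stock Tomcat error pages and some Server headers carry a banner of the form
# "Apache Tomcat/7.0.23". This pattern is an assumption about stock Tomcat
# output; CF's modified Tomcat may differ, so verify against your own server.
BANNER_RE = re.compile(r"Apache Tomcat/(\d+(?:\.\d+)+)")

# Constructed sample: what a stand-alone (built-in) CF server might return
# for a missing page, with Tomcat answering directly.
BUILTIN_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><h1>HTTP Status 404 - /nope</h1>"
    "<hr><h3>Apache Tomcat/7.0.23</h3></body></html>"
)

# Constructed sample: the same request answered by an IIS front end with the
# lockdown applied, so nothing from Tomcat reaches the client.
IIS_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)


def tomcat_version(raw_http_response: str) -> Optional[str]:
    """Return the Tomcat version string leaked in a response, or None."""
    match = BANNER_RE.search(raw_http_response)
    return match.group(1) if match else None


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.0.23' into (7, 0, 23) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def assess(raw_http_response: str, minimum: str) -> str:
    """Classify a response: 'hidden', 'exposed' or 'exposed-outdated'.

    `minimum` is the lowest Tomcat version you consider acceptable; the
    value is yours to set, it is not taken from the thread or the scanner.
    """
    leaked = tomcat_version(raw_http_response)
    if leaked is None:
        return "hidden"
    if parse_version(leaked) < parse_version(minimum):
        return "exposed-outdated"
    return "exposed"
```

A "hidden" result on the public web-server port plus a "hidden" result from outside on the built-in server's port is what the lockdown should produce; an "exposed" result of any kind means the scanner can read Tomcat directly, regardless of which version is bundled.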
Has there been any update from Adobe on when they're going to update the modified version of Tomcat that's included with CF 10? It's now almost July, and I've been having to tell our client's security officers for months that Adobe hasn't upgraded, and CF 10 is not passing the security scan.
+1