August 16, 2021
Update to address vulnerabilities from Tomcat.

Is there an update in the pipeline to address the vulnerabilities found within Tomcat or instructions on patching Tomcat to a new release? It is important for the user community to be proactively patching for vulnerabilities, especially for a front-end service like ColdFusion.

https://tomcat.apache.org/security-10.html#Apache_Tomcat_10.x_vulnerabilities

2 Comments
2021-08-24 12:04:02

As you seem to realize, the implementation of Tomcat underlying CF is entirely something Adobe controls: we can’t change it ourselves. And it’s fair to say that it’s always a bit behind (one or two Tomcat updates), sometimes quite a bit (a few updates). Usually the major version of Tomcat does not change except between new CF versions (and even then, not always).

And we can assume that Adobe is well aware of this situation and sometimes is just slow to respond to updating even minor Tomcat point releases for us, even when they may offer security fixes. It’s simply sad but true, and we can’t do it on our own.

So basically yes, we can expect that there is an update “in the pipeline”. We just can’t know when it will come, if soon, or even in the next CF update.

This is a known state of affairs. I’m just stating it for you, as someone wondering about it.

2021-08-24 06:20:25

ColdFusion is running on Tomcat 9, not Tomcat 10.
