How to upgrade Apache Tomcat on a ColdFusion 10 server running Windows.

Upgrading Apache Tomcat on a ColdFusion 10 server. Our company recently received a security notification about a possible vulnerability. The vulnerability is called CVE-2019-0232. The recommendation is to upgrade from our current Tomcat 7.0.75.0 to Tomcat version 7.0.94.

Does anybody know if doing a manual upgrade is possible on ColdFusion 10 on Windows? Or is it best to wait for Adobe to release a patch? I'm skeptical that Adobe will do much about this anytime soon.
Garbonzo_Horowitz Asked:
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
Tomcat is an Apache product.

Doubtful any patch for this will come from Adobe, unless you somehow used an Adobe installer for Tomcat... which seems unlikely...
_agx_ Commented:
@David Favor - Adobe bundles Tomcat as a built-in development webserver for CF 10+.  One question I had after reading this article was whether Tomcat was still vulnerable if the cgi servlet is not enabled, do you happen to know?

@Garbonzo_Horowitz
CF10 was EOL'd as of May 2017, so no more security patches. Adobe has pushed Tomcat upgrades in updates for CF 11, 2016, etc. For example, CF 2016,0,10,314028 is running 8.5.32.0. Since it's a custom install, I'm not sure how or if you can update it easily. You may have to upgrade CF, which would be a good idea anyway since it's no longer supported.
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
@_agx_, Ah... That would explain the Tomcat + Adobe connection. Thanks for the clarification.

@Garbonzo_Horowitz, Likely Adobe will be the best contact point on this. If you try to manually update anything, this may break some future update package from Adobe.

Likely best to go with _agx_'s suggestion about updating to CF11 also. Doing this update may pull in Tomcat security fixes.

If I were in this situation, I'd likely do an update to latest Tomcat + CF, then if Tomcat was still downleveled, open a support ticket with Adobe for them to update to latest Tomcat.

I'm always a bit jittery about mucking around with custom installers, like what _agx_ described.
_agx_ Commented:
... unfortunately CF11 is EOL'd at the end of the month, so if you do upgrade go with the latest 2018 (or second choice 2016)
https://helpx.adobe.com/support/programs/eol-matrix.html

Garbonzo_Horowitz (Author) Commented:
Thank you both for the input. Upgrading to the latest CF version would seem like the only reasonable option; however, even Adobe's documentation for CF 2018 has an affected Tomcat version. https://helpx.adobe.com/pdf/coldfusion2018-support-matrix.pdf Notice that it only says Tomcat 9. I also found an old thread that says not to worry about this if you are using IIS instead of the "Built-In" server. https://forums.adobe.com/thread/1378716 Thanks again for your help!!!
_agx_ Commented:
Interesting, though what I find a little curious is that Tomcat came up in a scan at all.  Like that thread mentioned, it shouldn't be accessible IF the lockdown procedures were applied.  

Granted the CVE also mentioned the vulnerability was related to the CGI servlet, which is usually disabled by default in the bundled built-in server.  So it's possible it's a non-issue, but I can't say for certain.
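The thread leaves open whether the CGI servlet is actually enabled on the bundled Tomcat. The following is an added example, not code from any poster or from Adobe, that checks a `web.xml` for an active, mapped `org.apache.catalina.servlets.CGIServlet` and its `enableCmdLineArguments` setting, the option named in the Apache advisory for this CVE. The sample XML is constructed, the function names are hypothetical, and treating an unset option as enabled is a conservative assumption.

```python
import xml.etree.ElementTree as ET

CGI_CLASS = "org.apache.catalina.servlets.CGIServlet"

# Constructed samples: the CGI servlet commented out, then enabled and mapped.
SAMPLE_DEFAULT = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <!-- <servlet><servlet-name>cgi</servlet-name>
       <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class></servlet> -->
</web-app>"""
SAMPLE_ENABLED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param><param-name>enableCmdLineArguments</param-name>
                <param-value>true</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>cgi</servlet-name>
                   <url-pattern>/cgi-bin/*</url-pattern></servlet-mapping>
</web-app>"""

def _local(tag):
    """Strip the XML namespace so the check works across web.xml schema versions."""
    return tag.rsplit("}", 1)[-1]

def _text(elem, name):
    """Text of the first direct child called `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_cgi_servlet(root):
    """Report every active (uncommented) CGIServlet declaration under `root`."""
    mapped = {_text(m, "servlet-name") for m in root if _local(m.tag) == "servlet-mapping"}
    findings = []
    for s in root:
        if _local(s.tag) != "servlet" or _text(s, "servlet-class") != CGI_CLASS:
            continue
        name = _text(s, "servlet-name")
        params = {_text(p, "param-name"): _text(p, "param-value")
                  for p in s if _local(p.tag) == "init-param"}
        cmdline = params.get("enableCmdLineArguments")
        findings.append({
            "servlet": name, "mapped": name in mapped, "enableCmdLineArguments": cmdline,
            # Conservative assumption: an unset option is treated as enabled.
            "needs_review": name in mapped and (cmdline or "true").lower() != "false",
        })
    return findings
```

For a real install, pass `ET.parse(path).getroot()` for Tomcat's `conf/web.xml` and for each application's `WEB-INF/web.xml`; where those files live under a ColdFusion 10 install is not stated in this thread.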