OpenSSL and ColdFusion / Lucee / Tomcat
By Pete Freitag
I've had several people asking me about the OpenSSL vulnerabilities that were patched this week: CVE-2022-3602 and CVE-2022-3786, aka "Spooky SSL".
ColdFusion / Lucee and OpenSSL
As far as I know, neither ColdFusion nor Lucee uses OpenSSL for any of its crypto operations by default. Both use the Java Cryptography Extension (JCE) layer, which provides an API for accessing crypto algorithm implementations supplied by pluggable providers. Adobe ColdFusion Enterprise uses the RSA BSafe Crypto-J provider, which has FIPS compliant implementations of many crypto algorithms. ColdFusion Standard and Lucee would likely just use the default providers that ship with Java. None of those providers are OpenSSL, so the JVM's own crypto is not where this bug would show up; the place to look is native code the JVM loads, which for a ColdFusion install means Tomcat Native (see below).
Adobe's Product Support Manager mentioned on the CFML slack on November 4, 2022 that Adobe ColdFusion is not impacted:
Hi All, Just want to update everyone that CF is not impacted by OpenSSL vulnerability.
Tomcat and OpenSSL
Tomcat, which ships with ColdFusion, can use the OpenSSL libraries to provide its SSL/TLS (HTTPS) connector. This is done through Tomcat Native, a JNI library that links Tomcat to APR and OpenSSL. So if Tomcat itself is terminating SSL/TLS (rather than IIS, Apache or nginx in front of it), check whether it is using Tomcat Native with the OpenSSL library. You would see something like this at startup in your catalina.out file (or whichever file your install sends Tomcat's stdout to):
01-Nov-2022 10:22:42.105 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 3.0.4-dev 3 May 2022]
If the version logged is any 3.0.x below 3.0.7 (the sample line above shows 3.0.4-dev, which is in that range), you need to upgrade to the most recently patched version of OpenSSL 3. Pay attention to where that OpenSSL code actually comes from: on Linux, Tomcat Native is usually dynamically linked against the system libssl, so patching the OS package and restarting Tomcat is enough, whereas the Windows tcnative binaries distributed by the Tomcat project statically link their own copy of OpenSSL, so there you need an updated Tomcat Native build rather than an OS patch. Either way, confirm by checking the version Tomcat logs after the restart. From the OpenSSL Security Advisory:
OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.
OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
Or you can remove the Tomcat Native AprLifecycleListener from your server.xml file:
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
It appears that you can alternatively keep the listener and set UseOpenSSL="false" on that <Listener> tag, which tells Tomcat not to use OpenSSL even when Tomcat Native is available. One caveat with either change: the APR/native connector (Http11AprProtocol) does its TLS through OpenSSL by design, so if a <Connector> in the same server.xml uses it, change that connector to the NIO protocol (Http11NioProtocol) as well. With NIO and no OpenSSL, TLS is handled by Java's JSSE instead.
After making one of the above changes, restart Tomcat and check the startup log again to confirm that the OpenSSL initialization line no longer appears, and that HTTPS still works now that the connector is using JSSE.
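As an added example (not code from the original post, nor from the Tomcat or ColdFusion projects), here is a POSIX shell script that automates the two checks above: it pulls the OpenSSL version out of a Tomcat startup log, decides whether it falls in the affected 3.0.0 to 3.0.6 range, and greps server.xml to see whether the AprLifecycleListener still enables OpenSSL. It assumes the log contains the AprLifecycleListener line quoted above and that the <Listener> element sits on one line, as it does in the snippet; the sample log and server.xml files it writes are constructed inline for illustration, not real server output. The version parser also accepts the output of `openssl version`, so it serves the Apache/nginx check further down as well.

```shell
#!/bin/sh
# Added example, not code from the original post or from Tomcat/ColdFusion.
# Triage a Tomcat install for the OpenSSL 3.0.x issue: read the version that
# Tomcat Native logged at startup, decide whether it is in the affected
# 3.0.0 - 3.0.6 range (fixed in 3.0.7), and check whether server.xml still
# turns OpenSSL on through the AprLifecycleListener.
# Assumptions: the log carries the AprLifecycleListener line quoted in the
# post, and the <Listener> element sits on a single line as it does there.

# Print the OpenSSL version token (e.g. "3.0.4-dev", "1.1.1n") from a Tomcat
# startup log; the same pattern also parses `openssl version` output.
# Prints nothing when OpenSSL was never initialized.
openssl_version_from_log() {
    sed -n 's/.*OpenSSL \([0-9][0-9.]*[0-9][a-z]*\(-[a-z0-9]*\)\{0,1\}\).*/\1/p' "$1" | head -n 1
}

# Succeed (exit 0) when the version is 3.0.x with x < 7, the affected range
# named in the advisory; 1.1.1 and 1.0.2 are deliberately reported as safe.
openssl_needs_patch() {
    v=${1%%-*}                   # "3.0.4-dev" -> "3.0.4"
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}      # "1n" -> "1"
    [ "$major" = 3 ] && [ "$minor" = 0 ] && [ "${patch:-0}" -lt 7 ]
}

# Succeed when server.xml still enables OpenSSL: an AprLifecycleListener with
# SSLEngine="on" and no UseOpenSSL="false" override on the same line.
serverxml_enables_openssl() {
    grep -i 'AprLifecycleListener' "$1" \
      | grep -i 'SSLEngine="on"' \
      | grep -iqv 'UseOpenSSL="false"'
}

# Combine both checks. Exit 0 = exposed (patch OpenSSL or disable Tomcat
# Native); exit 1 = not exposed through this vector.
tomcat_exposed() {
    log=$1; xml=$2
    ver=$(openssl_version_from_log "$log")
    if [ -z "$ver" ]; then
        echo "OpenSSL never initialized by Tomcat Native: not exposed"
        return 1
    fi
    if ! openssl_needs_patch "$ver"; then
        echo "OpenSSL $ver is outside the affected 3.0.0-3.0.6 range: not exposed"
        return 1
    fi
    if ! serverxml_enables_openssl "$xml"; then
        echo "OpenSSL $ver was logged but server.xml no longer enables it: recheck after restart"
        return 1
    fi
    echo "EXPOSED: Tomcat Native is using OpenSSL $ver; upgrade to 3.0.7 or disable it"
    return 0
}

# --- constructed sample inputs (illustrative, not real server output) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_LOG=$SAMPLE_DIR/catalina.out
SAMPLE_XML=$SAMPLE_DIR/server.xml
SAFE_XML=$SAMPLE_DIR/server-fixed.xml
cat > "$SAMPLE_LOG" <<'EOF'
01-Nov-2022 10:22:41.900 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
01-Nov-2022 10:22:42.105 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 3.0.4-dev 3 May 2022]
EOF
cat > "$SAMPLE_XML" <<'EOF'
<Server port="8007" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
</Server>
EOF
cat > "$SAFE_XML" <<'EOF'
<Server port="8007" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" UseOpenSSL="false" />
</Server>
EOF

tomcat_exposed "$SAMPLE_LOG" "$SAMPLE_XML"          # EXPOSED: ... OpenSSL 3.0.4-dev ...
tomcat_exposed "$SAMPLE_LOG" "$SAFE_XML" || true    # server.xml no longer enables it
```

Point the script at your real startup log and server.xml to use it; if your install redirects Tomcat's stdout elsewhere (ColdFusion keeps its own log files under the instance's logs directory), pass that file instead of catalina.out. The server.xml check is a line-oriented grep rather than an XML parse, so a Listener element split across several lines, or commented out, needs a manual look.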
IIS and OpenSSL
IIS uses the Windows SChannel TLS stack, which is built on Microsoft's own crypto APIs rather than OpenSSL, so you should be fine at the web server level if you are using IIS. That only covers the IIS listener, though: if the Tomcat behind IIS also has its own HTTPS connector enabled, it still needs the check above.
Apache or nginx and OpenSSL
Most Linux-based web servers such as Apache or nginx link against OpenSSL, but there is a good chance your server is not on OpenSSL 3 yet, since many distributions still ship 1.1.1, which is not affected. Two caveats: the command below reports the library behind the openssl CLI, which is normally but not always the same libssl the web server process loads, so confirm against the server binary's linked libraries if in doubt; and distributions often backport the fix without changing the version string, so a 3.0.x package below 3.0.7 may already be patched, which makes your distro's advisory the authoritative answer rather than the version number alone. You can check the version installed by running:
openssl version
Check the list of software affected / unaffected
Here is a handy list of software that has been marked as vulnerable or not vulnerable to this issue.
Disclaimer: The content (and links) on this page are provided as is, without warranty of any kind. Use at your own risk. You should consult with your software vendors to ensure that you are properly protected.
OpenSSL and ColdFusion / Lucee / Tomcat was first published on November 02, 2022.
If you like reading about coldfusion, lucee, security, tomcat, or openssl then you might also like:
- Spring4Shell and ColdFusion
- Log4j CVE-2021-44228 Log4Shell Vulnerability on ColdFusion / Lucee
- Scope Injection in CFML
- J2EE Sessions in CF10 Uses Secure Cookies