OpenSSL and ColdFusion / Lucee / Tomcat
By Pete Freitag
I've had a several people asking me about the openssl vulnerabilities that were patched this week: CVE-2022-3602 and CVE-2022-3786 aka Spooky SSL.
ColdFusion / Lucee and OpenSSL
As far as I know both ColdFusion and Lucee do not use openssl for any of its crypto operations by default. Both ColdFusion and Lucee use the Java Cryptographic Extension (JCE) layer which provides an api to access crypto algorithm implementations. Adobe ColdFusion Enterprise is using RSA BSafe CryptoJ provider, which has FIPS compliant implementations of many crypto algorithms. The standard version, and Lucee would likely just use the default provider that ships with java.
Adobe's Product Support Manager mentioned on the CFML slack on November 4, 2022 that Adobe ColdFusion is not impacted:
Hi All, Just want to update everyone that CF is not impacted by OpenSSL vulnerability.
Tomcat and OpenSSL
Tomcat - which ships with ColdFusion, can actually use openssl libraries to provide a SSL / TLS / HTTPS connector for the tomcat web server. This feature is called Tomcat Native. So if you have Tomcat configured with SSL/TLS you should check and see if it is using Tomcat Native with the OpenSSL Library. You would see something like this in your catalina.out file:
01-Nov-2022 10:22:42.105 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 3.0.4-dev 3 May 2022]
If you find that you are using OpenSSL version 3, you need to upgrade to the most recently patched version of OpenSSL 3. From the OpenSSL Security Advisory:
OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.
OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
Or you can also remove the Tomcat Native AprLifecycleListener from your
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
It appears that you can alternatively set
UseOpenSSL="false" on the
<Listener> tag of the AprLifecycleListener.
After making one of the above changes, double check your tomcat logs and make sure OpenSSL 3 is no longer output on server startup.
IIS and OpenSSL
IIS uses MSCAPI to perform crypto operations, so you should be ok at the web server level if you are using IIS.
Apache or nginx and OpenSSL
Most linux based web servers such as Apache or nginx would be using OpenSSL, however there is a good chance that your server is not using Openssl 3 yet. You can check the version of openssl installed by running:
Check the list of software affected / unaffected
Here is a handy list of software that has been marked as vulnerable or not vulnerable to this issue.
Disclaimer: The content (and links) on this page are provided as is, without warranty of any kind. Use at your own risk. You should consult with your software vendors to ensure that you are properly protected.
OpenSSL and ColdFusion / Lucee / Tomcat was first published on November 02, 2022.
If you like reading about coldfusion, lucee, security, tomcat, or openssl then you might also like:
- Spring4Shell and ColdFusion
- Log4j CVE-2021-44228 Log4Shell Vulnerability on ColdFusion / Lucee
- Scope Injection in CFML
- J2EE Sessions in CF10 Uses Secure Cookies
The FuseGuard Web Application Firewall for ColdFusion & CFML is a high performance, customizable engine that blocks various attacks against your ColdFusion applications.