Friday, April 28, 2023

OpenSSL and ColdFusion / Lucee / Tomcat


I’ve had a number of folks asking me about the OpenSSL vulnerabilities that were patched this week: CVE-2022-3602 and CVE-2022-3786, aka Spooky SSL.

ColdFusion / Lucee and OpenSSL

As far as I know, both ColdFusion and Lucee do not use OpenSSL for any of their crypto operations by default. Both ColdFusion and Lucee use the Java Cryptography Extension (JCE) layer, which offers an API to access crypto algorithm implementations. Adobe ColdFusion Enterprise uses the RSA BSafe CryptoJ provider, which has FIPS-compliant implementations of many crypto algorithms. The Standard edition, and Lucee, would likely just use the default provider that ships with Java.

Adobe’s Product Support Manager mentioned on the CFML Slack on November 4, 2022 that Adobe ColdFusion is not impacted:

Hi All, Just want to update everyone that CF is not impacted by OpenSSL vulnerability.

Tomcat and OpenSSL

Tomcat, which ships with ColdFusion, can actually use OpenSSL libraries to provide an SSL / TLS / HTTPS connector for the Tomcat web server. This feature is called Tomcat Native. So if you have Tomcat configured with SSL/TLS, you should check whether it is using Tomcat Native with the OpenSSL library. You will see something like this in your catalina.out file:

01-Nov-2022 10:22:42.105 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 3.0.4-dev 3 May 2022]

If you find that you are using OpenSSL version 3, you need to upgrade to the most recently patched version of OpenSSL 3. From the OpenSSL Security Advisory:

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.
OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

Or you can also remove the Tomcat Native AprLifecycleListener from your server.xml file:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

It looks like you can alternatively set UseOpenSSL="false" on the <Listener> tag of the AprLifecycleListener.

After making one of the above changes, double check your Tomcat logs and make sure OpenSSL 3 is no longer output on server startup.
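As an added example (not from the original post), here is a POSIX shell script that automates the two checks above: it pulls the OpenSSL version out of the AprLifecycleListener line in catalina.out, classifies it against the advisory text quoted earlier, and looks for an AprLifecycleListener in server.xml that would still load OpenSSL. The catalina.out and server.xml contents are constructed samples, and the function names are my own.

```shell
# Added example, not code from the original post. Reports whether Tomcat Native
# loaded an OpenSSL build the advisory covers (3.0.0 to 3.0.6) and whether
# server.xml still has an AprLifecycleListener that would load OpenSSL.

# Print the OpenSSL version Tomcat Native reported (e.g. "3.0.4-dev"), taken
# from the AprLifecycleListener.initializeSSL line. Returns 1 if there is none.
tomcat_openssl_version() {
    v=$(sed -n 's/.*AprLifecycleListener\.initializeSSL.*\[OpenSSL \([0-9][^ ]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Classify a version string against the advisory: 3.0.0..3.0.6 affected,
# 3.0.7 and later patched, 1.x branches not affected.
openssl_status() {
    case "$1" in
        1.*) echo not-affected ;;
        3.0.[0-6]|3.0.[0-6][!0-9]*) echo affected ;;
        3.*) echo patched ;;
        *) echo unknown ;;
    esac
}

# Return 0 if server.xml has a one-line AprLifecycleListener tag that is not
# disabled with UseOpenSSL="false" or SSLEngine="off". (Tags inside <!-- -->
# comments are not skipped; check those by eye.)
apr_openssl_enabled() {
    grep -o '<Listener[^>]*AprLifecycleListener[^>]*>' "$1" |
        grep -v 'UseOpenSSL="false"' | grep -qv 'SSLEngine="off"'
}

demo() {
    tmp=$(mktemp -d)
    # Constructed sample log and config; timestamps and versions are made up.
    cat > "$tmp/catalina.out" <<'EOF'
01-Nov-2022 10:22:41.900 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.35]
01-Nov-2022 10:22:42.105 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 3.0.4-dev 3 May 2022]
EOF
    printf '<Server>\n  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />\n</Server>\n' > "$tmp/server.xml"
    v=$(tomcat_openssl_version "$tmp/catalina.out") || v=none
    echo "Tomcat Native OpenSSL: $v ($(openssl_status "$v"))"
    if apr_openssl_enabled "$tmp/server.xml"; then
        echo "server.xml: AprLifecycleListener still loads OpenSSL"
    else
        echo "server.xml: AprLifecycleListener removed or disabled"
    fi
    rm -rf "$tmp"
}
demo
```

Point the two file arguments at your real catalina.out and server.xml to run it against a live install.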

IIS and OpenSSL

IIS uses MSCAPI to perform crypto operations, so you should be okay at the web server level if you are using IIS.

Apache or nginx and OpenSSL

Most Linux-based web servers such as Apache or nginx will be using OpenSSL; however, there is a good chance that your server is not using OpenSSL 3 yet. You can check the version of OpenSSL installed by running:

openssl version

Check the list of software affected / unaffected

Here is a helpful list of software that has been marked as vulnerable or not vulnerable to this issue.

Disclaimer: The content (and links) on this page are provided as is, without warranty of any kind. Use at your own risk. You should consult with your software vendors to ensure that you are properly protected.

OpenSSL and ColdFusion / Lucee / Tomcat was first published on November 02, 2022.
