If you are using ColdFusion 11, we recommend following these mitigation steps:

  1. If you are using a web server, follow the instructions specified in the section Add a connector shared secret section of the lockdown guide.
  2. Set the address attribute on AJP connector to localhost/127.0.0.1/::1 if the web server and ColdFusion co-exist in same server.
  3. If they are residing on different machine, configure each ColdFusion instance with Tomcat IP address so that ColdFusion tomcat can be accessed over remote connector.
  4. <Connector port="8018" protocol="AJP/1.3" packetSize="65535" redirectPort="8451" tomcatAuthentication="false" maxThreads="500" connectionTimeout="60000" address="YOUR_TOMCAT_IP_ADDRESS"/>
  5. Change your firewall configuration such that only trusted hosts such as web server will be allowed to access the AJP connector.
  6. If you are using ColdFusion 11 built-in web server, comment out or remove the AJP connector from server.xml and restart the ColdFusion server.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy