If you are using ColdFusion 11, we recommend following these mitigation steps:
- If you are using a web server, follow the instructions in the "Add a connector shared secret" section of the lockdown guide.
- Set the address attribute on the AJP connector to localhost/127.0.0.1/::1 if the web server and ColdFusion co-exist on the same server.
- If they reside on different machines, configure each ColdFusion instance with the Tomcat IP address so that the ColdFusion Tomcat can be accessed over the remote connector:
- <Connector port="8018" protocol="AJP/1.3" packetSize="65535" redirectPort="8451" tomcatAuthentication="false" maxThreads="500" connectionTimeout="60000" address="YOUR_TOMCAT_IP_ADDRESS"/>
- Change your firewall configuration so that only trusted hosts, such as the web server, are allowed to access the AJP connector.
- If you are using the ColdFusion 11 built-in web server, comment out or remove the AJP connector from server.xml and restart the ColdFusion server.
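The steps above all come down to what the AJP `<Connector>` element in server.xml looks like after the change. The following script is an added example, not Adobe's code and not part of the lockdown guide: it parses a server.xml, finds every AJP connector and reports whether the bind address and the connector shared secret are set as the steps require. The three server.xml fragments embedded in it are constructed samples (the "hardened" one reuses the connector attributes shown above with a placeholder secret). The shared-secret attribute names are an assumption: `requiredSecret` on the Tomcat 7 line that ColdFusion 11 bundles, `secret` on Tomcat 7.0.100+/8.5.51+/9.0.31+; confirm against the documentation of the Tomcat version your installation actually ships.

```python
"""Audit the AJP connectors in a Tomcat/ColdFusion server.xml.

Added example, not Adobe's or the lockdown guide's code. The sample
server.xml fragments below are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

# Bind addresses that keep the connector reachable only from the same host.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# Wildcard bind addresses: equivalent to leaving `address` unset.
WILDCARD = {"0.0.0.0", "::"}
# Shared-secret attribute names (assumption: `requiredSecret` on the Tomcat 7
# line bundled with ColdFusion 11, `secret` on Tomcat 7.0.100+/8.5.51+/9.0.31+).
SECRET_ATTRS = ("requiredSecret", "secret")

# Constructed sample: AJP connector with no bind address and no secret.
WEAK_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8018" protocol="AJP/1.3" packetSize="65535"
               redirectPort="8451" tomcatAuthentication="false"/>
  </Service>
</Server>"""

# Constructed sample: the connector from the steps above, bound to loopback for
# a co-located web server and carrying a placeholder shared secret.
HARDENED_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8018" protocol="AJP/1.3" packetSize="65535"
               redirectPort="8451" tomcatAuthentication="false"
               maxThreads="500" connectionTimeout="60000"
               address="127.0.0.1" requiredSecret="REPLACE_WITH_SHARED_SECRET"/>
  </Service>
</Server>"""

# Constructed sample: built-in web server deployment with the AJP connector removed.
NO_AJP_SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="HTTP/1.1"/>
  </Service>
</Server>"""


def audit_ajp_connectors(server_xml):
    """Return one finding dict per AJP connector in server_xml.

    `issues` lists deviations from the mitigation steps; `notes` carries the
    follow-up needed when Tomcat is bound to a non-loopback IP (remote web
    server case). An empty result means no AJP connector is defined at all.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        address = conn.get("address")
        issues, notes = [], []
        if address is None or address in WILDCARD:
            issues.append("address unset or wildcard: AJP reachable on every interface")
        elif address not in LOOPBACK:
            # Binding to Tomcat's own IP is expected for a remote web server, but
            # the firewall must then restrict the port to that trusted host.
            notes.append(f"bound to {address}: firewall must allow only the web server")
        if not any(conn.get(attr) for attr in SECRET_ATTRS):
            issues.append("no connector shared secret (requiredSecret/secret)")
        findings.append({"port": conn.get("port"), "address": address,
                         "issues": issues, "notes": notes})
    return findings


def is_hardened(server_xml):
    """True when every AJP connector (if any) has no issues."""
    return all(not f["issues"] for f in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML),
                       ("no-ajp", NO_AJP_SERVER_XML)):
        print(label, "->", audit_ajp_connectors(xml) or "no AJP connector defined")
```

Run it against a real file with `audit_ajp_connectors(open("server.xml").read())`; an empty result is the expected state for a built-in-web-server deployment, and a non-empty `notes` entry is the cue to verify the firewall rule from the steps above rather than a misconfiguration in server.xml itself.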