Symantec has recently discovered a trojan/worm-style piece of malware that threatens application servers running Apache Tomcat. It seems to follow the typical command-and-control pattern, with control servers found in Taiwan and Luxembourg so far.
This threat uses a very specific attack vector: it tries to spread via the Apache Tomcat Manager applications, relying on the (quite often unchanged) weak passwords people set and on the weak example users/passwords Apache Tomcat ships with (commented out and not active by default). If it succeeds, it deploys itself as a servlet and the cycle restarts.
You can prevent the whole thing from happening if you have either disabled the Manager applications or set up users with non-default, strong passwords. The file to check is tomcat-users.xml and its content.
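As an added example (not code from the original post), here is a small Python check for that file: it lists the active users who hold a Manager role and whose plaintext password is a well-known example value, equals the username, or is short. The sample file contents and the weak-password list are constructed for the example, and it assumes the stock plaintext-password realm rather than digested passwords.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Tomcat's tomcat-users.xml (Tomcat 7+ namespace).
# The parser ignores the commented-out user, so only the active entries are assessed,
# which is exactly what Tomcat itself sees.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <!--
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  -->
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="deploy" roles="manager-script"/>
  <user username="ops" password="Vq8!rLm2#pZx9wTe" roles="manager-gui"/>
</tomcat-users>
"""

# Assumed list: passwords that appear in stock Tomcat example files or are trivially guessable.
WEAK_PASSWORDS = {"", "tomcat", "s3cret", "admin", "password", "manager"}
# Roles that grant access to the Manager application (Tomcat 7+ names plus the pre-7 "manager").
MANAGER_ROLES = {"manager", "manager-gui", "manager-script", "manager-jmx", "manager-status"}
MIN_LENGTH = 12

def _local(tag):
    """Strip the XML namespace so old (no namespace) and new files parse alike."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text):
    """Return a list of (username, reason) findings for active users who can reach the Manager app."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "user":
            continue
        name = elem.get("username", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue  # users without Manager access are out of scope for this check
        if password in WEAK_PASSWORDS:
            findings.append((name, "default or well-known example password"))
        elif password.lower() == name.lower():
            findings.append((name, "password equals username"))
        elif len(password) < MIN_LENGTH:
            findings.append((name, "password shorter than %d characters" % MIN_LENGTH))
    return findings

if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print("WARNING: manager user %r: %s" % (user, reason))
```

Point it at your real conf/tomcat-users.xml; an empty result means no active user can reach the Manager app with a weak password, while any finding is a user to change or remove before the Manager app is reachable from the network.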
Why is this even interesting for Adobe ColdFusion and Railo users? Mainly because a lot of people run their CFML servers on Apache Tomcat. There are various use cases you should be aware of:
a) Adobe ColdFusion 9 as a single-server install is safe from this attack, as it uses JRun. Tomcat deployment was never officially supported for Adobe ColdFusion 9, but it was certainly doable through custom .war deployments. If you did that, it's quite likely you're running a full version of Apache Tomcat and you might be vulnerable, depending on your setup (see above).
b) Adobe ColdFusion 10 comes with a preinstalled, embedded Tomcat instance if you do a single-server install. That could theoretically expose you. However, I've checked an install I'm running on OS X and it seems there are no users and roles enabled in the configuration either. Again, if you've done a custom J2EE deployment on your own Tomcat, make sure you check that and know what you're doing.
c) Current Railo 4 installers and custom installs: the installers are all very safe and secure by default; there haven't been any modifications to the users/role setup. The current 4.1 installers don't even install Tomcat's own webapps. If you used a vanilla Tomcat from Apache's website and dropped Railo into it as a .war/.jar file, you'll be fine too, as there are no users enabled for the Tomcat Manager apps.
The essence is: by default you should be fine, according to what I've seen. If you've modified your Apache Tomcat setup in any way, please make sure you're staying safe as well. Not to forget that full credit for making me aware of the Tomcat threat in the first place goes to Jordan Michaels.
Updated (29/11/2013): Changed the wording in 2nd paragraph.