Adobe is recommending ColdFusion users apply a series of mitigations to counter active exploits against vulnerabilities in the application server. An advisory was released late Friday night that the trio of flaws are being targeted by attackers, and that the company would not have a patch available for another week.
“We are in the process of finalizing a fix for the issues and expect a hotfix for ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX will be available on January 15, 2013,” the advisory said.
Two of the vulnerabilities affect ColdFusion 10, 9.0.2, 9.0.1 and 9.0. The first, CVE-2013-0625, could enable an attacker to bypass authentication in place and remotely control a ColdFusion server. CVE-2013-0629, could allow an attacker to access restricted directories on a vulnerable server.
The third vulnerability, CVE-2013-0631, affects versions 9.0.2, 9.0.1 and 9.0 and could lead to a data leak.
“Note that CVE-2013-0625 and CVE-2013-0629 only affect ColdFusion customers who do not have password protection enabled, or have no password set,” Adobe said in its advisory.
All of the vulnerabilities were given Adobe’s most critical rating.
Adobe, meanwhile, recommends a series of mitigations. The first, Adobe said, is to build credentials for Remote Development Services that are different from those used for the administrator account. Once those credentials are configured, Adobe recommends disabling RDS.
Users should also disable access from the outside to three directories: /CFIDE/administrator; /CFIDE/adminapi; and /CFIDE/componentutils, Adobe said.
Any unknown or unnecessary ColdFusion components or templates should be removed from the CFIDE or webroot directories.
Access control restrictions for the administrator interface and internal applications via the Administrator Console in version 10 should be implemented as we ll as within in the Web server’s access control mechanisms for versions 9.0.2 and earlier.
Adobe also recommends users apply the latest hotfix available for ColdFusion.