Adobe has issued an emergency patch for a critical vulnerability in its ColdFusion service that is being exploited in the wild.
The vulnerability, CVE-2019-7816, exists in Adobe’s commercial rapid web application development platform, ColdFusion. The ColdFusion vulnerability is a file upload restriction bypass which could enable arbitrary code execution.
“Adobe has released security updates for ColdFusion versions 2018, 2016 and 11,” according to the company’s security update. “These updates resolve a critical vulnerability that could lead to arbitrary code execution in the context of the running ColdFusion service.”
This attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request, so restricting requests to directories where uploaded files are stored will mitigate the attack, Adobe said.
Impacted is ColdFusion 2018, update 2 and earlier; ColdFusion 2016, update 9 and earlier; and ColdFusion 11, update 17 and earlier versions. The security update has a priority 1 rating, meaning that it resolves vulnerabilities being targeted by exploits in the wild.
“Adobe recommends administrators install the update as soon as possible. (for example, within 72 hours),” according to the company’s priority update page.
Charlie Arehart, Moshe Ruzin, Josh Ford, Jason Solarek, and Bridge Catalog Team were credited with discovering the vulnerability.
One of these researchers, Charlie Arehart, told Threatpost that he is still in discussions with Adobe PSIRT about what can be publicly released. In the meantime, no further details about the vulnerability or subsequent exploits have been released.
The emergency update comes a week after a separate unscheduled Adobe update, which fixed a critical zero-day vulnerability in Acrobat Reader. The zero-day vulnerability in Adobe Reader, disclosed by Alex Infuhr from cure53 in a Jan. 26 post, enabled bad actors to steal victims’ hashed password values, known as “NTLM hashes.”