Adobe Patches Four ColdFusion Flaws Exploited in Wild

Adobe delivered a security hotfix for its ColdFusion application server today, repairing a host of vulnerabilities being exploited in the wild. The company had recommended a series of mitigations in a Jan. 7 advisory as a stopgap until today’s hotfix was released.


Two of the vulnerabilities affect ColdFusion 10, 9.0.2, 9.0.1 and 9.0, while the other two do not impact version 10; the hotfix is for Windows, Mac OS X and UNIX.

“This hotfix addresses vulnerabilities that could permit an unauthorized user to remotely circumvent authentication controls, potentially allowing the attacker to take control of the affected server,” Adobe said in its advisory.

The hotfix repairs two authentication bypass vulnerabilities (CVE-2013-0625 and CVE-2013-0632), a directory traversal (CVE-2013-0629) and a data leakage vulnerability (CVE-2013-0631).

“Note that CVE-2013-0625 and CVE-2013-0629 only affect ColdFusion customers who do not have password protection enabled, or have no password set,” Adobe said in its advisory. All of the vulnerabilities were given Adobe’s most critical rating.

Adobe, meanwhile, had recommended a series of mitigations that included setting credentials for Remote Development Services that differ from those used for the administrator account, and then disabling RDS. Users were also asked to deny external access to the directories /CFIDE/administrator, /CFIDE/adminapi and /CFIDE/componentutils.

Adobe also recommended any unknown or unnecessary ColdFusion components or templates should be removed from the CFIDE or webroot directories.
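As an added example, not from the article or from Adobe, the check below runs over constructed web-server access-log lines and flags any request that reached one of the three CFIDE directories named in the advisory from an address outside a trusted range. The trusted networks, the Common Log Format layout and the sample lines are assumptions; paths are percent-decoded and lower-cased before matching so that encoding or case variations do not slip past a naive string compare.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Directories Adobe's Jan. 7 advisory asked admins to block from outside; lower
# case because ColdFusion on Windows treats paths case-insensitively.
RESTRICTED_PREFIXES = ("/cfide/administrator", "/cfide/adminapi", "/cfide/componentutils")
# Assumed internal management ranges (hypothetical; adjust to the environment).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Common Log Format: ip ident user [timestamp] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def normalize_path(target):
    # Drop the query string, decode twice (collapses double encoding), lower-case, fold slashes.
    path = unquote(unquote(urlsplit(target).path)).lower()
    return re.sub(r"/+", "/", path)

def is_restricted(path):
    return any(path == p or path.startswith(p + "/") for p in RESTRICTED_PREFIXES)

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def find_external_admin_requests(lines):
    """Return (ip, normalized path, status) for each request that reached a
    restricted CFIDE directory from an address outside the trusted ranges."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        path = normalize_path(m.group("target"))
        if is_restricted(path) and not is_trusted(m.group("ip")):
            hits.append((m.group("ip"), path, m.group("status")))
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [08/Jan/2013:10:00:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 1234',
    '10.1.2.3 - - [08/Jan/2013:10:00:05 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 1234',
    '198.51.100.7 - - [08/Jan/2013:10:01:00 +0000] "GET /cfide/%61dminapi/administrator.cfc?method=login HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Jan/2013:10:01:02 +0000] "GET /CFIDE/scripts/ajax/package.js HTTP/1.1" 200 99',
    '203.0.113.10 - - [08/Jan/2013:10:02:00 +0000] "POST /CFIDE/componentutils/ HTTP/1.1" 403 0',
]
```

Running `find_external_admin_requests(SAMPLE_LOG)` yields three findings: the external hits on the administrator and (percent-encoded) adminapi paths, and the blocked POST to componentutils; the internal request and the static script fetch are ignored.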
