Adobe has released patches fixing six critical vulnerabilities in its ColdFusion product that could lead to arbitrary code-execution.
The flaws impact Adobe’s ColdFusion product, which is the company’s commercial web application development platform. Impacted are the 2016 (Update 6 and earlier versions) and the July 12 (2018) release of ColdFusion, as well as ColdFusion 11 (Update 14 and earlier versions).
Overall, Adobe said ColdFusion contained nine flaws, including four critical deserialization of untrusted data flaws that could lead to arbitrary code-execution (CVE-2018-15965, CVE-2018-15957, CVE-2018-15958 and CVE-2018-15959). Additional flaws included one critical unrestricted file upload bug that could also lead to arbitrary code-execution (CVE-2018-15961) and one critical vulnerability that could enable arbitrary file-overwrite (CVE-2018-15960).
Other vulnerabilities include an important-severity security bypass glitch that allows arbitrary folder creation (CVE-2018-15963), an important directory listing flaw that could enable information disclosure (CVE-2018-15962), and a moderate information-disclosure vulnerability (CVE-2018-15964).
Adobe said it is not aware of any exploits in the wild for any of the issues addressed in the updates. The company recommends users update installations to ColdFusion 2018 Update 1, ColdFusion 2016 Update 7, and ColdFusion 11 Update 15.
“Adobe also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides,” the company said in an advisory published Tuesday.
In addition to ColdFusion, Adobe also released a security update for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. The update addresses an important-rated vulnerability in Adobe Flash Player Desktop Runtime, Flash Player for Google Chrome, and Flash Player for Microsoft Edge and Internet Explorer 11 – all for versions 30.0.0.154 and earlier.
The flaw (CVE-2018-15967) is a privilege-escalation vulnerability, the successful exploitation of which could lead to information disclosure. Adobe said that it is not aware of any exploits in the wild for the flaw; and users of impacted Adobe Flash Player versions should update to version 31.0.0.108.
This month’s 10 patches were on par with last month’s August Patch Tuesday for Adobe, where the company released 11 total fixes, including two critical patches for Acrobat and Reader. Exploitation of those vulnerabilities could lead to arbitrary code-execution in the context of the current user.
Last month, Adobe also issued two unscheduled updates – including for two critical flaws that could enable remote code-execution in Photoshop CC and a second unscheduled update to address a bug with a publicly available proof-of-concept code in the wild.
