Adobe Pushes Hotfix for ColdFusion

Adobe patched vulnerabilities in ColdFusion, LiveCycle Data Services and Premiere Clip for iOS.

Adobe this afternoon released hotfixes and security updates for three of its products that patch a handful of vulnerabilities, none of which is known to be exploited in the wild.

The most serious vulnerabilities were in ColdFusion, Adobe’s web application development platform. The hotfix affects ColdFusion 11 Update 6 and earlier, and ColdFusion 10 Update 17 and earlier; users should upgrade to 11 Update 7 and 10 Update 18.

“This hotfix resolves two input validation issues that could be used in reflected cross-site scripting attacks,” Adobe said in its advisory. “This hotfix also includes an updated version of BlazeDS that resolves an important server-side request forgery vulnerability.”
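The advisory does not describe the two ColdFusion pages involved, so the following is an added, generic illustration of the class of bug, not Adobe's code and not the patched pages themselves. It shows a CFML page that reflects a query-string parameter into its response without encoding, and the hardened form that uses ColdFusion 10+'s context-specific encoders. The file name `search.cfm`, the parameter `q` and the sample payload are assumptions for the example.

```cfml
<!--- Added example (not Adobe's code, not the patched pages).
      Assumed request: search.cfm?q=<script>alert(document.cookie)</script> --->

<!--- VULNERABLE: url.q is written straight into the response body and into
      an attribute. Whatever markup the attacker put in the link runs in the
      victim's browser under the application's origin (reflected XSS). --->
<cfoutput>
<p>Results for: #url.q#</p>
<input type="text" name="q" value="#url.q#">
</cfoutput>

<!--- HARDENED: default the parameter, then encode for the exact context the
      value lands in. encodeForHTML / encodeForHTMLAttribute /
      encodeForJavaScript are built-in since ColdFusion 10. --->
<cfparam name="url.q" default="" type="string">
<cfoutput>
<p>Results for: #encodeForHTML(url.q)#</p>
<input type="text" name="q" value="#encodeForHTMLAttribute(url.q)#">
<script>var lastQuery = "#encodeForJavaScript(url.q)#";</script>
</cfoutput>
```

Output encoding at the point of use, chosen per context (HTML body, attribute, JavaScript string), is the reliable fix for reflected XSS; ColdFusion's `scriptProtect` application setting is a blacklist filter and should be treated as defense in depth rather than a substitute for encoding.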

Adobe also released security updates for LiveCycle Data Services, affecting versions 4.7, 4.6.2, 4.5, 3.1 and 3.0.x on Windows, Mac OS X and UNIX machines. LiveCycle Data Services is Adobe’s server-side application framework.

The update patches the same server-side request forgery vulnerability fixed in ColdFusion (CVE-2015-5255) and also includes a new version of BlazeDS, the Java-based remoting and messaging component bundled with both products. James Kettle of PortSwigger Web Security is credited with reporting the issue to Adobe.

Finally, Adobe released a security update for Premiere Clip for iOS, patching an input validation vulnerability in version 1.1.1 of the mobile video-editing application.

This is the second ColdFusion and LiveCycle Data Services update since August, when Adobe patched the products twice in a nine-day period.
