Adobe Unscheduled Update Fixes Critical ColdFusion Flaws

Adobe has issued an unscheduled security update that fixes two critical flaws in its ColdFusion product. The critical vulnerabilities could enable an attacker to either execute arbitrary code or bypass access control on impacted systems.

Overall, Adobe released three patches – one for an “important” flaw and two for critical flaws – in the 2016 and 2018 versions of the ColdFusion commercial rapid web-application development platform.

“Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin,” said Adobe in its Tuesday alert.

The two critical flaws are a command injection vulnerability, stemming from a “vulnerable component” (CVE-2019-8073) that could enable arbitrary code execution; and a path traversal vulnerability (CVE-2019-8074) that could allow an attacker to bypass access control. The flaws were discovered by researchers with the Knownsec 404 Team and Daniel Underhay of Aura Information Security.

The important flaw (CVE-2019-8072) meanwhile is a security bypass that could allow information disclosure, discovered by Pete Freitag with Foundeo Inc.

Impacted are Update 4 and earlier versions of ColdFusion 2018, as well as Update 11 and earlier versions of ColdFusion 2016. Users are encouraged to update to ColdFusion 2018 Update 5 and ColdFusion 2016 Update 12.

The updates have a priority rating of 2, meaning that they address “vulnerabilities in a product that has historically been at elevated risk.” There are currently no known exploits for these flaws.

The patches fall outside Adobe’s regular security update schedule, which is the first Tuesday of every month. The regularly scheduled security update was released earlier in September and issued patches for critical vulnerabilities in Flash Player which, if exploited, could lead to arbitrary code execution.

On Monday of this week, Microsoft also released out-of-band security updates addressing two vulnerabilities – including an Internet Explorer zero-day vulnerability being actively exploited in the wild.
