ColdFusion Hotfix Resolves XSS, Java Deserialization Bugs

Adobe on Tuesday morning released an important security hotfix for several versions of ColdFusion, resolving two bugs.

Adobe today released an important security hotfix for several versions of its ColdFusion rapid web application development platform.

The company said the update addresses an input validation vulnerability (CVE-2017-3008) in the software that could be used in reflected cross-site scripting (XSS) attacks.

The hotfix also includes an updated version of Apache BlazeDS to help mitigate a Java deserialization vulnerability (CVE-2017-2066).

The latest version of BlazeDS, a Java-based remote messaging feature, resolves a remote code execution issue disclosed by US-CERT earlier this month.

The bug, which also affected software by VMware and Atlassian, could have allowed an attacker to execute arbitrary code when deserializing an untrusted Java object in some scenarios. VMware fixed the bug in vCenter Server two weeks ago; Atlassian fixed the bug in JIRA several weeks back.

Markus Wulftange, a German pen-tester who found the bug last month, hinted the vulnerability could affect some applications developed by Adobe. He advised at the time that any applications running the vulnerable BlazeDS implementation migrate to the latest version, 4.7.3, to address the issue.
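The risk described above comes from letting ObjectInputStream instantiate whatever class the untrusted byte stream names. The defensive pattern below is an added example, not BlazeDS's or Adobe's code, and it covers plain Java serialization rather than the AMF path BlazeDS uses: the stream is wrapped in a subclass that checks every class descriptor against an allowlist before the class is resolved, so a class the application never expects is rejected before any of its code runs. The class names in the allowlist and the two sample payloads are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Set;

// ObjectInputStream that only resolves classes present on an explicit allowlist.
// resolveClass() is invoked for every class descriptor read from the stream,
// including superclasses, so the check happens before instantiation.
public class AllowlistObjectInputStream extends ObjectInputStream {
    private final Set<String> allowedClasses;

    public AllowlistObjectInputStream(InputStream in, Set<String> allowedClasses) throws IOException {
        super(in);
        this.allowedClasses = allowedClasses;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowedClasses.contains(name)) {
            // Reject the stream instead of loading an unexpected class.
            throw new InvalidClassException(name, "class not on the deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Helper to build sample payloads for the demo (constructed data, not captured traffic).
    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Deserialize with the allowlist applied; callers see an InvalidClassException
    // for anything outside the permitted set.
    static Object readAllowlisted(byte[] data, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (AllowlistObjectInputStream ois =
                     new AllowlistObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical application that only ever exchanges HashMap payloads.
        Set<String> allowed = Set.of("java.util.HashMap");

        byte[] expected = serialize(new HashMap<String, String>());
        System.out.println("accepted: " + readAllowlisted(expected, allowed).getClass().getName());

        // ArrayList is harmless here; it simply stands in for any class the
        // application did not anticipate receiving.
        byte[] unexpected = serialize(new ArrayList<String>());
        try {
            readAllowlisted(unexpected, allowed);
            System.out.println("unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

On Java 9 and later (and 8u121+), the built-in ObjectInputFilter mechanism from JEP 290 provides the same allowlisting without subclassing, and additionally limits stream depth and array sizes; the subclass above is the portable form of the same idea. Either way, the list should name exactly the types the application expects, and a rejection should be logged as a security event rather than silently swallowed.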

According to Adobe’s Security Bulletin, the hotfixes apply to Update 3 and earlier versions of ColdFusion’s 2016 release, Update 11 and earlier versions of ColdFusion 11, and Update 22 of ColdFusion 10. The company is encouraging customers to update ColdFusion, apply the requisite security configuration settings, and review Lockdown guides specific to their installation.

It’s the first security update for ColdFusion since last December when Adobe patched a vulnerability in the software that could have led to information disclosure.

While it’s not patched nearly as often as Flash or Reader, vulnerabilities in ColdFusion shouldn’t be overlooked. A group of hackers used a series of ColdFusion exploits to bypass authentication schemes in the software to hack companies in 2013. Cloud hosting company Linode revealed in April that year that it had been breached via a ColdFusion zero day. Attackers made off with the company’s database, source code, and customers’ encrypted credit card numbers and passwords.

The ColdFusion update is the second that Adobe has pushed out this month. The company patched nearly 60 vulnerabilities, including a host of code execution bugs – some dug up at this year’s Pwn2Own – across five products two weeks ago. Flash Player, Acrobat/Reader, Photoshop, Adobe Campaign, and the company’s Creative Cloud App all received updates as part of the regularly scheduled update.