Adobe fixed three serious vulnerabilities in ColdFusion

Adobe has fixed three serious vulnerabilities in the ColdFusion rapid development platform. Two of the bugs are rated critical: they allow remote code execution and the bypass of access control mechanisms.

The remaining vulnerability is rated important and could lead to unauthorized disclosure of information.

The flaws affect both current versions of the product and are fixed in ColdFusion 2018 Update 5 and ColdFusion 2016 Update 12. According to experts, the biggest threat is the bug registered as CVE-2019-8073.

“The error is related to the possibility of introducing third-party commands into vulnerable modules of the platform, which allows the cybercriminal to launch a malicious script on the target machine,” Adobe reported.

Adobe thanked Badcode of the Knownsec 404 information security team for assistance in detecting this vulnerability.


Another critical error in ColdFusion, CVE-2019-8073, was found by Daniel Underhay, an expert at Aura Information Security. The vulnerability allows bypassing the platform's access control mechanisms and taking control of the system. According to the developer, specialists from Techlegalia and Foundeo assisted in the study of this problem.

The CVE-2019-8072 vulnerability, identified by IS analyst Pete Freitag, is slightly less dangerous. The bug allows bypassing ColdFusion protection mechanisms, which leads to unauthorized disclosure of confidential data.

The vendor recommends that owners of vulnerable systems install the updates as soon as possible; updated versions of both platform editions are available on the Adobe website. For security reasons, the developer has not yet disclosed the technical details of the identified flaws.

“The security updates referenced in the above Tech Notes require JDK 8u121 or higher (for ColdFusion 2016). Adobe recommends updating ColdFusion JDK / JRE to the latest version. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server,” Adobe experts comment.
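Because the ColdFusion update is only effective on a sufficiently new JDK, a quick post-patch check is to verify the version of the JVM that actually runs ColdFusion. The following script is an added example, not code from Adobe or from the article; it parses the banner printed by `java -version` (both the legacy `1.8.0_121` scheme and the newer `11.0.2` scheme) and compares it against the 8u121 minimum quoted above. It assumes that the `java` binary you point it at is the one ColdFusion uses (by default it runs whatever is on PATH; in practice you would pass the `java.home` configured in ColdFusion's `jvm.config`, which is an assumption about your deployment).

```python
import re
import subprocess

# Minimum JDK named in the Adobe statement quoted above (8u121 for ColdFusion 2016).
MIN_JAVA = (8, 121)


def parse_java_version(banner):
    """Return (major, update) from the first line of `java -version` output.

    Legacy scheme:  java version "1.8.0_121"        -> (8, 121)
    Newer scheme:   openjdk version "11.0.2" ...    -> (11, 2)
    """
    m = re.search(r'version "([^"]+)"', banner)
    if not m:
        raise ValueError("no version string found in: %r" % banner)
    ver = m.group(1)
    legacy = re.match(r"1\.(\d+)\.\d+_(\d+)", ver)
    if legacy:
        return int(legacy.group(1)), int(legacy.group(2))
    parts = ver.split(".")
    major = int(re.match(r"\d+", parts[0]).group(0))
    update = int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else 0
    return major, update


def meets_minimum(version, minimum=MIN_JAVA):
    """True when (major, update) is at least the required JDK level."""
    return tuple(version) >= tuple(minimum)


def check_installed_java(java_bin="java"):
    """Run the given JVM and report whether it satisfies the minimum.

    java_bin defaults to the `java` on PATH; pass the full path of the JVM
    from ColdFusion's jvm.config (assumed deployment detail) to check the
    one the server really uses.
    """
    out = subprocess.run([java_bin, "-version"], capture_output=True, text=True)
    # java prints its version banner to stderr, not stdout
    return meets_minimum(parse_java_version(out.stderr or out.stdout))


if __name__ == "__main__":
    print("JDK meets 8u121 minimum:", check_installed_java())
```

`parse_java_version` and `meets_minimum` are separated from the subprocess call so the version logic can be exercised on captured banners without a JVM present; `check_installed_java` is the piece you run on the server after applying the ColdFusion update.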

In early March, Adobe released a patch for a critical bug related to the ability to execute third-party code in the ColdFusion environment. According to experts, an attacker could upload a malicious script into one of the directories on the platform server and remotely run it using an HTTP request.

William Reddy
