Adobe has fixed three serious vulnerabilities in the ColdFusion rapid development platform. Two of the bugs are rated critical and allow remote code execution and the bypass of access control mechanisms. The remaining vulnerability is rated important and concerns the possibility of unauthorized information disclosure.
The problems affect both current versions of the product and are fixed in the ColdFusion 2018 Update 5 and ColdFusion 2016 Update 12 releases. According to experts, the biggest threat is the bug registered as CVE-2019-8073.
“The error is related to the possibility of introducing third-party commands into vulnerable modules of the platform, which allows the cybercriminal to launch a malicious script on the target machine,” Adobe reported.
Adobe thanked Badcode of the Knownsec 404 information security team for assistance in detecting this vulnerability.
Another critical error in ColdFusion, CVE-2019-8073, was found by Daniel Underhay, an expert at Aura Information Security. The vulnerability allows an attacker to bypass the platform's access control mechanisms and take control of the system. According to the developer, specialists from Techlegalia and Foundeo assisted in the study of this problem.
The CVE-2019-8072 vulnerability, identified by information security analyst Pete Freitag, is slightly less dangerous. The bug involves bypassing ColdFusion protection mechanisms, which leads to unauthorized disclosure of confidential data.
The vendor recommends that owners of vulnerable systems install the updates as soon as possible; updated versions of both platform editions are available on the Adobe website. For security reasons, the developer has not yet disclosed the technical details of the identified deficiencies.
“The security updates referenced in the above Tech Notes require JDK 8u121 or higher (for ColdFusion 2016). Adobe recommends updating ColdFusion JDK / JRE to the latest version. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server,” Adobe experts commented.