Naked Security

Update now! Critical Adobe ColdFusion flaw now being exploited

Adobe has issued an urgent out-of-band patch for a critical flaw in the ColdFusion web development platform it says is being exploited in the wild.

The company’s APSB19-14 bulletin is light on detail but describes the issue as a “file upload restriction bypass” affecting ColdFusion 2018 Update 2 and earlier, ColdFusion 2016 Update 9 and earlier, and ColdFusion 11 Update 17 and earlier:

This attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request.  Restricting requests to directories where uploaded files are stored will mitigate this attack.

Who’s affected?

According to a blog post by Charlie Arehart, one of the researchers Adobe credits with reporting the issue, updating should be a particular priority for ColdFusion servers that accept file uploads into a web-accessible folder, do so through CFML (ColdFusion Markup Language) code, and do not reject files with server-executable extensions. Where all three hold, an attacker who gets a script past the upload check can simply request it over HTTP and have the server run it.

Wrote Arehart:

I also know what was done specifically to perpetrate the attack, and the very negative consequences of what happened once the server of a client of mine was attacked. You don’t want this to happen to you.
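The three conditions above, together with Adobe’s advice to restrict requests to the directory where uploads are stored, amount to a small set of checks that any upload handler should make. The Python below is an added example written for this page; it is not ColdFusion code and not Adobe’s mitigation as shipped. The list of server-executable extensions, the image/document allowlist, the `/uploads/` URL prefix and the temporary directory layout are assumptions for the demonstration. It shows why a naive blocklist fails (a case variant or a forgotten extension gets through), how an allowlist plus a server-chosen file name outside the web root removes the problem, how the web-tier rule Adobe describes should normalise the request path before testing it, and an audit pass that finds executable files already sitting in an upload tree.

```python
"""Added example: upload checks for the conditions the article describes.
Not ColdFusion code and not Adobe's shipped mitigation; the extension list,
the /uploads/ URL prefix and the directory layout are assumptions."""
from __future__ import annotations

import os
import secrets
import tempfile
from pathlib import Path, PurePosixPath

# Extensions the ColdFusion server (or the servlet container under it) will
# execute when fetched over HTTP.  Assumed list; extend it for your deployment.
SERVER_EXECUTABLE = {"cfm", "cfml", "cfc", "cfr", "jsp", "jspx"}

# Allowlist for a hypothetical image/document upload form.
ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf"}


def naive_blocklist_rejects(filename: str) -> bool:
    """The kind of check that gets bypassed: it compares the raw name, so a
    case variant (SHELL.CFM) or an extension it forgot (.cfml) slips through
    even though a case-insensitive handler mapping will execute both."""
    return any(filename.endswith("." + ext) for ext in ("cfm", "cfc", "jsp"))


def extension_of(filename: str) -> str:
    """Last extension, lower-cased, taken from the bare file name so that
    path components sent by the client ('../../wwwroot/x.cfm') are ignored."""
    base = PurePosixPath(filename.replace("\\", "/")).name
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def allowlist_accepts(filename: str) -> bool:
    """Accept only a known-good extension; anything else, including every
    server-executable extension and a missing extension, is rejected."""
    ext = extension_of(filename)
    return ext in ALLOWED and ext not in SERVER_EXECUTABLE


def store_upload(filename: str, data: bytes, upload_root: Path) -> Path:
    """Write the file under a server-chosen random name in a directory that
    is not under the web root.  The client's name only contributes its
    allowlisted extension, so nothing the client controls decides what the
    web server will do with the file later."""
    if not allowlist_accepts(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    dest = upload_root / f"{secrets.token_hex(16)}.{extension_of(filename)}"
    dest.write_bytes(data)
    return dest


def request_is_allowed(url_path: str, upload_prefix: str = "/uploads/") -> bool:
    """Web-tier rule behind Adobe's advice to restrict requests to the
    directory where uploads are stored: refuse any request that resolves
    into it.  Collapse '..' segments and ignore case so that
    '/static/../uploads/x.cfm' or '/UPLOADS/x.cfm' cannot sidestep the test.
    Assumes url_path is already percent-decoded, as a server handler sees it."""
    norm = os.path.normpath("/" + url_path.lstrip("/")).replace("\\", "/").lower()
    prefix = upload_prefix.rstrip("/").lower()
    return not (norm == prefix or norm.startswith(prefix + "/"))


def find_executable_uploads(upload_root: Path) -> list[Path]:
    """Audit check for an existing deployment: list files already sitting in
    an upload tree whose extension the server would execute."""
    return sorted(
        p for p in upload_root.rglob("*")
        if p.is_file() and extension_of(p.name) in SERVER_EXECUTABLE
    )


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample tree: one legitimate image, two planted scripts.
        (root / "sub").mkdir()
        (root / "photo.png").write_bytes(b"\x89PNG")
        (root / "SHELL.CFM").write_text("<cfoutput>#now()#</cfoutput>")
        (root / "sub" / "x.jsp").write_text("<%= 1 %>")
        print("executable files in upload tree:", find_executable_uploads(root))
        for name in ("photo.JPG", "SHELL.CFM", "shell.jpg.cfm", "../../wwwroot/shell.cfm"):
            print(f"{name!r:28} blocklist rejects={naive_blocklist_rejects(name)!s:5} "
                  f"allowlist accepts={allowlist_accepts(name)}")
        print("stored as", store_upload("photo.JPG", b"\x89PNG", root).name)
        for path in ("/index.cfm", "/uploads/x.cfm", "/static/../uploads/x.cfm", "/UPLOADS/x.cfm"):
            print(f"{path:28} served={request_is_allowed(path)}")
```

The allowlist check and the stored-name rule are what make the upload inert even when the web tier rule is forgotten; the web tier rule is what protects a server whose existing CFML upload code cannot be changed quickly, which is the situation Adobe’s bulletin addresses. Run the audit function against every directory your upload code writes to, not only the one you remember configuring.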

Cybercriminals have a history of developing exploits for the platform, aware perhaps that not all admins get around to patching it as quickly as they should.

A salient example was last September’s update, APSB18-33, which fixed critical flaws including CVE-2018-15961; an APT group reportedly exploited that flaw against servers whose owners had been slow to apply the patch.

In 2014, another vulnerability was exploited to hack websites belonging to car company Citroen.

What to do

The flaw is tracked as CVE-2019-7816. The fix is to update to ColdFusion 2018 Update 3, ColdFusion 2016 Update 10 or ColdFusion 11 Update 18 through the product’s server update feature in the ColdFusion Administrator.

Adobe last updated ColdFusion on 12 February and, if further fixes are in the pipeline, should do so again on Patch Tuesday, 12 March.

7 Comments

John, thanks for the info.

That said, I would question your last point, that “Adobe recently updated ColdFusion on 12 February and will do so again on 12 March as part of the Patch Tuesday schedule.” Adobe doesn’t follow a “patch Tuesday schedule” for CF. Sometimes there can be a couple of months between updates. In a case like this one, it was indeed released as an emergency update. Hope that may help some readers.

Reply

Fair point – I meant that they follow a PT schedule where patches are available. As you say, that’s not every month. Tweaked.

Reply

Mark and verdon, I understand the derision. It seems to be a sport for some, when they hear of CF.

Yes, it’s still in use. By tens of thousands of organizations. (A google search of filetype:cfm shows over 183 million results–and that’s not counting those who use URLs that do not reference the file extension, nor those used in sites not publicly available.)

And it’s been updated every two years, most recently CF2018, with CF2020 in the works. So really, it’s not “dead”, despite what many in IT may say.

And sure, I realize some will chide those using it. Everyone has their favorites, or their long-held reasons against something. Often, it reflects really old info. I see it whenever the subject of debating CF’s vitality comes up.

To Mark’s quip about tags, for instance, you have been able to write cfscript (which looks like any scripting language) for over a decade, and since 2014 you could write templates entirely in it (no tags at all, if you prefer).

And before one may use this vuln as a case in point about its “poor security”, I’ll note that before this one, it hasn’t had a zero day since 2012, which is saying something.

Of course I could offer a retort to many contentions, as I am in this space. I won’t belabor the point, and I hope this won’t become a place where we have to have the debate again. (It’s been done to death many times elsewhere.)

I’m just saying that those who want to declare it dead, or its users brain-dead, please just think twice before spreading the same old tired jokes and misinformation.

Hope that’s helpful to some readers.

Reply

@carehart, I honestly had no idea it was still in active development. I enjoyed working with it for a couple projects a decade or so ago. It hasn’t crossed my radar in a while. No offence was meant :-)

Reply

Allowing file uploads to a web accessible directory should be a big “NO” in any language, and No, Cold Fusion is far from dead and there are several thriving alternatives if you google “cfml alternatives”.

Reply
