Adobe has rushed out fixes for three vulnerabilities in its ColdFusion web development platform, two of which have been given the top billing of ‘critical’.
The flaws affect ColdFusion 2018 version 4 and earlier, and ColdFusion 2016 version 11 and earlier.
The first critical flaw is CVE-2019-8073, and is described as allowing “command injection via vulnerable component” leading to arbitrary code execution (ACE).
The second critical flaw is CVE-2019-8074, a path traversal vulnerability allowing an access control bypass.
The final vulnerability, rated ‘important’, is CVE-2019-8072, a security bypass leading to information disclosure.
Because this is an ‘out of band’ update – a polite way of saying it’s unexpected and urgent – Adobe offers only placeholder descriptions of their nature.
The solution is to look for ColdFusion 2018, update 5 (build 2018,0,05,315699), and ColdFusion 2016, Update 12 (build 2016,0,12,315717).
All three are credited to external researchers (in the order the vulnerabilities are listed above): ‘Badcode’ of the Knownsec 404 Team, Daniel Underhay of Aura Information Security, and Pete Freitag / Foundeo Inc.
Emergency fixes for ColdFusion products aren’t that common, although the platform did receive one in March which, on that occasion, addressed a flaw that was being exploited in the wild.
While there’s no indication that’s happening with the latest flaws, they still deserve urgent attention.
Adobe’s next scheduled update (which may or may not contain new ColdFusion fixes) is due with Windows’ October Patch Tuesday on 8 October.
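For administrators verifying the rollout, here is an added example (not from the article or from Adobe) that compares a server's reported ColdFusion build string against the two fixed builds quoted above; the hostnames and the pre-patch build numbers in the sample inventory are constructed for illustration.

```python
"""Classify ColdFusion servers as patched/vulnerable against the fixed builds
quoted in the article (2018 update 5 = 2018,0,05,315699; 2016 update 12 = 2016,0,12,315717).
Added example, not Adobe's tooling."""
from typing import Dict, List, Optional, Tuple

# Fixed builds as stated in the article, keyed by major version (branch)
FIXED_BUILDS = {
    2018: (2018, 0, 5, 315699),
    2016: (2016, 0, 12, 315717),
}


def parse_build(build: str) -> Tuple[int, ...]:
    """Parse a build string such as '2018,0,05,315699' (comma- or dot-separated) into ints."""
    parts = build.strip().replace(".", ",").split(",")
    if len(parts) != 4:
        raise ValueError(f"unexpected ColdFusion build format: {build!r}")
    return tuple(int(p) for p in parts)


def is_patched(build: str) -> Optional[bool]:
    """True if the build is at or after the fixed build for its branch, False if earlier,
    None if the branch (major version) is not one of the two the bulletin covers."""
    parsed = parse_build(build)
    fixed = FIXED_BUILDS.get(parsed[0])
    if fixed is None:
        return None
    return parsed >= fixed  # tuple comparison is lexicographic, element by element


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort a {host: build} inventory into patched, vulnerable and unknown host lists."""
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, build in inventory.items():
        status = is_patched(build)
        bucket = "unknown" if status is None else ("patched" if status else "vulnerable")
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed inventory: hostnames and the older build numbers are made up
    sample = {
        "cf-web-01": "2018,0,05,315699",  # fixed build from the bulletin
        "cf-web-02": "2018,0,04,314546",  # hypothetical update 4 build: still vulnerable
        "cf-legacy": "2016,0,11,314546",  # hypothetical update 11 build: still vulnerable
        "cf-old":    "11,0,19,314546",    # ColdFusion 11: not covered by this bulletin
    }
    print(triage(sample))
```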
SL
Unfortunately the patch may break other things – especially nested outputs and loops. Make sure to read the comments at the bottom of the patch download page.