Adobe issues emergency patch for critical ColdFusion vulnerabilities

Users are being urged to update their builds to resolve three serious security flaws

Adobe has released an out-of-band patch to quickly resolve a trio of security vulnerabilities in ColdFusion, two of which are deemed critical.

Adobe said in a security advisory that ColdFusion 2016 and 2018 on all platforms are affected.

The web application development platform’s emergency patch, released on Tuesday (September 24), addresses potential malicious code execution, access control bypass, and data leaks.

The first vulnerability, and arguably the most dangerous, is CVE-2019-8073. The critical security flaw is a command injection weakness stemming from a “vulnerable component” that permits attackers to execute arbitrary code.

Adobe has also resolved CVE-2019-8074, described as a critical path traversal vulnerability. The exploitation of this security issue can lead to an access control bypass, which in turn may lead to code execution.

The third vulnerability resolved in the update is being tracked as CVE-2019-8072. Classified as a security bypass problem, if exploited by attackers, the flaw could be used for the purposes of information disclosure.

Adobe thanked cybersecurity researchers from Foundeo and Knownsec 404 for reporting the security issues.

ColdFusion users are urged to upgrade their software as soon as possible. ColdFusion 2016 users should accept Update 12, whereas ColdFusion 2018 users should upgrade to Update 5.

Patch bonanza

The ColdFusion fixes come hot on the heels of Microsoft’s own out-of-band emergency patch release this week, which resolves two critical security vulnerabilities.

The first bug, CVE-2019-1367, is a remote code execution (RCE) vulnerability in Internet Explorer.

Malicious websites can be used as the attack vector to trigger the flaw, leading to memory corruption, privilege escalation to the level of the current user, and arbitrary code execution.

The second vulnerability, CVE-2019-1255, is a denial-of-service (DoS) flaw in the antivirus service Microsoft Defender, caused by improper file handling.

According to Microsoft, “an attacker could exploit the vulnerability to prevent legitimate accounts from executing legitimate system binaries”.

This security issue is not as important as the first, given that attackers need access to a system and the ability to execute code to leverage the vulnerability.

YOU MIGHT ALSO LIKE OWASP reveals top 10 security threats facing API ecosystem