Adobe released security updates for three vulnerabilities in ColdFusion. Two vulnerabilities are rated critical for arbitrary code execution and one is rated important for information disclosure. Adobe ColdFusion is a rapid development platform used for building modern web applications.
As per the advisory, the vulnerabilities are outlined as follows:
- CVE-2019-8072 : An information disclosure vulnerability which allows an attacker to bypass security restrictions.
- CVE-2019-8073 : An arbitrary code execution vulnerability which can be triggered using command injection via a vulnerable component.
- CVE-2019-8074 : A path traversal vulnerability which allows an attacker to bypass access controls.
The critical vulnerabilities (CVE-2019-8073 and CVE-2019-8074) allow an attacker to execute arbitrary code and bypass access controls. In some cases, it is also possible for an attacker to take complete control of the server. The other information disclosure vulnerability CVE-2019-8072 is rated important and allows an attacker to bypass security restrictions. However, there are no known instances of exploitation of these vulnerabilities by malwares or threat groups.
Adobe has released updates to fix these vulnerabilities. It is also important to note that the server continues to be vulnerable when Adobe ColdFusion update is installed without a corresponding JDK. Adobe recommends updating the ColdFusion JDK/JRE to the latest version.
- Adobe ColdFusion 2018 Update 4 and earlier versions.
- Adobe ColdFusion 2016 Update 11 and earlier versions.
Successful exploitation will allows an attackers to execute arbitrary code and leak sensitive information.
Update to Adobe ColdFusion 2018 Update 5 or ColdFusion 2016 Update 12.