Critical Code Execution Vulnerability in Adobe ColdFusion

Adobe has released a critical security update for Adobe ColdFusion with a priority rating of 2. The vulnerability affects ColdFusion versions 2016, 2018, and 2021 and can lead to arbitrary code execution. A patch management tool can help mitigate these vulnerabilities.

The advisory published outlined the following information about the vulnerability:

  • CVE-2021-21087: An Improper Input Validation vulnerability that allows an attacker to cause arbitrary code execution.

This critical vulnerability stems from improper input validation: the affected product fails to properly validate user-supplied input, which can alter the control flow of the program and, as a result, allow an attacker to execute arbitrary code. There are no known instances of this vulnerability being exploited by malware or threat groups. Nonetheless, proper vulnerability management software is required to keep affected systems patched.

Complete patching of the Adobe ColdFusion vulnerability

It is important to note that applying the ColdFusion update alone is not sufficient to secure the servers. Users should also update their JDK/JRE to the latest LTS release of 1.8 (JDK/JRE 8) or JDK 11, as applicable. The tech notes linked from the advisory have more details on applying these patches.

Product          Updated Version  Platform  Priority rating  Availability
ColdFusion 2016  Update 17        All       2                Tech note
ColdFusion 2018  Update 11        All       2                Tech note
ColdFusion 2021  Update 1         All       2                Tech note

Affected products

  • Adobe ColdFusion 2016 Update 16 and earlier versions.
  • Adobe ColdFusion 2018 Update 10 and earlier versions.
  • Adobe ColdFusion 2021 Version 2021.0.0.323925.

Impact

Successful exploitation allows attackers to execute arbitrary code.


Solution

Update to Adobe ColdFusion 2016 Update 17, ColdFusion 2018 Update 11 or ColdFusion 2021 Update 1 and apply a corresponding JDK/JRE update.
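The two checks the advisory asks for (ColdFusion at the fixed update level for its family, and the JDK/JRE on a supported LTS line) are easy to get half right, so here is a small compliance check that combines them. This is an added example, not code from the advisory or from Adobe: it assumes the ColdFusion product version string has the form `family,minor,update,build` (dots accepted as separators too) and parses the first line of `java -version` output; the build numbers in the sample inputs are constructed, and because the advisory names no exact JDK point release, only the major line (8 or 11) is checked.

```python
"""Compliance check for CVE-2021-21087 remediation (added example, not vendor code)."""
import re

# Fixed update levels from Adobe's advisory table.
FIXED_UPDATE = {2016: 17, 2018: 11, 2021: 1}

# The advisory requires a current LTS JDK/JRE on line 8 or 11; it does not
# name a point release, so only the major line is checked here (assumption).
SUPPORTED_JDK_LINES = {8, 11}


def parse_cf_version(version: str) -> tuple[int, int]:
    """Return (family, update) from a ColdFusion product version string.

    Assumed format: 'family,minor,update,build' (e.g. '2018,0,10,<build>');
    dots are accepted as separators, matching the '2021.0.0.323925' form.
    """
    parts = re.split(r"[.,]", version.strip())
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised ColdFusion version: {version!r}")
    return int(parts[0]), int(parts[2])


def cf_is_patched(family: int, update: int) -> bool:
    """True when the install is at or above the fixed update for its family."""
    if family not in FIXED_UPDATE:
        raise ValueError(f"ColdFusion {family} is not covered by this advisory")
    return update >= FIXED_UPDATE[family]


def jdk_line(version_line: str) -> int:
    """Extract the JDK major line from the first line of `java -version`.

    Legacy numbering '1.8.0_292' maps to 8; '11.0.11' -> 11; '17.0.1' -> 17.
    """
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_line)
    if not m:
        raise ValueError(f"unrecognised java version line: {version_line!r}")
    major, minor = int(m.group(1)), m.group(2)
    return int(minor) if major == 1 and minor else major


def assess(cf_version: str, java_version_line: str) -> dict:
    """Combine both advisory checks; 'compliant' is True only if both pass."""
    family, update = parse_cf_version(cf_version)
    line = jdk_line(java_version_line)
    patched = cf_is_patched(family, update)
    jdk_ok = line in SUPPORTED_JDK_LINES
    return {
        "coldfusion": f"{family} Update {update}",
        "cf_patched": patched,
        "jdk_line": line,
        "jdk_line_supported": jdk_ok,
        "compliant": patched and jdk_ok,
    }


if __name__ == "__main__":
    # Constructed sample inputs (build numbers are placeholders, not real builds).
    samples = [
        ("2018,0,10,0", 'openjdk version "1.8.0_292"'),            # CF unpatched
        ("2018,0,11,0", 'openjdk version "11.0.11" 2021-04-20'),   # compliant
        ("2021.0.0.323925", 'openjdk version "17.0.1" 2021-10-19'),  # both fail
    ]
    for cf, java in samples:
        print(assess(cf, java))
```

The version string would normally come from the server's own product version variable and the JDK line from `java -version` run as the ColdFusion service account, so the check reflects the JVM ColdFusion actually uses rather than whatever `java` is first on an administrator's PATH.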


Adobe has released the patch for the vulnerability, and it is recommended that affected systems be patched as soon as possible. SanerNow can detect these vulnerabilities.