Adobe has released a critical security update that impacted Adobe ColdFusion and is assigned with a priority rating of 2. The Adobe Coldfusion Exploit found in the product affects ColdFusion versions 2016, 2018, and 2021 that would lead to arbitrary code execution.
- CVE-2021-21087: An Improper Input Validation vulnerability that allows an attacker to cause arbitrary code execution.
This critical vulnerability stems from an improper input validation which means the affected product failed to properly validate the input provided by the user, which would affect the control flow of the program. As a result, this would allow an attacker to execute arbitrary code. However, there are no known instances of exploitation of this vulnerability by malware or threat groups.
Complete patching of CVE-2021-21087
It is important to note that applying the ColdFusion update is not sufficient to secure the servers. Users should also update their JDK/JRE to the latest version of the LTS releases for 1.8 (JDK/JRE 8) and JDK 11 correspondingly. The technotes found in the advisory have more details on applying these patches.
|Product||Updated Version||Platform||Priority rating||Availability|
|ColdFusion 2016||Update 17||All||2||Tech note|
|ColdFusion 2018||Update 11||All||2||Tech note|
|ColdFusion 2021||Update 1||All||2||Tech note|
Affected products in Adobe Coldfusion Exploit
- Adobe ColdFusion 2016 Update 16 and earlier versions.
- Adobe ColdFusion 2018 Update 10 and earlier versions.
- Adobe ColdFusion 2021 Version 2021.0.0.323925.
Successful exploitation allows attackers to execute arbitrary code.
Update to Adobe ColdFusion 2016 Update 17, ColdFusion 2018 Update 11 or ColdFusion 2021 Update 1 and apply a corresponding JDK/JRE update.