Adobe released security updates for three vulnerabilities in ColdFusion. Two vulnerabilities rated critical for arbitrary code execution and one rated important for information disclosure. This is done by using a vulnerability management tool. Adobe ColdFusion is a rapid development platform used for building modern web applications.
As per the advisory, the vulnerabilities outlined as follows:
- CVE-2019-8072 : An information disclosure vulnerability which allows an attacker to bypass security restrictions.
- CVE-2019-8073 : An arbitrary code execution vulnerability which triggered using command injection via a vulnerable component.
- CVE-2019-8074 : A path traversal vulnerability which allows an attacker to bypass access controls.
The critical vulnerabilities (CVE-2019-8073 and CVE-2019-8074) allow an attacker to execute arbitrary code and bypass access controls. In some cases, it is also possible for an attacker to take complete control of the server. The other information disclosure vulnerability CVE-2019-8072 rated important and allows an attacker to bypass security restrictions. However, there are no known instances of exploitation of these vulnerabilities by malwares or threat groups. A patch management solution can patch these vulnerabilities.
Adobe has released updates to fix these vulnerabilities. It is also important to note that the server continues to be vulnerable when this update installs without a corresponding JDK. Adobe recommends updating the ColdFusion JDK/JRE to the latest version.
Affected products
- Adobe ColdFusion 2018 Update 4 and earlier versions.
- Adobe ColdFusion 2016 Update 11 and earlier versions.
Impact
Successful exploitation will allows an attackers to execute arbitrary code and leak sensitive information.
Solution
Update to Adobe ColdFusion 2018 Update 5 or ColdFusion 2016 Update 12.