Adobe has released an update to clean up a trio of vulnerabilities in ColdFusion, its long-running web application platform.
The security update addresses three CVE-listed vulnerabilities discovered in both ColdFusion 2016 and ColdFusion 2018. Two of the bugs open up the software to critical remote code execution risks, while the third flaw allows less serious information disclosure.
The first of the critical bugs has been assigned CVE-2019-8073. The flaw is described as a command injection issue that would allow an attacker to execute arbitrary code on the vulnerable system. Discovery of the flaw was credited to Badcode of bug-hunting crew Knownsec 404 Team.
The second critical bug, CVE-2019-8074, is a path traversal vulnerability: an attacker who can escape the intended directory boundary bypasses the platform's access controls, and Adobe rates the resulting impact as arbitrary code execution. It was discovered and reported to Adobe by Daniel Underhay of Aura Information Security. Ben Reid of Techlegalia Pty. and Pete Freitag of Foundeo were also credited with helping to report the vulnerability.
The third flaw, CVE-2019-8072, is a security bypass whose impact Adobe classifies as information disclosure. Because it would not on its own allow arbitrary code execution, it is not rated critical, but an access-control bypass is exactly the kind of bug that gets chained with others, so patching it promptly is a very good idea. Discovery was credited to Pete Freitag of Foundeo.
Those running ColdFusion 2018 should install Update 5, while those on ColdFusion 2016 should install Update 12, and should also make sure they are on JDK 8u121 or higher. For both versions, Adobe recommends that admins update the JDK/JRE used by ColdFusion to the latest release as well; applying the ColdFusion update alone is not enough for the fixes to be effective.
Adobe's next scheduled update is set to take place on October 8, when it will join Microsoft and SAP in dropping the monthly Patch Tuesday security update. ®