ALERT: Update Adobe ColdFusion for vulnerability

Monday, March 4, 2019

This information was sent to U-M IT staff groups on March 4, 2019. It is intended for U-M IT staff who are responsible for university computers running the Adobe ColdFusion web application development platform.

Summary

A critical vulnerability has been discovered in Adobe ColdFusion (a web application development platform) that could allow for arbitrary code execution. The vulnerability has been exploited in the wild. Install the updates provided by Adobe immediately after appropriate testing.

Problem

Successful exploitation of this vulnerability could result in an attacker executing arbitrary code in the context of the affected application. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Affected Versions

  • ColdFusion 2018 (Update 2 and earlier versions)
  • ColdFusion 2016 (Update 9 and earlier versions)
  • ColdFusion 11 (Update 17 and earlier versions)

Action Items

Threats

Adobe is aware of a report that the vulnerability has been exploited in the wild.

Technical Details

The vulnerability is a file upload restriction bypass that could allow arbitrary code execution (CVE-2019-7816). The attack would require the ability to upload executable code to a web-accessible directory and then execute that code via an HTTP request. Restricting requests to directories where uploaded files are stored will mitigate this attack.
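
To check whether the restriction above is effective on a server, the following added example (not part of the original alert and not Adobe's code) scans web access log lines for requests that reach server-executable files under upload directories. The upload directory names, the extension list, the combined log format and the sample log lines are all assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumptions (not from the alert): where uploads are stored, and which extensions the server executes.
UPLOAD_PREFIXES = ("/uploads/", "/userfiles/")
EXECUTABLE_EXTS = (".cfm", ".cfml", ".cfc", ".jsp")

# Method, request target and status from a combined-format access log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Mar/2019:10:00:01 -0500] "GET /index.cfm HTTP/1.1" 200 5120',
    '192.0.2.10 - - [04/Mar/2019:10:00:02 -0500] "GET /uploads/report.pdf HTTP/1.1" 200 88211',
    '198.51.100.7 - - [04/Mar/2019:10:00:03 -0500] "GET /uploads/a.cfm HTTP/1.1" 200 312',
    '198.51.100.7 - - [04/Mar/2019:10:00:04 -0500] "POST /Uploads/%61.CFM?x=1 HTTP/1.1" 403 199',
    '198.51.100.7 - - [04/Mar/2019:10:00:05 -0500] "GET /static/../userfiles/b.jsp;v=1 HTTP/1.1" 200 40',
]

def normalized_path(target):
    """Reduce a request target to a decoded, lower-cased, dot-free path."""
    path = unquote(target.split("?", 1)[0])
    # Drop per-segment path parameters such as ";v=1".
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # Collapse leading slashes and resolve "." and ".." segments.
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def is_suspicious(target):
    """True when the target names an executable file inside an upload directory."""
    path = normalized_path(target)
    if not path.startswith(UPLOAD_PREFIXES):
        return False
    # Check every segment so trailing path info after the script name is still caught.
    return any(seg.endswith(EXECUTABLE_EXTS) for seg in path.split("/"))

def flag_requests(lines):
    """Return (method, raw target, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and is_suspicious(m["target"]):
            hits.append((m["method"], m["target"], int(m["status"])))
    return hits

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

A flagged request with a 200 status means the server served a script from an upload directory, so the restriction is not in place for that path; a 403 or 404 indicates the request was refused.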