Update Adobe ColdFusion for vulnerability
This information was sent to U-M IT staff groups on March 4, 2019. It is intended for U-M IT staff who are responsible for university computers running the Adobe ColdFusion web application development platform.
Summary
A critical vulnerability has been discovered in Adobe ColdFusion (a web application development platform) that could allow for arbitrary code execution. The vulnerability has been exploited in the wild. Install the updates provided by Adobe immediately after appropriate testing.
Problem
Successful exploitation of this vulnerability could result in an attacker executing arbitrary code in the context of the affected application. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Threats
Adobe is aware of a report that the vulnerability has been exploited in the wild.
Affected Versions
- ColdFusion 2018 (Update 2 and earlier versions)
- ColdFusion 2016 (Update 9 and earlier versions)
- ColdFusion 11 (Update 17 and earlier versions)
Action Items
- Install the updates provided by Adobe immediately after appropriate testing. See Adobe Security bulletin: Security updates available for ColdFusion | APSB19-14 for links and details.
Technical Details
The vulnerability is a file upload restriction bypass that could lead to arbitrary code execution (CVE-2019-7816). The attack would require the ability to upload executable code to a web-accessible directory and then execute that code via an HTTP request. Restricting requests to directories where uploaded files are stored will mitigate this attack.
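To check whether the second step described above (an HTTP request for executable code inside an upload directory) has occurred, web server access logs can be reviewed. The following is an added example, not part of the original notice or of Adobe's bulletin; the upload directory names, the list of executable extensions, and the sample log lines are assumptions to be replaced with the site's own values.

```python
import re
from urllib.parse import unquote

# Assumptions, not from the advisory: adjust to the site's real upload
# locations and to the extensions its application server will execute.
UPLOAD_PREFIXES = ("/uploads/", "/userfiles/")
EXECUTABLE_EXTS = (".cfm", ".cfml", ".cfc", ".jsp")

# Common/combined log format: client ... "METHOD target PROTOCOL" status
REQUEST_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) [^"]*" (\d{3})')

def normalize(target):
    """Return the lower-cased path with encoding, dot segments and ;params resolved."""
    path = unquote(target.split("?", 1)[0]).replace("\\", "/").lower()
    parts = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]  # drop servlet-style path parameters
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)

def suspicious_requests(lines):
    """Return (client, method, path, status) for script requests under upload dirs."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        path = normalize(target)
        # A script extension on any segment counts, so trailing path info is covered.
        is_script = any(seg.endswith(EXECUTABLE_EXTS) for seg in path.split("/"))
        if path.startswith(UPLOAD_PREFIXES) and is_script:
            hits.append((client, method, path, int(status)))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Mar/2019:10:00:01 -0500] "GET /uploads/report.pdf HTTP/1.1" 200 5120',
    '198.51.100.7 - - [04/Mar/2019:10:00:05 -0500] "GET /uploads/avatar.cfm HTTP/1.1" 200 312',
    '198.51.100.7 - - [04/Mar/2019:10:00:09 -0500] "GET /app/../UserFiles/x/%74est.JSP;a=1?c=1 HTTP/1.1" 404 0',
    '192.0.2.10 - - [04/Mar/2019:10:00:12 -0500] "GET /index.cfm HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A hit with a 200 status means the server served or executed the file and warrants investigation; a 403 or 404 on such a path is what a working restriction on the upload directory produces.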
References
- Adobe Security bulletin: Security updates available for ColdFusion | APSB19-14 (Adobe, 3/1/19)
- CVE-2019-7816
- Adobe Patches ColdFusion Vulnerability Exploited in the Wild (Security Week, 3/1/19)
- Adobe Patches Critical ColdFusion Vulnerability With Active Exploit (Threat Post, 3/1/19)