Adobe has ColdFusion hotfix, could contain remote execution flaw


Summary: Adobe has issued a hotfix for a vulnerability that affects ColdFusion 10 and prior.


Adobe has released a hotfix for ColdFusion on Windows, Mac, and Unix-based systems.

The fix addresses an issue in ColdFusion 10, 9.0.2, 9.0.1, 9.0, 8.0.1, and 8.0 that could result in a denial-of-service (DoS) condition. It is not delivered as a conventional patch: administrators must follow Adobe's instructions for their specific version of ColdFusion and apply the mitigation by hand. (ColdFusion 10 also includes a hotfix installer in its administrator console that can apply such updates directly, as a commenter notes below; earlier releases do not.)

Adobe has rated the hotfix as important with a priority rating of 2, meaning there are no known exploits and none are expected imminently, so administrators need not apply the fix immediately but should do so within 30 days.

However, according to SecurityFocus' listing, the vulnerability may also allow arbitrary code execution, although this has not been confirmed. SecurityFocus is also not aware of any exploits in the wild targeting the vulnerability.

Adobe has credited UK ColdFusion and PHP web developer Dave Boyer for discovering the vulnerability.

Melbourne IT was recently breached via an older ColdFusion vulnerability, which allowed attackers to steal data belonging to Australian internet service provider (ISP) AAPT. Melbourne IT is already aware of the new hotfix and has scheduled it for deployment.


Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.


Talkback

3 comments
  • Another example of Adobe's excellent security quality

    Funny ... it is not Thursday ... for a change.

    Seriously, is any Adobe product secure ... or is Adobe on the take from malware creators?
    wackoae
    • That is almost funny. ADOBE & GOOGLE ARE ONE!

      GOOGLE USED "COLD FUSION" on my device with the download of Google+! The app is to monitor all your actions on the device and control what you can access, including personal phone calls! It tracks your activity 24/7! No outgoing contact in email, texts or phone calls! At times I had to fight to get to the main screen for help! I was stopped from getting to the other screen even when I pushed the call button! My contacts' info was invaded! That was my personal family! Trust Adobe? Not me!!
      Njersey
  • There is indeed a "patch", at least for CF 10

    In his news item above, the author asserts that "The fix is not available in a patch, meaning that administrators will need to follow Adobe's set of instructions for their specific version of ColdFusion and mitigate against the vulnerability manually."

    That is true for releases prior to ColdFusion 10, but in ColdFusion 10, an automated hotfix (or "patch") management system has been added, so that it is a simple one-click operation to apply hotfixes now, both security and regular hotfixes.

    I appreciate it may simply be that the author was not aware of the change in CF10. I'm just passing this along for his benefit and that of his readers. Thanks for sharing the news of the available security update.
    carehart