Adobe has ColdFusion hotfix, could contain remote execution flaw

Summary: Adobe has issued a hotfix for a vulnerability that affects ColdFusion 10 and prior.

Adobe has released a hotfix for ColdFusion for Windows, Macs, and Unix-based machines.

The fix addresses an issue in ColdFusion 10, 9.0.2, 9.0.1, 9.0, 8.0.1, and 8.0 that could result in a denial-of-service (DoS) condition. The fix is not available in a patch, meaning that administrators will need to follow Adobe's set of instructions for their specific version of ColdFusion and mitigate the vulnerability manually.

The hotfix has been rated as important and has a priority rating of 2, so administrators need not apply the fix immediately but should do so within 30 days.

However, according to Security Focus' listing, the vulnerability may also result in arbitrary code execution, although this claim has not been confirmed. Security Focus is also not aware of any exploits in the wild against the vulnerability.

Adobe has credited UK ColdFusion and PHP web developer Dave Boyer for discovering the vulnerability.

Melbourne IT was recently breached via an older ColdFusion vulnerability that allowed attackers to steal data belonging to Australian internet service provider (ISP) AAPT. Melbourne IT is already aware of the issue, and has scheduled the hotfix to be deployed.



A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
