Adobe has released out-of-band security updates to address a critical vulnerability affecting ColdFusion versions 2021, 2018, and 2016.
Today's emergency updates patch an arbitrary code execution security flaw caused by an Improper Input Validation software vulnerability.
Adobe released ColdFusion 2016 Update 17, ColdFusion 2018 Update 11, and ColdFusion 2021 Update 1 to patch the vulnerability and said that all versions earlier than these patches are vulnerable to attacks.
Updates to latest JDK also required to secure servers
In the security bulletin published today, Adobe tagged the vulnerability, tracked as CVE-2021-21087, with "priority rating 2," the rating assigned to flaws with no known exploits that affect products which have historically been at elevated risk.
Adobe recommends that administrators install the security updates as soon as possible and apply the security configuration settings outlined in the ColdFusion 2021, ColdFusion 2018, and ColdFusion 2016 lockdown guides.
"Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for 1.8 and JDK 11," the company also said.
"Applying the ColdFusion update without a corresponding JDK update will NOT secure the server."
More details on how to apply these updates are available in the relevant Tech Notes linked in the table below.

| Product | Vulnerable versions | Updated version | Platform | Availability |
| --- | --- | --- | --- | --- |
| ColdFusion 2016 | Update 16 and earlier versions | Update 17 | All | Tech note |
| ColdFusion 2018 | Update 10 and earlier versions | Update 11 | All | Tech note |
| ColdFusion 2021 | Version 2021.0.0.323925 | Update 1 | All | Tech note |
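Because Adobe states that the ColdFusion update alone does not secure a server unless the JDK/JRE is also on a current LTS build, a fleet check has to evaluate both the update level from the table above and the Java version. The script below is an added example written for this article, not Adobe's tooling. It assumes the third field of the ColdFusion product version is the update level (consistent with the bulletin's "2021.0.0.323925" for the unpatched 2021 release), and the minimum JDK builds in `MIN_JDK` are placeholders, since the bulletin names no numbers; set them from the current 1.8 and 11 LTS release notes before relying on the result. The sample inventory and its build numbers are constructed.

```python
"""Patch-state triage for ColdFusion hosts after the CVE-2021-21087 bulletin.

Added example, not Adobe's tooling. Fixed update levels come from the
bulletin table; the minimum JDK builds are ASSUMED placeholders.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed update per major version, from the bulletin table.
FIXED_UPDATE: Dict[int, int] = {2016: 17, 2018: 11, 2021: 1}

# ASSUMPTION: example minimums for the two supported LTS lines (1.8 and 11).
# Replace with the current LTS builds at the time you run the check.
MIN_JDK: Dict[int, Version] = {8: (8, 0, 281), 11: (11, 0, 10)}


def parse_java_version(text: str) -> Version:
    """Normalise both Java version schemes to (feature, interim, update).

    Accepts a bare string ("1.8.0_281", "11.0.10") or the first line of
    `java -version` output, e.g. 'openjdk version "11.0.10" 2021-01-19'.
    """
    quoted = re.search(r'version "([^"]+)"', text)
    raw = quoted.group(1) if quoted else text.strip()
    legacy = re.match(r"1\.(\d+)\.(\d+)_(\d+)", raw)  # pre-JDK 9 scheme: 1.8.0_281
    if legacy:
        feature, interim, update = legacy.groups()
        return (int(feature), int(interim), int(update))
    modern = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", raw)  # JEP 223 scheme: 11.0.10
    if modern:
        feature, interim, update = modern.groups()
        return (int(feature), int(interim or 0), int(update or 0))
    raise ValueError(f"unrecognised Java version: {raw!r}")


def parse_coldfusion_version(text: str) -> Tuple[int, int]:
    """Return (major, update) from '2021.0.0.323925' or '2018,0,11,<build>'.

    ASSUMPTION: the third field is the update level.
    """
    parts = [int(p) for p in re.split(r"[.,]", text.strip())]
    if len(parts) < 3 or parts[0] not in FIXED_UPDATE:
        raise ValueError(f"unrecognised ColdFusion version: {text!r}")
    return parts[0], parts[2]


def triage(cf_version: str, java_version: str) -> List[str]:
    """Return the reasons a host is still exposed; an empty list means patched."""
    findings: List[str] = []
    major, update = parse_coldfusion_version(cf_version)
    if update < FIXED_UPDATE[major]:
        findings.append(f"ColdFusion {major} Update {update} < Update {FIXED_UPDATE[major]}")
    jdk = parse_java_version(java_version)
    minimum = MIN_JDK.get(jdk[0])
    if minimum is None:
        findings.append(f"JDK {jdk[0]} is not one of the supported LTS lines (1.8 or 11)")
    elif jdk < minimum:
        # Per Adobe, the ColdFusion update alone does NOT secure the server.
        findings.append(f"JDK {jdk} is older than the assumed minimum {minimum}")
    return findings


# Constructed sample inventory: (hostname, product version, `java -version` line).
# Build numbers other than the bulletin's 2021.0.0.323925 are made up.
SAMPLE_HOSTS = [
    ("cf2021-a", "2021.0.0.323925", 'openjdk version "11.0.10" 2021-01-19'),
    ("cf2018-b", "2018,0,11,300000", 'java version "1.8.0_202"'),
    ("cf2016-c", "2016.0.17.300000", 'openjdk version "1.8.0_282"'),
]


def audit(hosts=SAMPLE_HOSTS) -> Dict[str, List[str]]:
    """Map each host name to its findings."""
    return {name: triage(cf, java) for name, cf, java in hosts}


if __name__ == "__main__":
    for host, findings in audit().items():
        print(host, "OK" if not findings else "; ".join(findings))
```

In the constructed sample, the unpatched 2021 host fails on update level, the 2018 host has the fix but runs an old 1.8 build and is therefore still flagged, and only the 2016 host passes both checks. Feed it the product version from the ColdFusion Administrator and the `java -version` line from the JDK the service actually starts with, not whatever `java` is first on the PATH.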
The US National Security Agency (NSA) has listed CVE-2018-4939 (an Adobe ColdFusion 14 bug) as one of the top 25 vulnerabilities used by Chinese state-sponsored or financially-motivated hackers to exploit public-facing servers.
For example, in November 2018, China-backed hackers took over ColdFusion servers by deploying China Chopper backdoors after exploiting a bug tracked as CVE-2018-15961, which had been patched two months earlier.
The Chinese-speaking cybercrime group Rocke was also observed earlier that year dropping cryptomining malware on Internet-exposed Adobe ColdFusion servers by exploiting similar unpatched bugs.
Another ColdFusion vulnerability, CVE-2018-15961, was included by the NSA in its list of the bugs most exploited for deploying web shells on vulnerable servers.