Critical Vulnerability in Adobe ColdFusion

ColdFusion 2016

If your organisation has servers running Adobe ColdFusion and they haven’t been updated recently, now would be a good time to update them. This is particularly important if you’re using a feature called “Flex Integration”.

Adobe’s latest ColdFusion security update fixes a critical vulnerability identified by Cognitous director Nicky Bloor. The vulnerability could enable an attacker to take complete control of affected servers. The same security update fixes a second critical vulnerability, reported by Matthias Kaiser of Code White GmbH, that could enable an attacker to steal files from affected servers.

In addition to applying the latest security update, users should update Java on the affected servers. Be sure to also review Adobe’s lockdown guides for guidance on further security improvements.

Technical details of the critical vulnerability discovered by Nicky Bloor can be found on his blog: Another ColdFusion RCE – CVE-2018-4939.

Cognitous can help with all aspects of securing your IT systems. Get in touch to see how we can help you.