Adobe ColdFusion Unauthenticated RCE

Vendor: Adobe
Product: ColdFusion
Affected Version(s): ColdFusion 9 (all versions), ColdFusion 11 update 13 and below, ColdFusion 2016 update 5 and below
Severity: Critical
Reference: CVE-2018-4939
Researcher: Nicky Bloor (@NickstaDB)
Links:

Description

When Adobe ColdFusion’s Flex integration is enabled and configured to use Java RMI, a network service is exposed that allows arbitrary Java objects to be deserialized. By supplying a specially crafted object to this service, an unauthenticated attacker could trigger the execution of arbitrary code on the server.

Remediation

Correct remediation of this vulnerability involves updating both Adobe ColdFusion and the Java runtime environment that it is configured to use. ColdFusion should be updated to a version greater than 11 update 12 or greater than 2016 update 4.

Adobe ColdFusion Unauthenticated RCE

Vendor: Adobe
Product: ColdFusion
Affected Version(s): ColdFusion 9 (all versions), ColdFusion 11 update 12 and below, ColdFusion 2016 update 4 and below
Severity: Critical
Reference: CVE-2017-11284
Researcher: Nicky Bloor (@NickstaDB)
Links:

Description

Affected versions of Adobe ColdFusion were bundled with an outdated Java runtime environment. When Adobe ColdFusion’s Flex integration was enabled and configured to use Java RMI, arbitrary objects could be bound to the RMI registry service. A specially crafted object could enable an unauthenticated attacker to trigger the execution of arbitrary code on the server.

Remediation

Correct remediation of this vulnerability involves updating both Adobe ColdFusion and the Java runtime environment that it is configured to use. ColdFusion should be updated to a version greater than 11 update 12 or greater than 2016 update 4.

Adobe ColdFusion Unauthenticated RCE

Vendor: Adobe
Product: ColdFusion
Affected Version(s): ColdFusion 9 (all versions), ColdFusion 11 update 12 and below, ColdFusion 2016 update 4 and below
Severity: Critical
Reference: CVE-2017-11283
Researcher: Nicky Bloor (@NickstaDB)
Links:

Description

When Adobe ColdFusion’s Flex integration is enabled and configured to use Java RMI, a network service is exposed that allows arbitrary Java objects to be deserialized. By supplying a specially crafted object to this service, an unauthenticated attacker could trigger the execution of arbitrary code on the server.

Remediation

Correct remediation of this vulnerability involves updating both Adobe ColdFusion and the Java runtime environment that it is configured to use. ColdFusion should be updated to a version greater than 11 update 12 or greater than 2016 update 4.