We want to increase awareness of security updates and are therefore re-posting the security update details from the Adobe ColdFusion security bulletins.
Release date: Mar 14, 2023
Vulnerability Details: Deserialization of Untrusted Data (CWE-502), Improper Access Control (CWE-284), Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) (CWE-22)
Version after update: ColdFusion 2021 – Update 6 & ColdFusion 2018 – Update 16
Affected Versions: ColdFusion 2021 – Update 5 and earlier versions, ColdFusion 2018 – Update 15 and earlier versions
Addresses: vulnerabilities that are mentioned in the security bulletin APSB23-25

Release date: Oct 11, 2022
Vulnerability Details: Stack-based Buffer Overflow, Heap-based Buffer Overflow, Stack-based Buffer Overflow, Heap-based Buffer Overflow, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
Version after update: ColdFusion 2021 – Update 5 & ColdFusion 2018 – Update 15
Affected Versions: ColdFusion 2021 – Update 4, ColdFusion 2018 – Update 14 and earlier versions.
Addresses: vulnerabilities that are mentioned in the security bulletin APSB22-44

Release date: May 10, 2022
Vulnerability Details: Cross-site Scripting (Reflected XSS) (CWE-79)
Version after update: ColdFusion 2021 – Update 4 & ColdFusion 2018 – Update 14
Affected Versions: ColdFusion 2021 – Update 3 & ColdFusion 2018 – Update 13
Addresses: vulnerabilities that are mentioned in the security bulletin APSB22-22.
This release also contains the following library upgrades:
- Tomcat 9.0.60
- jQuery 3.6.0
- jQuery UI 1.13.1
- Log4j 2.17.2

Release date: March 17, 2020
Vulnerability identifier: APSB20-16
Version after update: ColdFusion 2016 – Update 14 & ColdFusion 2018 – Update 8
Affected Versions: ColdFusion 2016 – Update 13 and earlier versions & ColdFusion 2018 – Update 7 and earlier versions
Addresses: This update fixes an AJP protocol configuration issue that affects ColdFusion 2016 and 2018, as well as JEE application servers that use AJP, such as Tomcat, JBoss, and WildFly.
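The bulletin above only says that an AJP configuration issue was fixed. As an added example (not code from Adobe or from this page), the following checker audits the AJP connectors in a Tomcat-style server.xml, which is the file ColdFusion's bundled Tomcat and the other listed application servers use to declare connectors. It flags a connector that is not pinned to a loopback address, that has secretRequired disabled, or that has no shared secret; the attribute names are Tomcat's documented Connector attributes, and the two sample server.xml fragments are constructed for the example.

```python
"""Audit AJP connectors in a Tomcat-style server.xml (added example, not Adobe's code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List

# Addresses that keep an AJP listener off the network (reachable only locally).
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


@dataclass
class Finding:
    port: str
    issues: List[str] = field(default_factory=list)


def audit_ajp(server_xml: str) -> List[Finding]:
    """Return one Finding per AJP <Connector>; an empty issues list means it passed.

    Checks use Tomcat's documented Connector attributes: protocol, address,
    secret and secretRequired. Any connector whose protocol mentions AJP
    (AJP/1.3 or the org.apache.coyote.ajp.* class names) is examined.
    """
    root = ET.fromstring(server_xml)
    findings: List[Finding] = []
    for conn in root.iter("Connector"):
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        finding = Finding(port=conn.get("port", "?"))
        address = conn.get("address")
        if address is None or address not in LOOPBACK:
            # Older Tomcat releases bound AJP to every interface when address was
            # unset, so treat "not explicitly loopback" as network-exposed.
            finding.issues.append(
                f"address={address or '<unset>'}: not pinned to loopback")
        if conn.get("secretRequired", "true").lower() == "false":
            finding.issues.append("secretRequired=false: unauthenticated AJP accepted")
        if not conn.get("secret"):
            finding.issues.append("secret missing: no shared secret with the front-end proxy")
        findings.append(finding)
    return findings


def is_hardened(server_xml: str) -> bool:
    """True when every AJP connector passed all checks (or no AJP connector exists)."""
    return all(not f.issues for f in audit_ajp(server_xml))


# Constructed sample configurations (not taken from any real ColdFusion install).
WEAK_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8500" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8500" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secretRequired="true"
               secret="PLACEHOLDER-SET-A-LONG-RANDOM-VALUE"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for f in audit_ajp(xml):
            status = "OK" if not f.issues else "; ".join(f.issues)
            print(f"[{label}] AJP connector on port {f.port}: {status}")
```

Run it against a copy of your own server.xml by passing the file contents to audit_ajp. If no front-end web server connector actually talks AJP to the instance, the simplest hardening is to comment the AJP connector out entirely rather than tune it; the secret value in the hardened sample is a placeholder and must be replaced with a long random string shared only with the proxy.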
Release date: July 9, 2013
Vulnerability identifier: APSB13-19
Priority: See table below
CVE number: CVE-2013-3349, CVE-2013-3350
Platform: All
SUMMARY
Adobe has released a security hotfix for ColdFusion 10 for Windows, Macintosh and Linux. This hotfix addresses a vulnerability (CVE-2013-3350) that could permit an attacker to invoke public methods on ColdFusion Components (CFC) using WebSockets.
Adobe has released a security hotfix for ColdFusion versions 9.0, 9.0.1 and 9.0.2 on JRun. This hotfix addresses a vulnerability (CVE-2013-3349) that could be exploited to cause a denial of service condition on a system running ColdFusion 9.0, 9.0.1 and 9.0.2 on JRun. ColdFusion 10 customers are not affected by CVE-2013-3349.
Adobe recommends users update their product installation using the instructions provided in the “Solution” section below.
AFFECTED SOFTWARE VERSIONS
ColdFusion 10 for Windows, Macintosh and Linux
ColdFusion versions 9.0.2, 9.0.1 and 9.0 on JRun
SOLUTION
Adobe recommends ColdFusion customers update their installation using the instructions provided in the technote located here: http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-19.html
Customers should also apply the security configuration settings as outlined on the ColdFusion Security page as well as review the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide.
PRIORITY AND SEVERITY RATINGS
Adobe categorizes these hotfixes with the following priority ratings and recommends users update their installation to the newest version:
ColdFusion Version | Hotfix/Patch Version | Platform | Priority rating |
---|---|---|---|
10 | Update 11 | All | 1 |
9.0.2 | jrun-hotfix-3329722.jar | JRun | 2 |
9.0.1 | jrun-hotfix-3329722.jar | JRun | 2 |
9.0 | jrun-hotfix-3329722.jar | JRun | 2 |
The ColdFusion 10 hotfix addresses a critical vulnerability. The ColdFusion hotfix for versions 9.0, 9.0.1 and 9.0.2 on JRun addresses an important vulnerability.
DETAILS
The hotfix for ColdFusion 10 for Windows, Macintosh and Linux resolves a vulnerability that could permit an attacker to invoke public methods on ColdFusion Components (CFC) using WebSockets (CVE-2013-3350).
The hotfix for ColdFusion versions 9.0, 9.0.1 and 9.0.2 on JRun resolves a vulnerability that could be exploited by a remote user to cause a denial of service condition (CVE-2013-3349).
Reference(s): Adobe Security Bulletin