Latest Adobe Security Updates for ColdFusion

We want to increase awareness about security updates and thus are re-posting the security update details from the Adobe ColdFusion Security bulletin.

Adobe ColdFusion Security Updates
Release date: November 14, 2023

Vulnerability Details: Deserialization of Untrusted Data (CWE-502), Improper Access Control (CWE-284)
Version after update: ColdFusion 2023 – Update 6 & ColdFusion 2021 – Update 12
Affected Versions: ColdFusion 2023 – Update 5 and earlier versions, ColdFusion 2021 – Update 11 and earlier versions
Addresses: vulnerabilities that are mentioned in the security bulletin APSB23-52


Release date: July 19, 2023

Vulnerability Details: Deserialization of Untrusted Data (CWE-502), Improper Access Control (CWE-284)
Version after update: ColdFusion 2023 – Update 3, ColdFusion 2021 – Update 9 & ColdFusion 2018 – Update 19
Affected Versions: ColdFusion 2023 – Update 2 and earlier versions, ColdFusion 2021 – Update 8 and earlier versions, ColdFusion 2018 – Update 18 and earlier versions
Addresses: vulnerabilities that are mentioned in the security bulletin APSB23-47 


Release date: July 14, 2023

Vulnerability Details: Deserialization of Untrusted Data (CWE-502)
Version after update: ColdFusion 2023 – Update 2, ColdFusion 2021 – Update 8 & ColdFusion 2018 – Update 18
Affected Versions: ColdFusion 2023 – Update 1 and earlier versions, ColdFusion 2021 – Update 7 and earlier versions, ColdFusion 2018 – Update 17 and earlier versions
Addresses: vulnerabilities that are mentioned in the security bulletin APSB23-41 


Release date: July 11, 2023

Vulnerability Details: Deserialization of Untrusted Data (CWE-502) / Arbitrary Code Execution (CVE-2023-29300), Improper Access Control (CWE-284) / Security feature bypass (CVE-2023-29298), & Improper Restriction of Excessive Authentication Attempts (CWE-307) / Security feature bypass (CVE-2023-29301)
Version after update: ColdFusion 2023 – Update 1, ColdFusion 2021 – Update 7 & ColdFusion 2018 – Update 17
Affected Versions: ColdFusion 2023 (initial release), ColdFusion 2021 – Update 6 and earlier versions, ColdFusion 2018 – Update 16 and earlier versions
Addresses: vulnerabilities that are mentioned in the security bulletin APSB23-40 


Release date: Mar 14, 2023

Vulnerability Details: Deserialization of Untrusted Data (CWE-502), Improper Access Control (CWE-284), Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) (CWE-22)
Version after update: ColdFusion 2021 – Update 6 & ColdFusion 2018 – Update 16
Affected Versions: ColdFusion 2021 – Update 5 and earlier versions, ColdFusion 2018 – Update 15 and earlier versions
Addresses: vulnerabilities that are mentioned in the security bulletin APSB23-25 


Release date: Oct 11, 2022

Vulnerability Details: Stack-based Buffer Overflow (CWE-121, two entries), Heap-based Buffer Overflow (CWE-122, two entries), Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) (CWE-22, two entries); the bulletin lists one entry per vulnerability, so each category appears twice
Version after update: ColdFusion 2021 – Update 5 & ColdFusion 2018 – Update 15
Affected Versions: ColdFusion 2021 – Update 4 and earlier versions, ColdFusion 2018 – Update 14 and earlier versions
Addresses: vulnerabilities that are mentioned in the security bulletin APSB22-44 


Release date: May 10, 2022

Vulnerability Details: Cross-site Scripting (Reflected XSS) (CWE-79)
Version after update: ColdFusion 2021 – Update 4 & ColdFusion 2018 – Update 14
Affected Versions: ColdFusion 2021 – Update 3 and earlier versions & ColdFusion 2018 – Update 13 and earlier versions
Addresses: vulnerabilities that are mentioned in the security bulletin APSB22-22.

This release also contains the following library upgrades:

  • Tomcat 9.0.60
  • jQuery 3.6.0
  • jQuery UI 1.13.1
  • Log4j 2.17.2
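The entries above give, for each bulletin, the first update of each major version that contains the fix. A practitioner's first question is "which of these bulletins is my server still missing?", so here is an added example (not Adobe's code) that transcribes the update levels listed on this page, including the March 2020 AJP entry further down, and compares them with an installed version string. The version-string layout it parses (major,minor,update,build, as the Administrator's Settings Summary shows it) is an assumption; adjust the regular expression if yours differs. A major version absent from a bulletin is treated as not covered by it; this page does not say whether that means unaffected or out of support, so treat such absences conservatively.

```python
"""Compare an installed ColdFusion update level with the bulletins on this page.

Added example, not Adobe's code. The bulletin table below is transcribed from
the entries on this page; the version-string layout is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    release_date: str
    # major version -> first update that contains the fix, as listed on this page
    fixed_in: dict


BULLETINS = [
    Bulletin("APSB23-52", "2023-11-14", {2023: 6, 2021: 12}),
    Bulletin("APSB23-47", "2023-07-19", {2023: 3, 2021: 9, 2018: 19}),
    Bulletin("APSB23-41", "2023-07-14", {2023: 2, 2021: 8, 2018: 18}),
    Bulletin("APSB23-40", "2023-07-11", {2023: 1, 2021: 7, 2018: 17}),
    Bulletin("APSB23-25", "2023-03-14", {2021: 6, 2018: 16}),
    Bulletin("APSB22-44", "2022-10-11", {2021: 5, 2018: 15}),
    Bulletin("APSB22-22", "2022-05-10", {2021: 4, 2018: 14}),
    Bulletin("APSB20-16", "2020-03-17", {2018: 8, 2016: 14}),
]

# Assumed layout: major,minor,update,build (e.g. "2021,0,05,330109"); dots are also
# accepted. Change the pattern if your Settings Summary shows a different form.
VERSION_RE = re.compile(r"^\s*(\d{4})[.,](\d+)[.,](\d+)(?:[.,](\d+))?\s*$")


def parse_version(text):
    """Return (major, update) from a ColdFusion version string."""
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised ColdFusion version string: {text!r}")
    major, _minor, update, _build = match.groups()
    return int(major), int(update)


def missing_bulletins(major, update):
    """Bulletin IDs whose fix for this major version is newer than the installed update."""
    return [
        b.bulletin_id
        for b in BULLETINS
        if major in b.fixed_in and update < b.fixed_in[major]
    ]


def latest_update(major):
    """Highest update level any bulletin on this page lists for the major version, or None."""
    levels = [b.fixed_in[major] for b in BULLETINS if major in b.fixed_in]
    return max(levels) if levels else None


def report(version_text):
    """Human-readable verdict for one host."""
    major, update = parse_version(version_text)
    if latest_update(major) is None:
        return f"ColdFusion {major}: not covered by any bulletin listed here; check Adobe directly"
    missing = missing_bulletins(major, update)
    if not missing:
        return f"ColdFusion {major} Update {update}: no listed bulletin outstanding"
    return (f"ColdFusion {major} Update {update}: missing {', '.join(missing)}; "
            f"update to at least Update {latest_update(major)}")


if __name__ == "__main__":
    # Constructed sample version strings; the build numbers are placeholders.
    for sample in ("2021,0,05,330109", "2023,0,02,330000", "2018,0,19,000000"):
        print(report(sample))
```

Run it against the version string from each server's Administrator (or from a fleet inventory) rather than trusting the date of the last maintenance window: the three July 2023 bulletins arrived within nine days, so a 2023 host that reached Update 1 or Update 2 in mid-July was still an affected version for the later bulletins.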

Release date: March 17, 2020

Vulnerability identifier: APSB20-16

Version after update: ColdFusion 2016 – Update 14 & ColdFusion 2018 – Update 8
Affected Versions: ColdFusion 2016 – Update 13 and earlier version & ColdFusion 2018 – Update 7 and earlier versions
Addresses: A configuration issue with the AJP protocol, fixed in this update. It affects ColdFusion 2016 and 2018 together with the JEE application servers that use AJP, such as Tomcat, JBoss and WildFly.
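The AJP entry above only says that a configuration issue was fixed. The two settings that decide whether an AJP connector is reachable by anyone other than the front-end web server are its bind address and its shared secret, both of which are ordinary attributes of Tomcat's AJP `<Connector>` (`address`, `secretRequired`, `secret`). The following is an added example, not Adobe's or Tomcat's code, that audits those attributes in a `server.xml`; the sample XML is constructed for the example, with one exposed connector beside one hardened one, and the default file path is an assumption about where a ColdFusion install keeps its embedded Tomcat configuration.

```python
"""Audit Tomcat server.xml AJP connectors for a loopback bind address and a shared secret.

Added example, not Adobe's or Tomcat's code. The attribute names are Tomcat's
documented AJP connector attributes; the default path and the sample XML are assumed.
"""
import xml.etree.ElementTree as ET

# Assumed location of the embedded Tomcat configuration in a ColdFusion install.
DEFAULT_SERVER_XML = "cfusion/runtime/conf/server.xml"

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}
WILDCARD_ADDRESSES = {"0.0.0.0", "::"}

# Constructed sample: one HTTP connector, one AJP connector with no address and no
# secret (what older defaults produced), and one hardened AJP connector.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value" redirectPort="8443"/>
  </Service>
</Server>
"""


def is_ajp(connector):
    """True for <Connector> elements speaking AJP (protocol="AJP/1.3" or an Ajp* class name)."""
    return "AJP" in connector.get("protocol", "HTTP/1.1").upper()


def audit_connector(connector):
    """Return the findings for one AJP connector; an empty list means it passes both checks."""
    findings = []
    address = connector.get("address")
    if address is None or address in WILDCARD_ADDRESSES:
        findings.append("listens on all interfaces: set address to a loopback address")
    elif address not in LOOPBACK_ADDRESSES:
        findings.append(f"listens on {address}: confirm only the web server connector can reach it")
    if connector.get("secretRequired", "true").strip().lower() == "false":
        findings.append('secretRequired="false": AJP requests are accepted without a shared secret')
    elif not connector.get("secret"):
        # Tomcat 9.0.31+ refuses to start such a connector; older Tomcat runs it unauthenticated.
        findings.append("no secret attribute: older Tomcat accepts unauthenticated AJP")
    return findings


def audit_server_xml(xml_text):
    """Map each AJP connector's port to its findings; non-AJP connectors are ignored."""
    root = ET.fromstring(xml_text)
    return {c.get("port", "?"): audit_connector(c) for c in root.iter("Connector") if is_ajp(c)}


def audit_file(path=DEFAULT_SERVER_XML):
    """Audit a server.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_server_xml(fh.read())


if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(f"AJP connector on port {port}: {'OK' if not findings else '; '.join(findings)}")
```

A secret in `server.xml` only helps when the front-end connector (mod_jk, mod_proxy_ajp or the IIS connector) presents the same value, so after hardening the Tomcat side, check the web server connector's configuration as well, and verify with a port scan from another host that the AJP port is no longer reachable.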


Release date: July 9, 2013

Vulnerability identifier: APSB13-19
Priority: See table below
CVE number: CVE-2013-3349, CVE-2013-3350
Platform: All

SUMMARY

Adobe has released a security hotfix for ColdFusion 10 for Windows, Macintosh and Linux.  This hotfix addresses a vulnerability (CVE-2013-3350) that could permit an attacker to invoke public methods on ColdFusion Components (CFC) using WebSockets.

Adobe has released a security hotfix for ColdFusion versions 9.0, 9.0.1 and 9.0.2 on JRun.  This hotfix addresses a vulnerability (CVE-2013-3349) that could be exploited to cause a denial of service condition on a system running ColdFusion 9.0, 9.0.1 and 9.0.2 on JRun.  ColdFusion 10 customers are not affected by CVE-2013-3349.

Adobe recommends users update their product installation using the instructions provided in the “Solution” section below.

AFFECTED SOFTWARE VERSIONS

ColdFusion 10 for Windows, Macintosh and Linux
ColdFusion versions 9.0.2, 9.0.1 and 9.0 on JRun

SOLUTION

Adobe recommends ColdFusion customers update their installation using the instructions provided in the technote located here: http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-19.html

Customers should also apply the security configuration settings as outlined on the ColdFusion Security page as well as review the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide.

PRIORITY AND SEVERITY RATINGS

Adobe categorizes these hotfixes with the following priority ratings and recommends users update their installation to the newest version:

ColdFusion Version   Hotfix/Patch Version        Platform   Priority rating
10                   Update 11                   All        1
9.0.2                jrun-hotfix-3329722.jar     JRun       2
9.0.1                jrun-hotfix-3329722.jar     JRun       2
9.0                  jrun-hotfix-3329722.jar     JRun       2

The ColdFusion 10 hotfix addresses a critical vulnerability. The ColdFusion hotfix for versions 9.0, 9.0.1 and 9.0.2 on JRun addresses an important vulnerability.

DETAILS

The hotfix for ColdFusion 10 for Windows, Macintosh and Linux resolves a vulnerability that could permit an attacker to invoke public methods on ColdFusion Components (CFC) using WebSockets (CVE-2013-3350).

The hotfix for ColdFusion versions 9.0, 9.0.1 and 9.0.2 on JRun resolves a vulnerability that could be exploited by a remote user to cause a denial of service condition (CVE-2013-3349).

Reference(s): Adobe Security Bulletin

Conclusion

Keeping up with Adobe's ColdFusion security updates is the single most effective control for these environments: the bulletins above cover deserialization leading to arbitrary code execution, access-control bypasses, path traversal and buffer overflows, and each is closed by moving to the update level Adobe lists. Check the installed update against the latest bulletin for your major version rather than assuming a recent patch cycle was enough; the three July 2023 bulletins were released within nine days, so a host that stopped at Update 1 or Update 2 of ColdFusion 2023 was still on an affected version for the later ones.

Updates are necessary but not sufficient. Apply the configuration settings from the ColdFusion Security page and the Lockdown Guide for your version alongside them, and treat new bulletins as routine work to be scheduled promptly rather than as exceptional events.