We want to spread the word and thus are re-posting the security update details from Adobe ColdFusion Security bulletin.

ColdFusion10 Security Update

Release date: July 9, 2013

Vulnerability identifier: APSB13-19

Priority: See table below

CVE number: CVE-2013-3349, CVE-2013-3350

Platform: All

SUMMARY

Adobe has released a security hotfix for ColdFusion 10 for Windows, Macintosh and Linux.  This hotfix addresses a vulnerability (CVE-2013-3350) that could permit an attacker to invoke public methods on ColdFusion Components (CFC) using WebSockets.

Adobe has released a security hotfix for ColdFusion versions 9.0, 9.0.1 and 9.0.2 on JRun.  This hotfix addresses a vulnerability (CVE-2013-3349) that could be exploited to cause a denial of service condition on a system running ColdFusion 9.0, 9.0.1 and 9.0.2 on JRun.  ColdFusion 10 customers are not affected by CVE-2013-3349.

Adobe recommends users update their product installation using the instructions provided in the “Solution” section below.

AFFECTED SOFTWARE VERSIONS

ColdFusion 10 for Windows, Macintosh and Linux
ColdFusion versions 9.0.2, 9.0.1 and 9.0 on JRun

SOLUTION

Adobe recommends ColdFusion customers update their installation using the instructions provided in the technote located here: http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-19.html

Customers should also apply the security configuration settings as outlined on the ColdFusion Security page as well as review the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide.

PRIORITY AND SEVERITY RATINGS

Adobe categorizes these hotfixes with the following priority ratings and recommends users update their installation to the newest version:

ColdFusion Version   Hotfix/Patch Version       Platform   Priority rating
10                   Update 11                  All        1
9.0.2                jrun-hotfix-3329722.jar    JRun       2
9.0.1                jrun-hotfix-3329722.jar    JRun       2
9.0                  jrun-hotfix-3329722.jar    JRun       2

The ColdFusion 10 hotfix addresses a critical vulnerability. The ColdFusion hotfix for versions 9.0, 9.0.1 and 9.0.2 on JRun addresses an important vulnerability.

DETAILS

Adobe has released a security hotfix for ColdFusion 10 for Windows, Macintosh and Linux.  This hotfix addresses a vulnerability (CVE-2013-3350) that could permit an attacker to invoke public methods on ColdFusion Components (CFC) using WebSockets.

Adobe has released a security hotfix for ColdFusion versions 9.0, 9.0.1 and 9.0.2 on JRun.  This hotfix addresses a vulnerability (CVE-2013-3349) that could be exploited to cause a denial of service condition on a system running ColdFusion 9.0, 9.0.1 and 9.0.2 on JRun.  ColdFusion 10 customers are not affected by CVE-2013-3349.

Adobe recommends users update their product installation using the instructions provided in the “Solution” section above.

The hotfix for ColdFusion 10 for Windows, Macintosh and Linux resolves a vulnerability that could permit an attacker to invoke public methods on ColdFusion Components (CFC) using WebSockets (CVE-2013-3350).

The hotfix for ColdFusion versions 9.0, 9.0.1 and 9.0.2 on JRun resolves a vulnerability that could be exploited by a remote user to cause a denial of service condition (CVE-2013-3349).

Reference(s): Adobe Security Bulletin