Adobe Fixes Critical ColdFusion Flaw in Emergency Update

Cyber Security News

Attackers can leverage the critical Adobe ColdFusion flaw to launch arbitrary code execution attacks.

In an unscheduled security update, Adobe is warning of a critical security flaw in its ColdFusion platform, used for building web applications.

The security alert comes two weeks after Adobe’s regularly-scheduled updates. During these updates, the tech company issued patches for a slew of critical security vulnerabilities, which, if exploited, could allow for arbitrary code execution on vulnerable Windows systems.

The latest flaw (CVE-2021-21087) exists in ColdFusion versions 2016 (Update 16 and earlier), 2018 (Update 10 and earlier) and 2021 (Version 2021.0.0.323925), and could lead to arbitrary code execution.

“Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates,” according to Adobe on Monday.

The vulnerability stems from improper input validation, which is a type of issue (previously plaguing other Adobe products) that occurs when the affected product does not validate input. This can affect the control flow or data flow of a program, and allow for an attacker to launch a slew of malicious attacks. Further information on the flaw – including where in ColdFusion it exists, and how difficult it is to exploit, were not addressed; Threatpost has reached out to Adobe for further comment.

The flaw has been corrected in the following versions of ColdFusion: ColdFusion 2016 (update 17), ColdFusion 2018 (update 11) and ColdFusion 2021 (update 1). See below for the updated versions.

Source: Adobe

Adobe said the security update is a “priority 2,” meaning that it resolves vulnerabilities “in a product that has historically been at elevated risk” – but for which there are currently no known exploits.

“Based on previous experience, we do not anticipate exploits are imminent,” for “priority 2” updates, said Adobe. However, “as a best practice, Adobe recommends administrators install the update soon (for example, within 30 days).”

Adobe credited Josh Lane with discovering and reporting the flaw.

ColdFusion, a web-programming language providing a platform for building and deploying web and mobile applications, has previously been privy to various security flaws.

In April, Adobe released patches for “important”-severity vulnerabilities in ColdFusion, which if exploited, could enable attackers to view sensitive data, gain escalated privileges, and launch denial-of-service attacks. And in 2019, Adobe issued unscheduled security updates to fix two critical flaws in its ColdFusion product. The critical vulnerabilities could have enabled an attacker to either execute arbitrary code or bypass access control on impacted systems.

Register for this LIVE Event: 0-Day Disclosures: Good, Bad & Ugly: On Mar. 24 at 2 p.m. ET, Threatpost tackles how vulnerability disclosures can pose a risk to companies. To be discussed, Microsoft 0-days found in Exchange Servers. Join 0-day hunters from Intel Corp. and veteran bug bounty researchers who will untangle the 0-day economy and unpack what’s on the line for all businesses when it comes to the disclosure process. Register NOW for this LIVE webinar on Wed., Mar. 24.