Emergency Patch Released for ColdFusion Vulnerability. Adobe developers decided not to wait for the March "Patch Tuesday" (which this month falls on March 12) and released an out-of-band patch for a critical issue in ColdFusion.
The vulnerability has been assigned the identifier CVE-2019-7816 and is rated critical. The bug affects all currently supported versions of the platform (ColdFusion 11, 2016 and 2018), as well as older versions.
According to the official security bulletin, the vulnerability is related to unauthorized file uploads. An attacker with appropriate access can upload executable code to the server and execute it in the context of ColdFusion via an HTTP request. The developers write that if for some reason installing the patch is not possible, you can instead restrict requests to the directories where uploaded files are stored.
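The workaround Adobe describes, restricting requests to the upload directory, can be expressed as a web-server rule. The following is an added illustration, not configuration from Adobe's bulletin; it assumes ColdFusion is fronted by Apache httpd 2.4 and that uploaded files land in a placeholder directory `/path/to/wwwroot/uploads` (adjust the path to your deployment). The idea is that even if a `.cfm`, `.cfc` or `.jsp` file is written into that directory, no HTTP request can reach it, so it is never handed to the ColdFusion engine.

```apache
# Added example (not from Adobe's bulletin).
# Assumption: ColdFusion sits behind Apache httpd 2.4 via the usual connector,
# and user uploads are stored under /path/to/wwwroot/uploads (placeholder).

<Directory "/path/to/wwwroot/uploads">
    # Default posture: no request may fetch anything from the upload directory.
    # This is the strict form of the "limit requests to the upload directories"
    # workaround: uploaded scripts can never be executed via HTTP.
    Require all denied

    # Optional: if legitimately uploaded files (e.g. images, PDFs) must stay
    # reachable, re-allow only an explicit allowlist of extensions. Anything
    # not on the list, including .cfm/.cfc/.cfml/.jsp, remains denied.
    <FilesMatch "\.(png|jpe?g|gif|pdf)$">
        Require all granted
    </FilesMatch>

    # Belt and braces: do not let per-directory .htaccess files weaken the rule.
    AllowOverride None
</Directory>
```

Delete the `<FilesMatch>` block if nothing in the directory needs to be served over HTTP at all. Because the rule is an allowlist on the file name, a file such as `shell.cfm` or `image.png.cfm` is still refused with a 403 before the request reaches ColdFusion; the same restriction should be mirrored on any other front end (IIS, a reverse proxy) that can route requests to the ColdFusion server.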
It is reported that the vulnerability was discovered not by information security specialists but by ordinary ColdFusion developers. One of them, Charlie Arehart, told Bleeping Computer that he noticed the problem when one of his clients was attacked with it. Arehart did not go into detail about the attacks or the bug itself, so it is not known exactly how the hackers exploit the bug.
Let me remind you that last fall ColdFusion servers were already under attack because of a similar problem, also related to unauthorized file uploading. At that time the attackers used the vulnerability to upload the China Chopper backdoor to vulnerable machines.