Adobe Patches ColdFusion Vulnerability

Monday, August 31, 2015 @ 04:08 PM gHale

Adobe fixed a vulnerability in its ColdFusion development platform.

The fix includes an updated version of BlazeDS, a server-based Java remoting and web messaging technology.


The BlazeDS update follows a report earlier this month in which Adobe said BlazeDS had an XML External Entity (XXE) vulnerability that can result in information disclosure.

The vulnerability affects ColdFusion 10 update 16 and earlier versions, and ColdFusion 11 update 5 and earlier versions.

ColdFusion 10 update 17 and ColdFusion 11 update 6 address the issue.

Adobe has provided detailed instructions on how to apply the fix for ColdFusion 10 and 11. The company also advises developers to apply the security configuration settings described on the ColdFusion Security page, and review the lockdown guides for the platform.

Adobe rated the vulnerability as “important” and assigned it a priority rating of 2. This indicates the security hole can be exploited to compromise data security, and that it affects a product that has historically been at elevated risk. Adobe said it is not aware of any exploits targeting this flaw.

The flaw was reported to Adobe by Matthias Kaiser of Code White.