ColdFusion Flaw Fix Coming

Friday, May 10, 2013 @ 04:05 PM gHale


Adobe is working on a patch for a critical vulnerability in its ColdFusion Web application server that attackers are actively exploiting.

The vulnerability affects several versions of ColdFusion running on Windows, Unix and OS X.


The flaw, which Adobe plans to patch on May 14, allows a remote attacker to retrieve files from affected servers. A public exploit for the vulnerability is available, making the patch a high priority for enterprises running ColdFusion.

“There are reports that an exploit for this vulnerability is publicly available. ColdFusion customers who have restricted public access to the CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted directories (as outlined in the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide) are already mitigated against this issue,” Adobe said in its advisory.

The company recommends that customers running vulnerable versions of ColdFusion, which include 10, 9, 9.02 and 9.01, follow the recommendations in the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide to put in place mitigations that prevent exploitation of this vulnerability.
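One way to apply the restriction the advisory describes, as an added example that is not text from Adobe's advisory or the Lockdown Guides: an Apache httpd 2.4 front end limiting the three CFIDE paths to a management network. The 10.0.0.0/8 range is a placeholder, and the match is case-insensitive because ColdFusion on Windows serves these paths regardless of case.

```apache
# Added example, not from the advisory or the Lockdown Guides.
# Assumed: Apache httpd 2.4 proxying to ColdFusion; 10.0.0.0/8 is a
# placeholder for the internal management network.

# Weak (default) state: nothing in the web server configuration blocks
# /CFIDE/administrator, /CFIDE/adminapi or /CFIDE/gettingstarted, so any
# client on the Internet can reach them. This is the exposure the
# advisory says the Lockdown Guide mitigation removes.

# Hardened state: deny the three sensitive paths to everyone except the
# management network. (?i) makes the match case-insensitive so that
# mixed-case requests such as /cfide/Administrator are also covered.
<LocationMatch "(?i)^/CFIDE/(administrator|adminapi|gettingstarted)(/|$)">
    Require ip 10.0.0.0/8
</LocationMatch>
```

After reloading httpd, confirm from an external vantage point that a request for /CFIDE/administrator/ is refused with 403 while the same request from the management network still reaches the login page; without that check a rule that was never loaded looks identical to one that works.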
