Security Experts:

Adobe Releases Hotfix to Address Critical Vulnerabilities in ColdFusion

Adobe on Tuesday released a hotfix to address four vulnerabilities affecting ColdFusion running on Windows, Mac OS and UNIX platforms.

On Jan. 5, Adobe issued a security advisory warning customers that certain vulnerabilities in ColdFusion were being actively exploited in attacks.

The security issues impact ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Mac OS X and UNIX, and if exploited, could let an attacker remotely bypass authentication controls, access to restricted directories, leak data, or take control of a compromised server.

The four vulnerabilities addressed in today’s security update include: 

CVE-2013-0625 affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user to remotely circumvent authentication controls, potentially allowing the attacker to take control of the affected server.

CVE-2013-0629 affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user access to restricted directories.

CVE-2013-0631 affects ColdFusion 9.0.2, 9.0.1 and 9.0, and could result in information disclosure from a compromised server

CVE-2013-0632 affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user to remotely circumvent authentication controls, potentially allowing the attacker to take control of the affected server.

Adobe said previously that CVE-2013-0625 and CVE-2013-0629 only affect ColdFusion customers who do not have password protection enabled or have no password set.

Adobe categorizes this hotfix as a Priority 1 update, as it resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. For that reason, Adobe recommends users update their installation to the newest version as soon as possible.

Instructions for ColdFusion customers on how to update their software along with additional details can be found here