Security Experts:

Adobe Warns of New Critical Vulnerability in ColdFusion

Adobe on Wednesday night, issued a Security Advisory (APSA13-03) for a newly disclosed critical security vulnerability in Adobe ColdFusion.

The critical vulnerability (CVE-2013-3336) affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0 and earlier versions for Windows, Macintosh and UNIX, Adobe said, and could allow an attacker to remotely access files stored on the server.

There have been reports that an exploit for the vulnerability is publicly available.

Some customers may always have protections in place, as Adobe said ColdFusion users who have restricted public access to the CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted directories are already safe from the issue.

For ColdFusion customers that have not applied the above steps, Adobe recommends implementing the following configuration settings:

Restrict public access to the CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted directories by following the hardening guidance in the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide.

Adobe is in the process of creating a fix for the issue and says a hotfix will be available on Tuesday, May 14, 2013.

Symantec’s Marcin Siedlarz was credited for reporting the issue to Adobe.

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.