Adobe closes critical ColdFusion vulnerabilities
Adobe has released a hotfix for the critical security vulnerabilities in its ColdFusion application platform that it warned of last week. Attackers had already been actively abusing the holes in versions 10, 9.0.2, 9.0.1 and 9 of the web platform on Windows, Mac OS X and UNIX systems. The holes allowed the attackers to bypass authentication controls, access protected directories and potentially take control of a server.
In all, four vulnerabilities have been closed in ColdFusion 9.x (CVE-2013-0625 authentication bypass, CVE-2013-0629 directory traversal, CVE-2013-0631 information disclosure and CVE-2013-0632 authentication bypass). Two of the vulnerabilities (CVE-2013-0625 and CVE-2013-0632) also existed in ColdFusion 10 and are corrected by the hotfix. Adobe says the fix should be applied as soon as possible. Instructions for applying the hotfix are available and will, by default, disable the RDS service.