Adobe warns of unpatched vulnerabilities in ColdFusion
Adobe is warning users of its ColdFusion application server that there are three vulnerabilities which are already being actively exploited for attacks. Versions 9.0, 9.0.1, 9.0.2 and 10 on all supported operating systems are vulnerable. There is no patch yet, but Adobe is suggesting some steps to mitigate the issues.
One of the vulnerabilities can allow an attacker to remotely bypass authentication, potentially allowing that attacker to take control of the affected server. The second vulnerability permits unauthorised users to view the contents of restricted directories. The final issue affects already compromised servers and could result in further information disclosure.
According to Adobe, the first two vulnerabilities can only be exploited if ColdFusion's password protection is not active, or is active but no password has been set. The company says it is working on a patch and plans to release it on 15 January.
In the interim, it offers instructions how to ensure a ColdFusion server is not taken over by malicious parties. Adobe recommends that a username and password should be set on RDS (Remote Development Services) and that these should be different from those on the administrator account. Once the username and password are set, Adobe then says users should disable RDS. The company also suggests disabling external access to
/CFIDE/componentutils and removing any unknown or unused ColdFusion components from the
/CFIDE and webroot directories.