Update now! Critical Adobe ColdFusion flaw now being exploited

Adobe has issued an urgent out-of-band patch for a critical flaw in the ColdFusion web development platform it says is being exploited in the wild.

The company’s APSB19-14 bulletin is light on detail but describes the issue as a “file upload restriction bypass” affecting ColdFusion 2018 update 2 and earlier, 2016 update 9 and earlier, and 17 and earlier:

This attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request.  Restricting requests to directories where uploaded files are stored will mitigate this attack.

Who’s affected?

According to a blog by one of those credited by Adobe for reporting the issue, Charlie Arehart, updating should be a particular concern to ColdFusion servers that allow file uploads to a web-accessible folder, have any code that does the same in ColdFusion Markup Language (CFML), and have not disallowed files with server-executable extensions.

Wrote Arehart:

I also know what was done specifically to perpetrate the attack, and the very negative consequences of what happened once the server of a client of mine was attacked. You don’t want this to happen to you.

Cybercriminals have a history of developing exploits for the platform, aware perhaps that not all admins get around to patching it as quickly as they should.

A salient example was last September’s update fixing critical flaws, APSB18-33 (CVE-2018-15061) which an APT group reportedly targeted with an exploit made possible by weak patching.

In 2014, another vulnerability was exploited to hack websites belonging to car company Citroen.

What to do

Identified as CVE-2019-7816, the solution is to update to ColdFusion 2018 update 3, 2016 Update 10, or 11 Update 18 through the product’s server update admin feature.

Adobe recently updated ColdFusion on 12 February and should do so again on 12 March as part of Patch Tuesday if any new fixes are in the pipeline.