Adobe has issued an urgent out-of-band patch for a critical flaw in the ColdFusion web development platform it says is being exploited in the wild.
The company’s APSB19-14 bulletin is light on detail but describes the issue as a “file upload restriction bypass” affecting ColdFusion 2018 update 2 and earlier, 2016 update 9 and earlier, and 17 and earlier:
This attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request. Restricting requests to directories where uploaded files are stored will mitigate this attack.
According to a blog by one of those credited by Adobe for reporting the issue, Charlie Arehart, updating should be a particular concern to ColdFusion servers that allow file uploads to a web-accessible folder, have any code that does the same in ColdFusion Markup Language (CFML), and have not disallowed files with server-executable extensions.
I also know what was done specifically to perpetrate the attack, and the very negative consequences of what happened once the server of a client of mine was attacked. You don’t want this to happen to you.
Cybercriminals have a history of developing exploits for the platform, aware perhaps that not all admins get around to patching it as quickly as they should.
In 2014, another vulnerability was exploited to hack websites belonging to car company Citroen.
What to do
Adobe recently updated ColdFusion on 12 February and should do so again on 12 March as part of Patch Tuesday if any new fixes are in the pipeline.