Adobe addresses a critical vulnerability in ColdFusion product

Adobe has released security updates to address a critical vulnerability in the ColdFusion product (versions 2021, 2016, and 2018) that could lead to arbitrary code execution.

Adobe has released security patches to address a critical vulnerability in Adobe ColdFusion that could be exploited by attackers to execute arbitrary code on vulnerable systems. The issue, tracked as CVE-2021-21087 is caused by improper input validation.

“Adobe has released security updates for ColdFusion versions 2021, 2016 and 2018. These updates resolve a critical  vulnerability that could lead to arbitrary code execution. ” reads the advisory published by the software giant.

The flaw affects ColdFusion 2016 Update 16 and earlier version, all ColdFusion 2018 Update 10, and earlier versions All ColdFusion 2021 Version 2021.0.0.323925.

Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for 1.8 and JDK 11, it pointed out that installing the ColdFusion update without a corresponding JDK update will NOT secure the server.  

The software giant also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.    

• ColdFusion 2018 Auto-Lockdown guide
• ColdFusion 2016 Lockdown Guide
• ColdFusion 2021 Lockdown Guide

The vulnerability was reported by Josh Lane, the company confirmed that it is now aware of attacks in the wild exploiting the CVE-2021-20187 vulnerability.  

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Coldfusion)

[adrotate banner=”5″]

[adrotate banner=”13″]