[German]Adobe ColdFusion users should update to the latest version immediately. Adobe has closed a critical vulnerability that is already being exploited with a security update.
Advertising
The emergency update that addresses a critical vulnerability within the ColdFusion web app development platform has been released on March 1, 2019.
Updated: "Urgent #ColdFusion security update released March 1 2019, for CF11/2016/2018, Part 1" https://t.co/hmBVFOeZxY (more details)
— Charlie Arehart (@carehart) 2. März 2019
The vulnerability can lead to the arbitrary code execution and is already exploited. The security issue allows an attacker to bypass restrictions on uploading files. To take advantage of this, the attacker must be able to upload executable code to a directory of files on a web server. The code can then be executed via an HTTP request, says Adobe in its security bulletin APSB 19-14. All versions of ColdFusion that do not have the latest updates are affected by the vulnerability (CVE-2019-7816), regardless of the platform.
Charlie Arehart, an independent consultant responsible for reporting the vulnerability, told Bleeping Computer that he discovered the bug when he was deployed against one of his clients and analyzed the attack.
