Adobe has issued an out-of-band update for its web application platform Coldfusion which fixes two critical vulnerabilities and one important flaw.
One of the critical vulnerabilities is command injection flaw that could lead to remote code execution. The flaw was identified by Badcode of the Knownsec 404 Team and is being tracked as CVE-2019-8073.
The second critical vulnerability, CVE-2019-8074, is a path traversal flaw that could be exploited by an attacker to bypass access controls and remotely execute code on a vulnerable device. The flaw was identified by Daniel Underhay of Aura Information Security and credit was also given to Ben Reid of Techlegalia Pty and Pete Freitag of Foundeo.
The least serious of the three flaws, CVE-2019-8072, is a security bypass vulnerability that could lead to information disclosure. It was discovered by Pete Freitag of Foundeo.
Due to the severity of the flaws and potential for exploitation, Adobe recommends all users update vulnerable versions of Coldfusion as soon as possible. Adobe is unaware of any exploits for the flaws currently being used in the wild, but that may not be the case for long.
The flaws affect Update 4 and prior versions of Coldfusion 2018 and Update 11 and earlier versions of Coldfusion 2016. Coldfusion 2018 users should install Update 5 and Coldfusion 2016 users should install Update 12.
Adobe and Microsoft usually issues their monthly updates on Patch Tuesday, which is the second Tuesday of the month, but additional updates are issued for serious vulnerabilities, especially when vulnerabilities are being actively exploited.
Microsoft also issued an out-of-band update this week to address two critical flaws: A zero-day vulnerability in Internet Explorer – CVE-2019-1367 – which is actively being exploited in the wild and a denial-of-service flaw, CVE-2019-1255, affecting Microsoft Defender. The IE flaw could be exploited by an attacker if the current user is logged on with administrative user rights and could lead to a complete takeover of a vulnerable device. Updates to correct the two flaws were released by Microsoft on Monday.