Adobe Issues Out-of-Band Patch for Critical ColdFusion Vulnerability

A patch has been issued to correct a critical vulnerability – CVE-2021-21087 – in Adobe ColdFusion that could be exploited by a remote attacker to execute arbitrary code on a vulnerable system. The Adobe ColdFusion platform is used for building web applications and several versions of the platform are affected by the vulnerability.

Vulnerable Adobe ColdFusion Versions:

  • Version 2016 – Update 16 and earlier
  • Version 2018 – Update 10 and earlier
  • Version 2021 – 2021.0.0.323925

There are currently no known cases of the vulnerability being exploited in the wild, but prompt patching is advised. The flaw has been given a priority rating of 2, which means the product has historically been at elevated risk. Adobe does not believe exploitation is imminent but recommends that the update is installed soon – within 30 days.

It is worth noting that ColdFusion servers have been targeted by China-based hackers in the past, for instance, the CVE-2018-15961 flaw was targeted two months after a patch was released and the CVE-2018-4939 flaw in ColdFusion 14 was listed in the NSA’s list of the 25 most targeted vulnerabilities in 2020.  The flaw was considered to be sufficiently severe to warrant an out-of-band update, rather than wait three weeks for the regular Patch Tuesday release.

The flaw is an improper input vulnerability due to ColdFusion not properly validating input, although Adobe has not disclosed any specifics about the flaw, how the flaw could be exploited, or how easy or difficult the flaw is to exploit.

The following versions of Adobe ColdFusion have had the flaw corrected:

  • ColdFusion 2016 – Update 17
  • ColdFusion 2018 – Update 11
  • ColdFusion 2021 – Update 1

It is important to update your ColdFusion JDK/JRE to the latest version of the LTS releases for 1.8 and JDK 11, as applying the ColdFusion update without a corresponding JDK update will NOT secure the server.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news