Adobe ColdFusion arbitrary command execution flaws vulnerability 0day(CVE–2017–11283, CVE–2017–11284)early warning-vulnerability warning-the black bar safety net

2017-10-19T00:00:00
ID MYHACK58:62201789628
Type myhack58
Reporter 佚名
Modified 2017-10-19T00:00:00

Description

Adobe ColdFusion in 2017 9 November 12 released a network security update in refer to the previous version, there is a serious deserialization flaws vulnerability bug(CVE-2017-11283, CVE-2017-11284, and may incur long-distance code to fulfill. When applying the Flex integration-do on Remote Adobe LiveCycle Data Management access can be a case were the flaws vulnerability bug impact, the application of the effect will open the RMI-do, the listening port is 1099's. ColdFusion comes with the Java version is too low, not in the deserialization of the previous RMI begging the tools in the examples to stop the inspection. 360CERT Britain at the end elucidating the verification, confirm the flaws vulnerability bug exact, coherent user as soon as possible to stop the update disposal. 0x01 impact version 1. ColdFusion (2016 release) Update 4 and previous versions 2. ColdFusion 11 Update 12 and earlier versions 0x02 flaws vulnerability bug application verification To RMI-do transmission structure good payload to make a brief long distance code to perform validation. ! 0x03 repair plan 1. On the governance page closed Remote Adobe LiveCycle Data Management access 2. Into has latest patch ColdFusion (2016 release) Update 5, ColdFusion 11 Update 13