The Hacker News THN:8D8EF435423F6DB5E15E2AD0946F5F48
Sep 11, 2018 - 5:25 p.m.

Adobe Issues ColdFusion Software Update for 6 Critical Vulnerabilities

2018-09-11 17:25:00
The Hacker News
thehackernews.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.974 High
Percentile: 99.9%


Adobe has released its September 2018 security patch updates for a total of 10 vulnerabilities in Flash Player and ColdFusion. Six of them, all affecting ColdFusion, are rated critical and could allow attackers to remotely execute arbitrary code on a vulnerable server.

What’s the good news this month for Adobe users?

This month Adobe Acrobat and Reader applications did not receive any patch update, while Adobe Flash Player has received an update for just a single privilege escalation vulnerability (CVE-2018-15967) rated as important.

Secondly, Adobe said that none of the security vulnerabilities patched this month had been publicly disclosed or found to be actively exploited in the wild.

Total 9 Security Patches for Adobe ColdFusion

Adobe has addressed a total of nine security vulnerabilities in its ColdFusion web application development platform, six of which are critical, two important and one moderate.

According to the advisory released by Adobe, ColdFusion contained four critical deserialization of untrusted data vulnerabilities (CVE-2018-15965, CVE-2018-15957, CVE-2018-15958, CVE-2018-15959) that could result in arbitrary code execution.

Of the remaining two critical vulnerabilities addressed in ColdFusion, one is an unrestricted file upload flaw (CVE-2018-15961) that could lead to arbitrary code execution, and the other (CVE-2018-15960) could enable arbitrary file overwrite.

The company has also released patches for two “important” security vulnerabilities in ColdFusion: a security bypass glitch (CVE-2018-15963) that allows arbitrary folder creation, and a directory listing flaw (CVE-2018-15962) that could enable information disclosure. It also patched a moderate information disclosure bug (CVE-2018-15964).

The vulnerabilities impact ColdFusion 2016 (Update 6 and earlier versions) and the July 12 (2018) release of ColdFusion, along with ColdFusion 11 (Update 14 and earlier versions).

Adobe recommends that end users and administrators update their installations to ColdFusion 2018 Update 1, ColdFusion 2016 Update 7, and ColdFusion 11 Update 15.

Adobe Also Patches An Important Flaw In Flash Player

Besides ColdFusion, Adobe also released a security update for Flash Player for Windows, macOS, Linux, and Chrome OS, addressing an “important” flaw affecting versions 30.0.0.154 and earlier for Google Chrome, Desktop Runtime, Microsoft Edge and Internet Explorer 11.

The issue is a privilege escalation vulnerability (CVE-2018-15967) that could lead to information disclosure. The company recommends that Flash Player users update to version 31.0.0.208 as soon as possible.
