Adobe Patches Four ColdFusion Flaws Exploited in Wild

Adobe delivered a security hotfix for its ColdFusion application server today, repairing a host of vulnerabilities being exploited in the wild.

The company had recommended a series of mitigations in a Jan. 7 advisory as a stopgap until today’s hotfix was released.

Two of the vulnerabilities affect ColdFusion 10, 9.0.2, 9.0.1 and 9.0, while the other two do not impact version 10; the hotfix is for Windows, Mac OS X and UNIX.

“This hotfix addresses vulnerabilities that could permit an unauthorized user to remotely circumvent authentication controls, potentially allowing the attacker to take control of the affected server,” Adobe said in its advisory.

The hotfix repairs two authentication bypass vulnerabilities (CVE 2013-0625 and CVE-201-0632), a directory traversal (CVE-2013-0629) and a data leakage vulnerability (CVE-2013-0631)

“Note that CVE-2013-0625 and CVE-2013-0629 only affect ColdFusion customers who do not have password protection enabled, or have no password set,” Adobe said in its advisory. All of the vulnerabilities were given Adobe’s most critical rating.

Adobe, meanwhile, had recommended a series of mitigations that included building credentials for Remote Development Services that are different from those used for the administrator account, and then disabling RDS. Also, users were asked to deny access from outside to directories: /CFIDE/administrator; /CFIDE/adminapi; and /CFIDE/componentutils.

Adobe also recommended any unknown or unnecessary ColdFusion components or templates should be removed from the CFIDE or webroot directories.