Critical Adobe ColdFusion Updates Released for 2021 (Update 6)/2018 (Update 16)

Keeping your ColdFusion server updated is critical in ensuring that your website is secure and running smoothly. Adobe regularly releases updates for ColdFusion, and it is important to keep up with these updates to keep your server secure. Today, I wanted to discuss the latest ColdFusion updates and the importance of critical security updates.

Now, let’s talk about the latest updates for ColdFusion and the vulnerabilities being addressed. The latest updates address several critical vulnerabilities that could lead to arbitrary code execution and memory leaks. The vulnerabilities are categorized as follows:

1. Deserialization of Untrusted Data (CWE-502): This vulnerability allows an attacker to execute arbitrary code on the server. The severity of this vulnerability is critical, with a CVSS base score of 9.8. The CVE number associated with this vulnerability is CVE-2023-26359. Learn more about this vulnerability.
2. Improper Access Control (CWE-284): This vulnerability also allows an attacker to execute arbitrary code on the server. The severity of this vulnerability is critical, with a CVSS base score of 8.6. The CVE number associated with this vulnerability is CVE-2023-26360. Learn more about this vulnerability.
3. Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) (CWE-22): This vulnerability causes a memory leak which can lead to ColdFusion OutOfMemory errors. Although the severity of this vulnerability is not as high as the others, it is still important to address it at your earliest convenience. The severity of this vulnerability is important, with a CVSS base score of 4.9. The CVE number associated with this vulnerability is CVE-2023-26361. Learn more about this vulnerability.

Adobe also recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 11. It is important to note that applying the ColdFusion update without a corresponding JDK update will not secure the server. So, it’s crucial to apply both updates to make sure your server is secure.

In addition to the Security Vulnerabilities being addressed in the latest updates, Adobe has disabled the ColdFusion cfclient tag by default. If your application does not utilize the cfclient tag, then no further action is required on your side. If your application incorporates the usage of the cfclient tag, then you will need to explicitly enable it within your server’s ColdFusion JVM configuration file. The flag for enabling cfclient again can be found below:

-Dcoldfusion.cfclient.enable=true/false

This flag will enable cfclient on your ColdFusion server again but the default behavior will only allow ColdFusion components (*.cfc) to be read. In order to allow other files to be read by cfclient, you can set the following JVM flag:

-Dcoldfusion.cfclient.allowNonCfc=true/false

xByte Hosting has outlined how users can update their ColdFusion Server to the latest available hotfix in their article “How to Apply ColdFusion Updates/Hotfixes” that you can refer to when applying the latest available updates.

Applying the latest security updates to your server is critical and should be treated as a high priority. Adobe has acknowledged that there are instances of these vulnerabilities being exploited in the wild already. The nature of the vulnerabilities outlined above could allow an attacker to execute arbitrary code on your ColdFusion server leading to the exposure of sensitive data or the complete takeover of your server or servers by an attacker. Therefore, it is important to apply these updates at your earliest convenience to ensure the security of your ColdFusion server.

If you have any questions or concerns related to the latest ColdFusion update or how to apply the latest ColdFusion update, please don’t hesitate to reach out to our ColdFusion experts.

Don’t wait, update your ColdFusion server today!