ColdFusion Security Hotfix (APSB17-30) Released
Just last week, Adobe released security updates (APSB17-30) for ColdFusion 2016 and ColdFusion 11. The update fixes two critical and one important issue. Take note that ColdFusion 10 and older are vulnerable to some, if not all, of these issues, and because those older versions are end of life, no further patches will be provided for them.
Adobe also stated that the fixes are effective only when running Java 1.8 update 121 or higher (or Java 1.7 update 131 or higher, but Java 7 is also EOL, which means you need to be running 1.8 if you use CF11 or later).
The first vulnerability, CVE-2017-11286, is categorized as Improper Restriction of XML External Entity Reference. It opens the possibility of XML External Entity (XXE) injection, which allows an attacker to access resources by feeding commands to the XML parser.
The second issue, CVE-2017-11283 and CVE-2017-11284, is described by Adobe as an “unsafe Java deserialization that could result in remote code execution”. It is still unclear whether this affects the use of the serialize() / deserialize() functions or whether the impact is broader.
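The XXE class of bug described above comes down to one parser setting: whether a document received from an untrusted source is allowed to carry a DOCTYPE (and thus entity declarations) at all. The following is an added example, not code from the original article, from Adobe or from ColdFusion, showing the defensive side in Python's standard-library expat parser: the parser is configured to abort as soon as a DOCTYPE or entity declaration appears, so a payload that declares an external entity never gets to the point of being resolved. The two XML documents are constructed samples, and the `file:///` path in the second one is a placeholder, not a real target.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DTD, which an XXE payload depends on."""


def parse_without_doctype(data: bytes) -> list:
    """Parse XML but refuse any DOCTYPE or entity declaration.

    Returns a list of (element_name, attributes) tuples in document order.
    Handlers raise UnsafeXML; expat propagates the exception out of Parse(),
    so parsing stops before any entity could be expanded or fetched.
    """
    parser = expat.ParserCreate()
    elements = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} rejected: DTDs are not accepted from untrusted input")

    def reject_entity_decl(*_args):
        raise UnsafeXML("entity declaration rejected")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.StartElementHandler = lambda name, attrs: elements.append((name, dict(attrs)))
    parser.Parse(data, True)
    return elements


def accepts_untrusted_xml(data: bytes) -> bool:
    """Convenience check: True if the document parses under the hardened settings."""
    try:
        parse_without_doctype(data)
    except (UnsafeXML, expat.ExpatError):
        return False
    return True


# Constructed sample: a plain document with no DTD, as a normal client would send.
BENIGN = b'<?xml version="1.0"?><order id="42"><item sku="A1"/></order>'

# Constructed sample: the shape of an XXE attempt. The SYSTEM identifier is a
# placeholder path; the parser above rejects the document at the DOCTYPE itself.
XXE_SAMPLE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/not/a/real/path">]>'
    b"<order>&ext;</order>"
)

if __name__ == "__main__":
    print(parse_without_doctype(BENIGN))
    print("benign accepted:", accepts_untrusted_xml(BENIGN))
    print("xxe sample accepted:", accepts_untrusted_xml(XXE_SAMPLE))
```

The same idea applies on the JVM that ColdFusion runs on: Java's `DocumentBuilderFactory` exposes the Xerces feature `http://apache.org/xml/features/disallow-doctype-decl`, and setting it to true makes the parser throw on any DOCTYPE, which is the standard hardening for XML taken from untrusted clients. Whether a given ColdFusion build applies that setting internally is exactly what the APSB17-30 update is about, so the application-level check shown here is a defence-in-depth measure, not a substitute for the patch.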
This article was originally published on the TeraTech website. For more info and to listen to the ColdFusion Alive Podcast please visit this link
About me
My name is Michael Smith and I love solving business problems and creating high-quality custom software so I founded TeraTech.
I have worked extensively with ColdFusion, SQL and Visual Basic. I have been programming and doing project management for over 35 years. I have both a bachelor's and a master's degree in math from Cambridge and graduated in the top 10% of my year.
I also teach Kundalini yoga and energy healing. I love helping people grow and transform. Practicing yoga has helped me succeed in IT because it keeps me calm in the middle of high-pressure projects!