Adobe is recommending that ColdFusion users apply a series of mitigations to counter active exploits against vulnerabilities in the application server. An advisory released late Friday night said the three flaws are being targeted by attackers and that the company would not have a patch available for another week.
“We are in the process of finalizing a fix for the issues and expect a hotfix for ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX will be available on January 15, 2013,” the advisory said.
Two of the vulnerabilities affect ColdFusion 10, 9.0.2, 9.0.1 and 9.0. The first, CVE-2013-0625, could enable an attacker to bypass the authentication in place and remotely control a ColdFusion server. The second, CVE-2013-0629, could allow an attacker to access restricted directories on a vulnerable server.
The third vulnerability, CVE-2013-0631, affects versions 9.0.2, 9.0.1 and 9.0 and could lead to a data leak.
“Note that CVE-2013-0625 and CVE-2013-0629 only affect ColdFusion customers who do not have password protection enabled, or have no password set,” Adobe said in its advisory.
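Since Adobe states that two of the three flaws only matter where no administrator password is set, the first thing a defender wants is a quick audit of that setting. The script below is an added example and is not from Adobe's advisory or from ColdFusion itself; it assumes the administrator credential lives in a Java-style `.properties` file with `password=` and `encrypted=` keys (an assumption about the file layout, not something the advisory states) and flags an empty password or one stored unencrypted. The two sample files are constructed for the example.

```python
"""Audit a ColdFusion-style password.properties file for an unset admin password.

Added example. The file layout (Java .properties format with `password=` and
`encrypted=` keys) is an assumption, not something taken from Adobe's advisory.
"""
import re
from typing import Dict, List

# Constructed sample: an administrator password is set and stored hashed.
SAMPLE_PROTECTED = """\
#Sat Jan 05 2013
rdspassword=
password=0123456789ABCDEF0123456789ABCDEF01234567
encrypted=true
"""

# Constructed sample: the administrator password was left empty.
SAMPLE_EMPTY = """\
rdspassword=
password=
encrypted=true
"""

# Constructed sample: a password is set but stored in clear text.
SAMPLE_CLEARTEXT = """\
password=changeme
encrypted=false
"""

_KV = re.compile(r"^\s*([^=:\s]+)\s*[=:]\s*(.*?)\s*$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value (or key:value) per line,
    lines starting with # or ! are comments. Good enough for this audit."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _KV.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def audit_admin_password(text: str) -> List[str]:
    """Return audit findings for one properties file; an empty list means
    the administrator password is set and stored encrypted."""
    props = parse_properties(text)
    findings: List[str] = []
    password = props.get("password", "")
    if not password:
        findings.append("administrator password is unset or empty")
    elif props.get("encrypted", "").lower() != "true":
        findings.append("administrator password is stored unencrypted")
    return findings


if __name__ == "__main__":
    for name, sample in (("protected", SAMPLE_PROTECTED),
                         ("empty", SAMPLE_EMPTY),
                         ("cleartext", SAMPLE_CLEARTEXT)):
        print(name, audit_admin_password(sample) or ["ok"])
```

On a real server the same function would be pointed at the installed file rather than the embedded samples; an empty `password=` line is exactly the condition the advisory singles out, and the hotfix due on January 15 does not remove the need to set one.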
All of the vulnerabilities were given Adobe’s most critical rating.