In an unscheduled security update, Adobe is warning of a critical security flaw in its ColdFusion platform, used for building web applications.
Attackers can use the critical Adobe Cold Fusion defect to launch arbitrary code execution attacks.
The security alert comes 2 weeks after Adobe’s regularly scheduled updates. During these updates, the tech company issued patches for a slew of critical security vulnerabilities, which, if exploited, could allow for arbitrary code execution on vulnerable Windows systems.
Arbitrary Code Execution
The latest flaw (CVE-2021-21087) exists in Cold Fusion versions 2016 (Update 16 and earlier), 2018 (Update 10 & earlier) & 2021 (Version 2021.0.0.323925) & could lead to arbitrary code execution.
“Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates,” according to Adobe on Mon.
The vulnerability stems from improper input validation, which is a type of issue (previously plaguing other Adobe products) that occurs when the affected product does not validate input.
This can affect the control flow or data flow of a program & allow for an attacker to launch a slew of malicious attacks. Further information on the flaw – including where in Cold Fusion it exists, & how difficult it is to exploit, were not addressed.
The flaw has been corrected in the following versions of Cold Fusion: Cold Fusion 2016 (update 17), Cold Fusion 2018 (update 11) & Cold Fusion 2021 (update 1).
Adobe explained that the security update is a “priority 2,” meaning that it resolves vulnerabilities “in a product that has historically been at elevated risk” – but for which there are currently no known exploits.
“Based on previous experience, we do not anticipate exploits are imminent,” for “priority 2” updates, stated Adobe. However, “as a best practice, Adobe recommends administrators install the update soon (i.e., within 30 days).”
Adobe has credited Josh Lane with discovering & reporting the flaw.
Web & Mobile Applications
Cold Fusion, a web-programming language providing a platform for building & deploying web & mobile applications, has previously had various security flaws.
In April, Adobe released patches for “important”-severity vulnerabilities in Cold Fusion, which if exploited, could enable attackers to view sensitive data, gain escalated privileges, & launch denial-of-service attacks.
In 2019, Adobe issued unscheduled security updates to fix 2 critical flaws in its Cold Fusion product. The critical vulnerabilities could have allowed an attacker to either execute arbitrary code, or bypass access control on impacted systems.