Adobe Issues Out-of-Band Security Bulletin for Critical ColdFusion Vulnerability (CVE-2019-7816)
Adobe Security Bulletin APSB19-14 addresses a file upload restriction bypass vulnerability that has been exploited in the wild.
Background
On March 1, Adobe published APSB19-14, an out-of-band security bulletin to address a critical vulnerability in Adobe ColdFusion. Affected versions include ColdFusion 2018 Update 2 and earlier, ColdFusion 2016 Update 9 and earlier, and ColdFusion 11 Update 17 and earlier.
Analysis
This security bulletin addresses CVE-2019-7816, a file upload restriction bypass vulnerability. Exploitation of this vulnerability could allow an attacker to gain arbitrary code execution “in the context of the running ColdFusion service.” According to Adobe, they are aware of a report that this vulnerability has been exploited in the wild.
In order to exploit the vulnerability, an attacker would need to be able to upload a malicious file to a directory that is publicly accessible and then execute that file remotely.
Solution
Adobe has released security the following updates for Cold Fusion 2018, 2016 and 11 to address this vulnerability:
Tenable recommends users to upgrade to these versions of ColdFusion as soon as possible.
Additionally, users are advised to modify settings to prevent users from making HTTP requests to directories that contain uploaded files.
Identifying affected systems
A list of Nessus plugins to identify this vulnerability will appear here as they’re released.
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 60-day trial of Tenable.io Vulnerability Management.
Related Articles
Volt Typhoon: What State and Local Government Officials Need to Know
November 19, 2024Increased activity from the state-sponsored threat group Volt Typhoon raises concerns about the cybersecurity of U.S. critical infrastructure. Here’s how you can identify potential exposures and attack paths.
Cybersecurity Snapshot: Guide Unpacks Event-Logging Best Practices, as FAA Proposes Stronger Cyber Rules for Airplanes
August 23, 2024Looking to sharpen your team’s event logging and threat detection? A new guide offers plenty of best practices. Plus, the FAA wants airplanes to be more resilient to cyberattacks. Meanwhile, check out the critical vulnerabilities Tenable discovered in two Microsoft AI products. And get the latest on ransomware trends, vulnerability management practices and election security!
Detecting Risky Third-party Drivers on Windows Assets
August 7, 2024Kernel-mode drivers are critical yet risky components of the Windows operating system. Learn about their functionality, the dangers they pose, and how Tenable's new plugins can help identify and mitigate vulnerabilities using community-driven resources like LOLDrivers.
Walking the Walk: How Tenable Embraces Its "Secure by Design" Pledge to CISA
November 25, 2024As a cybersecurity leader, Tenable was proud to be one of the original signatories of CISA’s “Secure by Design" pledge” earlier this year. Our embrace of this pledge underscores our commitment to security-first principles and reaffirms our dedication to shipping robust, secure products that our users can trust. Read on to learn how we’re standing behind our pledge.
Cybersecurity Snapshot: Prompt Injection and Data Disclosure Top OWASP’s List of Cyber Risks for GenAI LLM Apps
November 22, 2024Don’t miss OWASP’s update to its “Top 10 Risks for LLMs” list. Plus, the ranking of the most harmful software weaknesses is out. Meanwhile, critical infrastructure orgs have a new framework for using AI securely. And get the latest on the BianLian ransomware gang and on the challenges of protecting water and transportation systems against cyberattacks.
Active Directory Under Attack: Five Eyes Guidance Targets Crucial Security Gaps
November 21, 2024A landmark global report from cybersecurity agencies emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the first of our two-part series, we offer five steps you can take today to shore up your AD defenses.
- Threat Intelligence
- Threat Management
- Vulnerability Management
- Vulnerability Scanning