Adobe Issues Out-of-Band Security Bulletin for Critical ColdFusion Vulnerability (CVE-2019-7816)
Adobe Security Bulletin APSB19-14 addresses a file upload restriction bypass vulnerability that has been exploited in the wild.
Background
On March 1, Adobe published APSB19-14, an out-of-band security bulletin to address a critical vulnerability in Adobe ColdFusion. Affected versions include ColdFusion 2018 Update 2 and earlier, ColdFusion 2016 Update 9 and earlier, and ColdFusion 11 Update 17 and earlier.
Analysis
This security bulletin addresses CVE-2019-7816, a file upload restriction bypass vulnerability. Exploitation of this vulnerability could allow an attacker to gain arbitrary code execution “in the context of the running ColdFusion service.” According to Adobe, they are aware of a report that this vulnerability has been exploited in the wild.
In order to exploit the vulnerability, an attacker would need to be able to upload a malicious file to a directory that is publicly accessible and then execute that file remotely.
Solution
Adobe has released security the following updates for Cold Fusion 2018, 2016 and 11 to address this vulnerability:
Tenable recommends users to upgrade to these versions of ColdFusion as soon as possible.
Additionally, users are advised to modify settings to prevent users from making HTTP requests to directories that contain uploaded files.
Identifying affected systems
A list of Nessus plugins to identify this vulnerability will appear here as they’re released.
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 60-day trial of Tenable.io Vulnerability Management.
Related Articles
Detecting Risky Third-party Drivers on Windows Assets
August 7, 2024Kernel-mode drivers are critical yet risky components of the Windows operating system. Learn about their functionality, the dangers they pose, and how Tenable's new plugins can help identify and mitigate vulnerabilities using community-driven resources like LOLDrivers.
Never Trust User Inputs -- And AI Isn't an Exception: A Security-First Approach
August 6, 2024As AI transforms industries, security remains critical. Discover the importance of a security-first approach in AI development, the risks of open-source tools, and how Tenable's solutions can help protect your systems.
EPSS Shows Strong Performance in Predicting Exploits, Says Study from Cyentia and FIRST
July 30, 2024Tenable sponsored research from Cyentia and FIRST, which finds that while vulnerability exploitation is highly variable, EPSS is getting stronger in its ability to predict exploitation.
CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
August 14, 2024Ivanti released a patch for a critical severity authentication bypass vulnerability and a warning that exploit code is publicly available
Microsoft’s August 2024 Patch Tuesday Addresses 88 CVEs
August 13, 2024Microsoft addresses 88 CVEs with seven critical vulnerabilities and 10 zero-day vulnerabilities, six of which were exploited in the wild.
Compromising Microsoft's AI Healthcare Chatbot Service
August 13, 2024Tenable Research discovered multiple privilege-escalation issues in the Azure Health Bot Service via a server-side request forgery (SSRF), which allowed researchers access to cross-tenant resources.
- Threat Intelligence
- Threat Management
- Vulnerability Management
- Vulnerability Scanning