{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2019-006.pdf"
    },
    "title": "Adobe ColdFusion Critical Arbitrary Code Execution",
    "serial_number": "2019-006",
    "publish_date": "11-03-2019 09:24:00",
    "description": "A critical vulnerability (CVE-2019-7816) in the web application development platform Adobe ColdFusion has been recently patched. The vulnerability allows attackers to execute arbitrary code bypassing a file upload restriction. Adobe released a Security Bulletin that provides related information on the available patching of the affected versions.",
    "url_title": "2019-006",
    "content_markdown": "---\ntitle: 'Adobe ColdFusion Critical\u00a0Arbitrary\u00a0Code\u00a0Execution'\nversion: '1.0'\nnumber: '2019-006'\ndate: 'March 7, 2019'\n---\n\n_History:_\n\n* _7/03/2019 --- v1.0 -- Initial publication_\n\n# Summary\n\nA critical vulnerability (CVE-2019-7816) [1, 2] in the web application development platform Adobe ColdFusion has been recently patched. The vulnerability allows attackers to execute arbitrary code bypassing a file upload restriction. Adobe released a Security Bulletin [3] that provides related information on the available patching of the affected versions.\n\n# Technical Details\n\nThe flaw allows a perpetrator to bypass file upload restrictions on the vulnerable server. A well-known attack method can be implemented by uploading malicious code to a web-accessible directory and then execute it on the targeted server.\n\nThe solution is to protect/filter file uploading and restrict permissions on executing code on the server [4]. Update of the ColdFusion installations is mandatory and of high priority according to Adobe [3].\n\n# Products Affected\n\nThe vulnerability affects ColdFusion 2018 update 2 and earlier, ColdFusion 2016 update 9 and earlier, as well as ColdFusion 11 update 17 and earlier versions.\n\n# Recommendations\n\nIt is highly recommended to update ColdFusion 2018 to update 3, ColdFusion 2016 to update 10 and ColdFusion 11 to update 18.  \n\n# References\n\n[1] <https://threatpost.com/adobe-patches-critical-coldfusion-vulnerability-with-active-exploit/142391/>\n\n[2] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7816>\n\n[3] <https://helpx.adobe.com/security/products/coldfusion/apsb19-14.html>\n\n[4] <https://www.carehart.org/blog/client/index.cfm/2019/3/1/urgent_CF_security_update_Part_1>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>7/03/2019 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>A critical vulnerability (CVE-2019-7816) [1, 2] in the web application development platform Adobe ColdFusion has been recently patched. The vulnerability allows attackers to execute arbitrary code bypassing a file upload restriction. Adobe released a Security Bulletin [3] that provides related information on the available patching of the affected versions.</p><h2 id=\"technical-details\">Technical Details</h2><p>The flaw allows a perpetrator to bypass file upload restrictions on the vulnerable server. A well-known attack method can be implemented by uploading malicious code to a web-accessible directory and then execute it on the targeted server.</p><p>The solution is to protect/filter file uploading and restrict permissions on executing code on the server [4]. Update of the ColdFusion installations is mandatory and of high priority according to Adobe [3].</p><h2 id=\"products-affected\">Products Affected</h2><p>The vulnerability affects ColdFusion 2018 update 2 and earlier, ColdFusion 2016 update 9 and earlier, as well as ColdFusion 11 update 17 and earlier versions.</p><h2 id=\"recommendations\">Recommendations</h2><p>It is highly recommended to update ColdFusion 2018 to update 3, ColdFusion 2016 to update 10 and ColdFusion 11 to update 18. </p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://threatpost.com/adobe-patches-critical-coldfusion-vulnerability-with-active-exploit/142391/\">https://threatpost.com/adobe-patches-critical-coldfusion-vulnerability-with-active-exploit/142391/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7816\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7816</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://helpx.adobe.com/security/products/coldfusion/apsb19-14.html\">https://helpx.adobe.com/security/products/coldfusion/apsb19-14.html</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.carehart.org/blog/client/index.cfm/2019/3/1/urgent_CF_security_update_Part_1\">https://www.carehart.org/blog/client/index.cfm/2019/3/1/urgent_CF_security_update_Part_1</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}