#VU6375 Java deserialization in ColdFusion - CVE-2017-3066

Cybersecurity Help s.r.o.

Published: 2017-04-25 | Updated: 2025-02-24

Vulnerability identifier: #VU6375

Vulnerability risk: High

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2017-3066

CWE-ID: CWE-502

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
ColdFusion
Server applications / Application servers

Vendor: Adobe

Description

The disclosed vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to insufficient sanitization of user-supplied data within Apache BlazeDS. A remote attacker can execute arbitrary Java code on the vulnerable system.

Mitigation
Install updates from vendor's website:
ColdFusion 10 Update 23
ColdFusion 11 Update 12
ColdFusion (2016 release) Update 4

Vulnerable software versions

ColdFusion: 10 Update 1 - 10.0, 11 Update 1 - 11, 2016 Update 1 - 2016

External links
https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

Latest bulletins with this vulnerability

Two vulnerabilities in Adobe ColdFusion