#VU6375 Java deserialization in ColdFusion
Vulnerability identifier: #VU6375
Vulnerability risk: High
CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-502
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
ColdFusion
Server applications /
Application servers
Vendor: Adobe
Description
The disclosed vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient sanitization of user-supplied data within Apache BlazeDS. A remote attacker can execute arbitrary Java code on the vulnerable system.
Mitigation
Install updates from vendor's website:
ColdFusion 10 Update 23
ColdFusion 11 Update 12
ColdFusion (2016 release)
Update 4
Vulnerable software versions
ColdFusion: 10 Update 1 - 10.0, 11 - 11 Update 11, 2016 - 2016 Update 3
External links
http://helpx.adobe.com/security/products/coldfusion/apsb17-14.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
