A Vulnerability in Adobe ColdFusion Could Allow for Arbitrary Code Execution
by CIRT Team
DESCRIPTION:
A vulnerability has been discovered in Adobe ColdFusion, which could
allow for arbitrary code execution. Adobe ColdFusion is a web
application development platform. Successful exploitation of this
vulnerability could result in an attacker executing arbitrary code in
the context of the affected application. Depending on the privileges
associated with the application, an attacker could then install
programs; view, change, or delete data; or create new accounts with full
user rights. Applications that are configured to have fewer user rights
on the system could be less impacted than those that operate with
administrative user rights.
IMPACT:
A vulnerability has been discovered in Adobe ColdFusion, which could
allow for arbitrary code execution. This vulnerability occurs due to
improper input validation. Successful exploitation of this vulnerability
could result in an attacker executing arbitrary code in the context of
the affected application. Depending on the privileges associated with
the application, an attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights.
Applications that are configured to have fewer user rights on the system
could be less impacted than those that operate with administrative user
rights.
SYSTEM AFFECTED:
* ColdFusion 2021 (Version 2021.0.0.323925)
* ColdFusion 2018 (Update 10 and earlier)
* ColdFusion 2016 (Update 16 and earlier)
RECOMMENDATIONS:
We recommend the following actions be taken:
* Install the updates provided by Adobe immediately after appropriate
testing.
* Run all software as a non-privileged user (one without administrative
privileges) to diminish the effects of a successful attack.
* Remind users not to visit un-trusted websites or follow links provided
by unknown or un-trusted sources.
* Inform and educate users regarding the threats posed by hypertext
links contained in emails or attachments especially from un-trusted sources.
* Apply the Principle of Least Privilege to all systems and services.
REFERENCES:
https://helpx.adobe.com/security/products/coldfusion/apsb21-16.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21087
Recommended Posts
Active Exploitation of Critical F5 BIG – IP Vulnerability (CVE–2023-46747) Uncovered in Bangladesh
06 Nov 2024 - Security Advisories & Alerts