Security Update for Adobe ColdFusion (APSB16-30)

ITS Advisory Number: 
2016-145
Date(s) Issued: 
Friday, September 2, 2016
Subject: 
Security Update for Adobe ColdFusion (APSB16-30)
Overview: 

This security update resolves a critical vulnerability in Adobe ColdFusion versions 10 and 11 that could lead to information disclosure.

Systems Affected: 
  • Adobe ColdFusion 10 update 20 and earlier
  • Adobe ColdFusion 11 update 9 and earlier

RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
Low
Description: 

Adobe has released security hotfixes for ColdFusion versions 10 and 11. These hotfixes resolve a critical vulnerability that could lead to information disclosure (CVE-2016-4264).

Successful exploitation of this vulnerability could allow an attacker to read arbitrary files or send TCP requests to intranet servers via a crafted Office Open XML (OOXML) spreadsheet containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
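As an added example that is not part of this advisory or of Adobe's code, the check below inspects an OOXML spreadsheet package (a ZIP of XML parts) for the DOCTYPE and external entity declarations that an XXE input of the kind described above relies on, so that such uploads can be rejected before a spreadsheet reader parses them. The two sample spreadsheets, the helper names and the placeholder file path are constructed for the example.

```python
import io
import re
import zipfile

# A DTD must appear in the prolog, before the root element; ENTITY declarations
# only occur inside one. Matching either is enough to reject the package.
DTD_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)

CONTENT_TYPES = (b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                 b'package/2006/content-types"/>')

# Constructed benign worksheet part.
BENIGN_SHEET = (b'<?xml version="1.0"?><worksheet xmlns="http://schemas.openxmlformats.org/'
                b'spreadsheetml/2006/main"><sheetData/></worksheet>')

# Constructed test input in the shape the advisory describes: an external entity
# declaration plus a reference to it. The SYSTEM path is a placeholder, not a real target.
XXE_SHEET = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
             b'<worksheet><sheetData>&ext;</sheetData></worksheet>')


def build_xlsx(sheet_xml: bytes) -> bytes:
    """Assemble a minimal in-memory .xlsx package around one worksheet part (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
    return buf.getvalue()


def find_dtd_parts(xlsx_bytes: bytes) -> list:
    """Return the names of XML parts in the package that carry a DOCTYPE or ENTITY declaration."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for info in zf.infolist():
            # Only XML parts and relationship files are fed to an XML parser.
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue
            if DTD_RE.search(zf.read(info)):
                flagged.append(info.filename)
    return flagged


def is_safe_spreadsheet(xlsx_bytes: bytes) -> bool:
    """Accept a package only if no part contains DTD constructs; reject on any doubt."""
    return not find_dtd_parts(xlsx_bytes)
```

A false positive on a benign file that merely mentions DOCTYPE in a comment is an acceptable cost here; the alternative of parsing with DTD processing and external entity resolution disabled is the complementary control for readers that must accept such files.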

Actions: 
  • After appropriate testing, apply applicable patch provided by Adobe to vulnerable systems.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Apply security configuration settings recommended by ColdFusion Security