Security Update: Hotfix Available for ColdFusion

ITS Advisory Number: 2015-141
Date(s) Issued: Friday, November 20, 2015
Subject: Security Update: Hotfix Available for ColdFusion
Overview: 

Adobe has released a security hotfix for ColdFusion versions 10 and 11 that addresses cross-site scripting vulnerabilities as well as a server-side request forgery vulnerability. Adobe ColdFusion is a widely deployed web application platform used for the development of rich internet applications. Successful exploitation could result in an attacker gaining access to sensitive information.

Systems Affected: 
  • Adobe ColdFusion 11

  • Adobe ColdFusion 10

RISK
  Government:
    • Large and medium government entities: High
    • Small government entities: High
  Business:
    • Large and medium business entities: High
    • Small business entities: High
  Home Users: High (if running a ColdFusion server at home)
Description: 

This hotfix resolves two input validation issues (CVE-2015-8052 and CVE-2015-8053) that could be used in reflected cross-site scripting attacks. The update also includes a fix for BlazeDS that resolves a server-side request forgery vulnerability (CVE-2015-5255). Successful exploitation could result in an attacker gaining access to sensitive information.
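The two vulnerability classes named above come down to untrusted input reaching a sensitive sink: a request parameter echoed into HTML (reflected XSS), or a caller-supplied URL fetched by the server (SSRF). The following Python example is added here to illustrate the defensive patterns behind the fixes; it is not Adobe's code and does not reproduce the ColdFusion or BlazeDS issues themselves. It places the vulnerable reflection pattern beside its encoded form (the equivalent in CFML is encodeForHTML()) and shows a destination allowlist for server-side fetches. The allowlist host and the sample query strings are constructed for the example.

```python
"""Added example (not Adobe's code): output encoding against reflected XSS and a
destination allowlist against SSRF, the two classes the advisory describes."""
import html
from urllib.parse import parse_qs, urlsplit


def reflect_unsafe(query_string: str) -> str:
    """Vulnerable pattern: a request parameter is echoed straight into HTML,
    so any markup the caller supplies is rendered by the browser."""
    name = parse_qs(query_string).get("name", [""])[0]
    return f"<p>Hello, {name}</p>"


def reflect_encoded(query_string: str) -> str:
    """Hardened pattern: HTML-encode the parameter at the point of output.
    html.escape() plays the role of ColdFusion's encodeForHTML() here."""
    name = parse_qs(query_string).get("name", [""])[0]
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# Constructed allowlist of hosts the server is permitted to fetch from.
# An explicit allowlist is stricter than denying private ranges, because it
# also blocks redirects to arbitrary external hosts.
ALLOWED_HOSTS = {"data.example.internal"}


def is_allowed_target(url: str) -> bool:
    """Return True only if a server-side fetch to `url` is permitted.

    Rejects non-HTTP schemes (file:, gopher:, ...), embedded credentials
    (which can disguise the real host), hosts outside the allowlist, and
    non-standard ports (which would otherwise expose internal services)."""
    try:
        parts = urlsplit(url)
        host = parts.hostname      # lower-cased, userinfo stripped
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username or parts.password:
        return False
    if host is None or host not in ALLOWED_HOSTS:
        return False
    if port not in (None, 80, 443):
        return False
    return True


if __name__ == "__main__":
    probe = "name=<b>x</b>"                      # constructed input
    print(reflect_unsafe(probe))                # markup is rendered
    print(reflect_encoded(probe))               # markup is neutralised
    for u in ("https://data.example.internal/report",
              "http://127.0.0.1:8500/",
              "file:///etc/hosts",
              "https://data.example.internal@attacker.example/"):
        print(u, "->", "allowed" if is_allowed_target(u) else "blocked")
```

The encoding check is cheap to verify in a code review: every place a request value is written into a response should pass through an encoder for that output context. The allowlist check is the control to look for wherever a component (a proxy endpoint, a remoting gateway such as BlazeDS, a URL-preview feature) makes outbound requests on the caller's behalf.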

Actions: 
  • Install the updates provided by Adobe immediately after appropriate testing

  • Refer to the ColdFusion 11 Lockdown Guide and the ColdFusion 10 Lockdown Guide for security best practices and further information on hardening ColdFusion installations