Adobe has released an emergency out-of-band update for its ColdFusion development platform to patch a zero-day vulnerability that was being exploited in the wild.
Adobe describes the vulnerability as a “file upload restriction bypass” and rates it critical. The attack involves uploading executable code to a web-accessible directory and then executing that code via an HTTP request. According to Adobe, restricting requests to the directories where uploaded files are stored will mitigate this attack.
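The two-step pattern Adobe describes (a file lands in a web-accessible upload directory, then an HTTP request executes it) leaves a recognisable trace in ordinary web server access logs. The script below is an added example written for this article, not Adobe's code and not tied to any specific exploit; it scans Common Log Format lines for requests that fetch a server-side script (.cfm, .cfc, .jsp and so on) from inside an upload directory, normalising the path first so that case changes, percent-encoding and `..` segments do not hide the hit. The upload directory names, the upload handler path and the log lines are constructed for the example and should be replaced with the deployment's own.

```python
"""Flag the upload-then-execute pattern in web server access logs.

Added example, not Adobe's code. The log format (Common Log Format), the
upload directories and the sample requests are assumptions for illustration.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Extensions ColdFusion (and a co-hosted JSP engine) will execute server-side.
EXECUTABLE_EXTS = (".cfm", ".cfml", ".cfc", ".jsp", ".jspx")
# Hypothetical directories that hold user-uploaded files; adapt to your app.
UPLOAD_DIRS = ("/uploads/", "/userfiles/")

# Common Log Format: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample log (not real traffic). Line 3 is the execution step after
# an upload; line 4 uses '..' to escape the upload dir and must not match; line
# 5 shows a server that already restricts the upload dir answering 403.
SAMPLE_LOG = """
203.0.113.5 - - [01/Mar/2019:10:00:01 +0000] "POST /app/upload.cfm HTTP/1.1" 200 512
203.0.113.5 - - [01/Mar/2019:10:00:04 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 1024
203.0.113.5 - - [01/Mar/2019:10:00:09 +0000] "GET /uploads/cmd.cfm?c=whoami HTTP/1.1" 200 77
198.51.100.9 - - [01/Mar/2019:10:01:00 +0000] "GET /uploads/%2e%2e/index.cfm HTTP/1.1" 200 3000
198.51.100.9 - - [01/Mar/2019:10:02:00 +0000] "GET /UPLOADS/shell.CFM HTTP/1.1" 403 0
192.0.2.7 - - [01/Mar/2019:10:03:00 +0000] "GET /index.cfm HTTP/1.1" 200 3000
""".strip()


def normalize_path(target):
    """Drop the query string, percent-decode (twice, to undo double encoding),
    lowercase and collapse '..' so '/UPLOADS/%2e%2e/x.cfm' becomes '/x.cfm'."""
    path = unquote(unquote(urlsplit(target).path))
    path = posixpath.normpath(path.lower())
    if not path.startswith("/"):
        path = "/" + path.lstrip("./")
    return path


def in_upload_dir(path):
    return any(path.startswith(d) for d in UPLOAD_DIRS)


def is_executable(path):
    # Check every segment so '/uploads/x.cfm/extra' is caught as well.
    return any(seg.endswith(EXECUTABLE_EXTS) for seg in path.split("/"))


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = normalize_path(rec["target"])
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious(lines):
    """One finding per request for a server-side script inside an upload
    directory. 'blocked' is True when the server refused it (403/404), which
    is what Adobe's directory restriction should produce; 'preceded_by_post'
    is True when the same client sent a POST earlier in the log."""
    posted = set()
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if in_upload_dir(rec["path"]) and is_executable(rec["path"]):
            findings.append({
                "ip": rec["ip"],
                "path": rec["path"],
                "status": rec["status"],
                "blocked": rec["status"] in (403, 404),
                "preceded_by_post": rec["ip"] in posted,
            })
        if rec["method"] == "POST":
            posted.add(rec["ip"])
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f)
```

Run against the constructed log it reports two requests: the successful execution of `/uploads/cmd.cfm` by a client that had POSTed moments earlier, and the blocked attempt on `/uploads/shell.cfm`. The `..` request is deliberately not reported, because after normalisation it resolves outside the upload directory; a real deployment should also feed the same normalised path into the directory restriction itself, otherwise the mitigation and the detection disagree about what "inside the upload directory" means.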
The zero-day, tracked as CVE-2019-7816, affects the three versions of ColdFusion that Adobe still maintains: ColdFusion 11, 2016, and 2018.
Adobe has released ColdFusion 11 Update 18, ColdFusion 2016 Update 10, and ColdFusion 2018 Update 3 to patch the bug. All earlier versions are vulnerable to this attack.
Adobe's regular patch day this month falls on March 12, the same day as Microsoft's Patch Tuesday.
Credit for finding the zero-day goes to five parties: Charlie Arehart, Moshe Ruzin, Josh Ford, Jason Solarek, and the Bridge Catalog Team. They are not the kind of security researchers who normally discover and report active zero-day exploitation, but ColdFusion developers and support specialists.
In November 2018, a Chinese nation-state cyber-espionage group exploited a similar ColdFusion file upload vulnerability to take over servers that had not applied Adobe's September 2018 security updates.
However, Adobe has not disclosed how this zero-day was exploited in the wild.