09 May 2013

ColdFusion Bug Allows Full Access to Servers; No Patch Yet

A critical vulnerability in ColdFusion server software versions 10 and below has been identified in production environments. This flaw, tracked as CVE-2013-3336, allows an attacker to remotely access files on the vulnerable server.

“There are reports that an exploit for this vulnerability is publicly available. ColdFusion customers who have restricted public access to the CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted directories (as outlined in the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide) are already mitigated against this issue,” reads the advisory by Adobe.
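As an added illustration of the mitigation Adobe describes (not taken from the advisory or the Lockdown Guides), this is one way to restrict public access to the three CFIDE directories when ColdFusion sits behind Apache httpd. The admin network range `10.0.0.0/8` is an assumed placeholder; the directives use Apache 2.4 `mod_authz_core` syntax.

```apache
# Added example: block public access to the ColdFusion admin paths named in the advisory.
# Place in the virtual host that fronts ColdFusion; adjust the allowed range to your
# actual administrative network (10.0.0.0/8 below is an assumed placeholder).
<LocationMatch "^/CFIDE/(administrator|adminapi|gettingstarted)(/|$)">
    # Apache 2.4: deny everyone except the admin network.
    # (Apache 2.2 equivalent: Order deny,allow / Deny from all / Allow from 10.0.0.0/8)
    Require ip 10.0.0.0/8
</LocationMatch>

# Log denied hits separately so attempts to reach these paths are visible to operations.
LogFormat "%h %t \"%r\" %>s" cfide_denied
SetEnvIf Request_URI "^/CFIDE/(administrator|adminapi|gettingstarted)" cfide_admin
CustomLog logs/cfide_admin_access.log cfide_denied env=cfide_admin
```

After reloading the web server, confirm from an address outside the allowed range that each of the three paths returns 403 rather than the ColdFusion administrator login page.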

Adobe’s ColdFusion server software has gained a lot of attention lately. In mid-April, two unpatched flaws in ColdFusion software were used to breach hosting company Linode and steal hashed passwords, source code snippets and directory listings belonging to some of the company’s customers.

In light of recent events, Adobe is working on a patch that is expected to become available on Tuesday, May 14, 2013. In the meantime, lock down your server as described in the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide.