October 17, 2018

Security updates available for ColdFusion | APSB18-33

On September 11, 2018, Adobe released security updates to ColdFusion 2018, 2016, and 11.  The purpose of these security updates is to patch a vulnerability that could lead to arbitrary code execution.  On September 28, 2018, Adobe has determined that CVE-2018-15961 is being actively exploited in the wild which specifically allows for unrestricted file uploads.  All customers running ColdFusion 2018, ColdFusion 2016, or ColdFusion 11 should update their installs with this security patch.

 

What is the severity of this exploit?

Adobe has raised the severity to level 1 for ColdFusion 2018 and ColdFusion 2016 as this is actively being exploited in the wild as of September 28, 2018.

 

Is my server affected?

If your server is running ColdFusion 2018, ColdFusion 2016, or ColdFusion 11, your server may be affected.  To check, log in to your ColdFusion admin for each instance and navigate to Server Update > Updates.  From there, click Check for Updates.  Below is an example for ColdFusion 11:

My server is affected.  What do I do?

First, read the release notes as ColdFusion will need to be running a specific version of Java for the patch to work properly.  If Java is not updated and the patch listed above is run, your server is NOT protected.  Java being patched is a prerequisite to the patch.

For ColdFusion 2018, Java must be JDK 8u121 or higher.

For ColdFusion 2016, Java must be JDK 8u121 or higher.

For ColdFusion 11, Java must be JDK 7u131 or JDK 8u121 or higher.

More information on Java and the flags necessary for ColdFusion is available in Adobe’s Security Bulletin.

After checking the Java version and ensuring it is updated, go back to ColdFusion admin for each instance.  Find the specific update and click Download and Install.  The process will download the installer and install it for you.  ColdFusion will need to be restarted after this is completed to ensure the patch is up-to-date.

Lastly, after patching, navigate back to ColdFusion admin for each instance.  Click Server Update > Updates.  From there, click Check for Updates and ensure there are no further updates.  If there are other updates, repeat the process.

 

What if I need help applying the update?  Will DataBank Support perform this update for me?

DataBank Support stands ready to assist if needed. To obtain support, navigate to our Customer Portal and submit a ticket or call us at 855.328.2247 and we will be glad to assist.