March 11, 2019

ColdFusion CVE-2019-7816

On March 1, 2019, Adobe released patch advisory APSB19-14 for all currently maintained and supported versions of ColdFusion (ColdFusion 11, ColdFusion 2016, and ColdFusion 2018).  The critical patch addresses an issue that allows an attacker to bypass file restrictions, upload a malicious file to a server, and then execute it via an HTTP request.  This vulnerability is being actively exploited in the wild.

Is my instance of ColdFusion affected?

Any server that is running ColdFusion 11, ColdFusion 2016, or ColdFusion 2018 is affected and should be patched immediately.

What about older versions of ColdFusion?

Older versions of ColdFusion are considered end-of-life and are not being patched by Adobe.  If you are running an older version of ColdFusion, you should upgrade to a supported version.

How do I update ColdFusion?

The easiest way to update ColdFusion is to log into each CF Admin instance and navigate to Updates.  From there, check for updates and apply the patches that are available.  Once done, restart the ColdFusion services.  The patches that address this critical vulnerability are ColdFusion 11 Update 18, ColdFusion 2016 Update 10, and ColdFusion 2018 Update 3.
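If you manage several servers, the update levels above can be checked across an inventory. The following is an added example, not Adobe's or our own tooling; it assumes each version is recorded as a `major,minor,update,build` string (the shape of `server.coldfusion.productversion`), and the host names and build numbers are constructed placeholders.

```python
# Added example: triage ColdFusion hosts against the update levels in the advisory.
MIN_UPDATE = {11: 18, 2016: 10, 2018: 3}  # minimum patched update per release

# Hosts needing action sort first.
PRIORITY = {"needs-update": 0, "end-of-life": 1, "unparseable": 2,
            "not-covered": 3, "patched": 4}


def classify(version):
    """Classify one version string.

    Assumption: 'major,minor,update,build', separated by commas or dots.
    """
    fields = version.strip().replace(",", ".").split(".")
    if len(fields) < 3 or not all(f.isdecimal() for f in fields[:3]):
        return "unparseable"
    major, update = int(fields[0]), int(fields[2])
    if major in MIN_UPDATE:
        return "patched" if update >= MIN_UPDATE[major] else "needs-update"
    if major < min(MIN_UPDATE):
        return "end-of-life"   # older than ColdFusion 11: no patch, upgrade
    return "not-covered"       # release line the advisory does not mention


def triage(inventory):
    """Return (host, status) pairs, most urgent first."""
    rows = [(host, classify(v)) for host, v in inventory.items()]
    return sorted(rows, key=lambda r: (PRIORITY[r[1]], r[0]))


# Constructed inventory; build numbers are placeholders.
SAMPLE = {
    "cf-a.example.internal": "2018,0,03,000000",
    "cf-b.example.internal": "2016,0,09,000000",
    "cf-c.example.internal": "11.0.18.000000",
    "cf-d.example.internal": "10,0,23,000000",
    "cf-e.example.internal": "unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(f"{host:28} {status}")
```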

What if I need assistance in patching ColdFusion?

As always, our engineers can assist you.  Please open a ticket via the customer portal and we will be happy to help.