DataBank Security Bulletin: Adobe ColdFusion Vulnerability
Adobe ColdFusion Vulnerability – CVE-2019-7838, CVE-2019-7839, CVE-2019-7840 / APSB19-27
On June 11, 2019, Adobe released patches for ColdFusion 11, ColdFusion 2016, and ColdFusion 2018 that address critical vulnerabilities (CVE-2019-7838, CVE-2019-7839, CVE-2019-7840) in these versions that allow arbitrary code execution. More information can be found at the following link: https://helpx.adobe.com/security/products/coldfusion/apsb19-27.html
Adobe has labeled this patch as a priority 2 patch.
Is my server affected?
If your server is running ColdFusion 2018, ColdFusion 2016, or ColdFusion 11, your server may be affected. To check, log in to the ColdFusion Administrator for each instance and navigate to Server Update > Updates. From there, click Check for Updates and compare your installed update level against the affected-version table below:

| Product | Affected versions | Platform |
| --- | --- | --- |
| ColdFusion 2018 | Update 3 and earlier versions | All |
| ColdFusion 2016 | Update 10 and earlier versions | All |
| ColdFusion 11 | Update 18 and earlier versions | All |
My server is affected. What needs to be done to mitigate the vulnerability?
First, read the release notes: ColdFusion must be running a specific version of Java for the patch to work properly. If Java is not updated and the patch listed above is applied, your server is NOT protected; Java patching is a prerequisite for the patch. The security updates require JDK 8u121 or higher (for ColdFusion 2016) and JDK 7u131 or JDK 8u121 (for ColdFusion 11).
Once Java has been updated, log in to the ColdFusion Administrator of each instance and click Server Update > Updates. From there, click Check for Updates and apply the update. This will require a ColdFusion restart. Once done, confirm that the ColdFusion version now matches the updated version listed in the table below:

| Product | Updated Version | Platform | Priority rating | Availability |
| --- | --- | --- | --- | --- |
| ColdFusion 2018 | Update 4 | All | 2 | Tech note |
| ColdFusion 2016 | Update 11 | All | 2 | Tech note |
| ColdFusion 11 | Update 19 | All | 2 | Tech note |
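The two checks above (Java prerequisite first, then ColdFusion update level) are easy to get wrong across many instances, because a patched ColdFusion on a stale JDK still counts as unprotected. The following script is an added example, not part of the DataBank bulletin or any Adobe tool: it encodes the bulletin's two tables, parses the legacy `java -version` banner of JDK 7/8, and reports whether an instance is protected only when both conditions hold. The product names, the helper names, and the sample banners are constructed here; the bulletin does not state a Java requirement for ColdFusion 2018, so the script reports "unknown" for that product rather than guessing.

```python
import re
import subprocess

# Constructed from the bulletin's tables: the first update level that carries the
# APSB19-27 fix for each product.
PATCHED_UPDATE = {
    "ColdFusion 2018": 4,
    "ColdFusion 2016": 11,
    "ColdFusion 11": 19,
}

# Minimum JDK update per major version, as stated in the bulletin. The bulletin gives
# no Java requirement for ColdFusion 2018, so that entry is None (assumption: unknown).
MIN_JDK_UPDATE = {
    "ColdFusion 2016": {8: 121},
    "ColdFusion 11": {7: 131, 8: 121},
    "ColdFusion 2018": None,
}

# Legacy `java -version` banner of JDK 7/8, e.g. 'java version "1.8.0_121"'
# or 'openjdk version "1.7.0_131"'. JDK 9+ uses a different scheme and is rejected.
_JAVA_BANNER = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+_(\d+)')


def parse_java_version(banner):
    """Return (major, update) from a legacy-format `java -version` banner, e.g. (8, 121)."""
    m = _JAVA_BANNER.search(banner)
    if not m:
        raise ValueError("unrecognised java -version output: %r" % banner)
    return int(m.group(1)), int(m.group(2))


def java_meets_prerequisite(product, banner):
    """True/False against the bulletin's JDK requirement; None if the bulletin states none."""
    required = MIN_JDK_UPDATE.get(product)
    if required is None:
        return None
    major, update = parse_java_version(banner)
    if major not in required:
        return False  # a JDK major the bulletin does not list for this product
    return update >= required[major]


def coldfusion_is_patched(product, update_level):
    """True when the instance's update level is at or past the first patched level."""
    return update_level >= PATCHED_UPDATE[product]


def assess(product, update_level, banner):
    """A server is protected only if the ColdFusion update is applied AND Java meets
    the prerequisite, as the bulletin states. 'protected' is None when undecidable."""
    cf_ok = coldfusion_is_patched(product, update_level)
    java_ok = java_meets_prerequisite(product, banner)
    if java_ok is None:
        protected = None  # Java prerequisite not stated for this product
    else:
        protected = cf_ok and java_ok
    return {"cf_patched": cf_ok, "java_ok": java_ok, "protected": protected}


def local_java_banner(java="java"):
    """Run `java -version` on this host; the JDK prints its banner to stderr."""
    result = subprocess.run([java, "-version"], capture_output=True, text=True)
    return result.stderr or result.stdout


if __name__ == "__main__":
    # Constructed sample banners; not captured from a real host.
    old_java = 'java version "1.8.0_112"\nJava(TM) SE Runtime Environment (build 1.8.0_112-b15)\n'
    new_java = 'java version "1.8.0_121"\nJava(TM) SE Runtime Environment (build 1.8.0_121-b13)\n'
    for product, level, banner in [
        ("ColdFusion 2016", 11, old_java),  # patched CF, stale Java: NOT protected
        ("ColdFusion 2016", 11, new_java),  # patched CF, Java OK: protected
        ("ColdFusion 11", 18, new_java),    # unpatched CF: NOT protected
    ]:
        print(product, "Update", level, "->", assess(product, level, banner))
```

To use it against a real instance, pass the update level read from Server Update > Updates and the banner from `local_java_banner()` run with the JDK that the ColdFusion instance actually starts with (the one configured in its jvm.config), not whatever `java` happens to be first on the PATH.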
What if I need help applying the update?
DataBank has partnered with CF Webtools, an Adobe partner, to help with these ColdFusion and Java updates. CF Webtools can be reached by phone at 402.932.3386 or by sending an email to firstname.lastname@example.org.
For DataBank customers that have subscribed to 24/7 ColdFusion Support, DataBank will honor these obligations through the CF Webtools partnership. You should expect a ticket from DataBank in the coming days requesting permission to proceed with the update, including timing. You may opt out of the update when the ticket arrives.
For those customers that have not subscribed to 24/7 ColdFusion Support from DataBank, you may contact CF Webtools directly for assistance with updates. CF Webtools will guide you through their process, including making arrangements for payment directly with CF Webtools.