June 25, 2019

DataBank Security Bulletin: Adobe ColdFusion Vulnerability

Adobe ColdFusion Vulnerability – CVE-2019-7838, CVE-2019-7839, CVE-2019-7840 / APSB19-27

On June 11, 2019, Adobe released patches for ColdFusion 11, ColdFusion 2016, and ColdFusion 2018 that address a critical vulnerability in these versions that allows arbitrary code execution. More information can be found at the following link: https://helpx.adobe.com/security/products/coldfusion/apsb19-27.html

Adobe has labeled this patch as a priority 2 patch.

 

Is my server affected?

If your server is running ColdFusion 2018, ColdFusion 2016, or ColdFusion 11, your server may be affected.  To check, log in to your ColdFusion admin for each instance and navigate to Server Update > Updates.  From there, click Check for Updates and check your version against the affected version table below: 

 

Product          Affected Versions               Platform
ColdFusion 2018  Update 3 and earlier versions   All
ColdFusion 2016  Update 10 and earlier versions  All
ColdFusion 11    Update 18 and earlier versions  All

 

My server is affected.  What needs to be done to mitigate the vulnerability?

First, it is recommended to read the release notes as ColdFusion will need to be running a specific version of Java for the patch to work properly.  If Java is not updated and the patch listed above is run, your server is NOT protected.  Java patching is a prerequisite to the patch. The security updates require JDK 8u121 or higher (for ColdFusion 2016) and JDK 7u131 or JDK 8u121 (for ColdFusion 11).

Once Java has been updated, navigate into each ColdFusion instance and log in.  Click Server Update > Updates.  From there, click Check for Updates and apply the update.  This will require a ColdFusion restart.  Once done, confirm that the version of ColdFusion is updated to the version listed in the table below:

Product          Updated Version  Platform  Priority rating  Availability
ColdFusion 2018  Update 4         All       2                Tech note
ColdFusion 2016  Update 11        All       2                Tech note
ColdFusion 11    Update 19        All       2                Tech note
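
The check described above can be scripted across an inventory of instances. The following Python sketch is an added example, not part of the original bulletin or any Adobe tooling; it assumes you have already collected each instance's update level (from Server Update > Updates) and Java version string, and its function names and sample rows are constructed for illustration.

```python
import re

# Fixed update levels from the bulletin's "Updated Version" table.
FIXED_UPDATE = {"2018": 4, "2016": 11, "11": 19}
# JDK minimums stated in the bulletin, as {java_major: minimum_update}.
# The bulletin gives no JDK figure for ColdFusion 2018, so none is listed.
MIN_JDK = {"2016": {8: 121}, "11": {7: 131, 8: 121}}


def parse_java_version(version):
    """Turn '1.8.0_121' (legacy form) or '11.0.3' into (major, update)."""
    m = re.fullmatch(r"1\.(\d+)\.\d+(?:_(\d+))?(?:-\S+)?", version.strip())
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = re.match(r"(\d+)(?:\.\d+\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Java version: {version!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def jdk_ok(product, java_version):
    """True/False against the bulletin's minimums, None if it states none."""
    minimums = MIN_JDK.get(product)
    if minimums is None:
        return None
    major, update = parse_java_version(java_version)
    if major in minimums:
        return update >= minimums[major]
    # Assumption: a Java major newer than every listed line counts as "higher".
    return major > max(minimums)


def assess(product, update_level, java_version):
    """Classify one instance the way the bulletin describes."""
    if product not in FIXED_UPDATE:
        raise ValueError(f"product not covered by the bulletin: {product!r}")
    java_unmet = jdk_ok(product, java_version) is False
    if update_level < FIXED_UPDATE[product]:
        return ("affected: update Java first, then apply the update"
                if java_unmet else "affected: apply the update")
    if java_unmet:
        return "NOT protected: update applied but Java prerequisite unmet"
    return "updated"


if __name__ == "__main__":
    # Constructed sample inventory: (product, update level, java version).
    for row in [("2016", 10, "1.8.0_112"), ("2016", 11, "1.8.0_112"),
                ("11", 19, "1.7.0_131"), ("2018", 4, "1.8.0_202")]:
        print(row, "->", assess(*row))
```

The second sample row is the case the bulletin warns about: the ColdFusion update is installed, but the older JDK leaves the server unprotected.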

 

What if I need help applying the update? 

DataBank has partnered with CF Webtools, an Adobe partner, to help with these ColdFusion and Java updates.  CF Webtools can be reached by phone at 402.932.3386 or by sending an email to [email protected].

For DataBank customers that have subscribed to 24/7 ColdFusion Support, DataBank will honor these obligations through the CF Webtools partnership. You should expect a ticket from DataBank in the coming days requesting permission to proceed with the update, including timing. You may opt out of the update when the ticket arrives.

For those customers that have not subscribed to 24/7 ColdFusion Support from DataBank, you may contact CF Webtools directly for assistance with updates. CF Webtools will guide you through their process, including making arrangements for payment directly with CF Webtools.