Operating System:

[WIN][UNIX/Linux]

Published:

19 March 2020

Protect yourself against future threats.

//Service

Early Warning SMS

Receive SMS notifications for the most critical security threats and vulnerabilities.

Read more
Resources > Security Bulletins > ESB-2020.0978 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0978
           Security updates available for ColdFusion | APSB20-16
                               19 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ColdFusion 2016
                   ColdFusion 2018
Publisher:         Adobe
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-3794 CVE-2020-3761 

Original Bulletin: 
   https://helpx.adobe.com/security/products/coldfusion/apsb20-16.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Security updates available for ColdFusion | APSB20-16
+-----------+--------------+--------+
|Bulletin ID|Date Published|Priority|
+-----------+--------------+--------+
|APSB20-16  |March 17, 2020|2       |
+-----------+--------------+--------+

Summary

Adobe has released security updates for ColdFusion versions 2016 and 2018.
These updates resolve multiple critical vulnerabilities that could lead to
arbitrary code execution.

Affected Versions

+---------------+-----------------------------+--------+
|Product        |Update number                |Platform|
+---------------+-----------------------------+--------+
|ColdFusion 2016|Update 13 and earlier version|All     |
+---------------+-----------------------------+--------+
|ColdFusion 2018|Update7and earlier versions  |All     |
+---------------+-----------------------------+--------+

Note:

ColdFusion servers deployed with the recommended lockdown installer are not
impacted by these vulnerabilities.

Solution

Adobe categorizes these updates with the following priority rating and
recommends users update their installations to the newest versions:

+-----------------+-----------------+---------+-----------------+-------------+
|     Product     | Updated Version |Platform | Priority rating |Availability |
+-----------------+-----------------+---------+-----------------+-------------+
|ColdFusion 2016  |Update 14        |All      |2                |Tech note    |
+-----------------+-----------------+---------+-----------------+-------------+
|ColdFusion 2018  |Update 8         |All      |2                |Tech note    |
+-----------------+-----------------+---------+-----------------+-------------+

Note:

Adobere commend supdating your ColdFusion JDK/JRE to the latest version of the
LTS releases for 1.8 and JDK 11. Applying the ColdFusion update without a
corresponding JDK update will NOT secure the server.Seethe relevant Tech Notes
for more details.

JEE Application Servers:

Users having JEE ColdFusion deployments (such as Tomcat, JBoss EAP) can refer
to the instructions in https://helpx.adobe.com/coldfusion/kb/
coldfusion-2018-update-8.html#jee

ColdFusion 11

ColdFusion 11 users are recommended to apply the mitigations steps outlined in
https://helpx.adobe.com/coldfusion/kb/coldfusion-11-mitigation-steps.html

Adobe also recommends customers apply the security configuration settings as
outlined on the ColdFusion Security page as well as review the respective
Lockdown guides.

  o ColdFusion 2018 Auto-Lockdown guide
  o ColdFusion 2016 Lockdown Guide

Vulnerability Details

+-------------+-------------------------------+--------+----------------------+
|Vulnerability|     Vulnerability Impact      |Severity|     CVE Numbers      |
|  Category   |                               |        |                      |
+-------------+-------------------------------+--------+----------------------+
|Remote file  |Arbitrary file read from the   |Critical|CVE-2020-3761         |
|read         |Coldfusion install directory   |        |                      |
+-------------+-------------------------------+--------+----------------------+
|File         |Arbitrary code execution of    |        |                      |
|inclusion    |files located in the webroot or|Critical|CVE-2020-3794         |
|             |its subdirectory               |        |                      |
+-------------+-------------------------------+--------+----------------------+

Acknowledgements

Adobe would like to thank Wang Cheng of Venustech ADLab (CVE-2020-3761,
CVE-2020-3794) for reporting these issues and for working with Adobe to help
protect our customers.

ColdFusion JDK Requirement

COLDFUSION 2018 HF1 and above

For Application Servers

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !
org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**", in
the respective startup file depending on the type of Application Server being
used.

For example:

Apache Tomcat Application Server: edit JAVA_OPTS in the 'Catalina.bat/sh' file

WebLogic Application Server: edit JAVA_OPTIONS in the 'startWeblogic.cmd' file

WildFly/EAP Application Server: edit JAVA_OPTS in the 'standalone.conf' file

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone
installation.

COLDFUSION 2016 HF7 and above

This security update requires ColdFusion to be on JDK 8u121 or higher. Adobe
recommends that you must manually update your ColdFusion JDK/JRE to the latest
version. In case you do not update the JDK/JRE, simply applying the update
would NOT secure the server.

For Application Servers

Additionally, on JEE installations, set the following JVM flag,
"-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!
org.apache.commons.beanutils.**", in the respective startup file depending on
the type of Application Server being used.

For example:

On Apache Tomcat Application Server, edit JAVA_OPTS in the 'Catalina.bat/sh'
file

On WebLogic Application Server, edit JAVA_OPTIONS in the 'startWeblogic.cmd'
file

On a WildFly/EAP Application Server, edit JAVA_OPTS in the 'standalone.conf'
file

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone
installation

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXnMDAmaOgq3Tt24GAQhtRg//WUHmF5RMQTiSDoAttsTUulG9oeh3emqW
C1BqajZndT3ovwBWZRn5R2pb7Y5PJtrd3E01Z24K2D9K6LidsdRRn162ylp9oRgJ
Bi0ih6ta3UxdD7INv66k0jNPKetX34BIgoTljMt3bugjnwXrKhenEDXpnPeCb3MC
8MUybrgO7n0+y5RgeFdkiS8toIOwXv0fDXRLY31aM+zrpOgNNVjpQEcftRRkJTti
eG/0UufGwSgkrAAmTeKTOJ65bnfYs4NLVT/UpEeWSSpfb0bQJVkKtW2zDxYLV7qu
tiyo0AJsFGdW9RKqcY+Q5WtidQ/c/jAf0e9REC2rWi/IOkoplU5ZVxpyJyQ7tx2t
0HTpuOvidtNEGl96fMcrhcDclcsYn7MleskS5zryiHNWGSRUgijCpPgB066mpVAb
WhR+Ms2PvNZ6Sr2MZZhE7E3PkkfzwaqwlMHTrXfW0BDFdxPCaubgJx2nRghlk8qV
I/haIXk+EuzILTWc8qggmVkPsbkv1IF8lEWS/bIlMo2CcAVl3aIZo578txVUjFEJ
VnB3UnmqXrH86nMKAIjUx+PumTLiCX5/yBkyZa+9ZSvqdYV7ZBFaELXSy/e5GHxG
RrKK3XSvThFfzZADDZ6nzJh+JK+/5+kIPOvkrvSqngc/hd8TF6A70yrNG2MuL/lE
eMGNOL9u2rU=
=4NqJ
-----END PGP SIGNATURE-----