Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.0978 Security updates available for ColdFusion | APSB20-16 19 March 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: ColdFusion 2016 ColdFusion 2018 Publisher: Adobe Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-3794 CVE-2020-3761 Original Bulletin: https://helpx.adobe.com/security/products/coldfusion/apsb20-16.html - --------------------------BEGIN INCLUDED TEXT-------------------- Security updates available for ColdFusion | APSB20-16 +-----------+--------------+--------+ |Bulletin ID|Date Published|Priority| +-----------+--------------+--------+ |APSB20-16 |March 17, 2020|2 | +-----------+--------------+--------+ Summary Adobe has released security updates for ColdFusion versions 2016 and 2018. These updates resolve multiple critical vulnerabilities that could lead to arbitrary code execution. Affected Versions +---------------+-----------------------------+--------+ |Product |Update number |Platform| +---------------+-----------------------------+--------+ |ColdFusion 2016|Update 13 and earlier version|All | +---------------+-----------------------------+--------+ |ColdFusion 2018|Update7and earlier versions |All | +---------------+-----------------------------+--------+ Note: ColdFusion servers deployed with the recommended lockdown installer are not impacted by these vulnerabilities. Solution Adobe categorizes these updates with the following priority rating and recommends users update their installations to the newest versions: +-----------------+-----------------+---------+-----------------+-------------+ | Product | Updated Version |Platform | Priority rating |Availability | +-----------------+-----------------+---------+-----------------+-------------+ |ColdFusion 2016 |Update 14 |All |2 |Tech note | +-----------------+-----------------+---------+-----------------+-------------+ |ColdFusion 2018 |Update 8 |All |2 |Tech note | +-----------------+-----------------+---------+-----------------+-------------+ Note: Adobere commend supdating your ColdFusion JDK/JRE to the latest version of the LTS releases for 1.8 and JDK 11. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server.Seethe relevant Tech Notes for more details. JEE Application Servers: Users having JEE ColdFusion deployments (such as Tomcat, JBoss EAP) can refer to the instructions in https://helpx.adobe.com/coldfusion/kb/ coldfusion-2018-update-8.html#jee ColdFusion 11 ColdFusion 11 users are recommended to apply the mitigations steps outlined in https://helpx.adobe.com/coldfusion/kb/coldfusion-11-mitigation-steps.html Adobe also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides. o ColdFusion 2018 Auto-Lockdown guide o ColdFusion 2016 Lockdown Guide Vulnerability Details +-------------+-------------------------------+--------+----------------------+ |Vulnerability| Vulnerability Impact |Severity| CVE Numbers | | Category | | | | +-------------+-------------------------------+--------+----------------------+ |Remote file |Arbitrary file read from the |Critical|CVE-2020-3761 | |read |Coldfusion install directory | | | +-------------+-------------------------------+--------+----------------------+ |File |Arbitrary code execution of | | | |inclusion |files located in the webroot or|Critical|CVE-2020-3794 | | |its subdirectory | | | +-------------+-------------------------------+--------+----------------------+ Acknowledgements Adobe would like to thank Wang Cheng of Venustech ADLab (CVE-2020-3761, CVE-2020-3794) for reporting these issues and for working with Adobe to help protect our customers. ColdFusion JDK Requirement COLDFUSION 2018 HF1 and above For Application Servers On JEE installations, set the following JVM flag, "-Djdk.serialFilter= ! org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**", in the respective startup file depending on the type of Application Server being used. For example: Apache Tomcat Application Server: edit JAVA_OPTS in the 'Catalina.bat/sh' file WebLogic Application Server: edit JAVA_OPTIONS in the 'startWeblogic.cmd' file WildFly/EAP Application Server: edit JAVA_OPTS in the 'standalone.conf' file Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation. COLDFUSION 2016 HF7 and above This security update requires ColdFusion to be on JDK 8u121 or higher. Adobe recommends that you must manually update your ColdFusion JDK/JRE to the latest version. In case you do not update the JDK/JRE, simply applying the update would NOT secure the server. For Application Servers Additionally, on JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;! org.apache.commons.beanutils.**", in the respective startup file depending on the type of Application Server being used. For example: On Apache Tomcat Application Server, edit JAVA_OPTS in the 'Catalina.bat/sh' file On WebLogic Application Server, edit JAVA_OPTIONS in the 'startWeblogic.cmd' file On a WildFly/EAP Application Server, edit JAVA_OPTS in the 'standalone.conf' file Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXnMDAmaOgq3Tt24GAQhtRg//WUHmF5RMQTiSDoAttsTUulG9oeh3emqW C1BqajZndT3ovwBWZRn5R2pb7Y5PJtrd3E01Z24K2D9K6LidsdRRn162ylp9oRgJ Bi0ih6ta3UxdD7INv66k0jNPKetX34BIgoTljMt3bugjnwXrKhenEDXpnPeCb3MC 8MUybrgO7n0+y5RgeFdkiS8toIOwXv0fDXRLY31aM+zrpOgNNVjpQEcftRRkJTti eG/0UufGwSgkrAAmTeKTOJ65bnfYs4NLVT/UpEeWSSpfb0bQJVkKtW2zDxYLV7qu tiyo0AJsFGdW9RKqcY+Q5WtidQ/c/jAf0e9REC2rWi/IOkoplU5ZVxpyJyQ7tx2t 0HTpuOvidtNEGl96fMcrhcDclcsYn7MleskS5zryiHNWGSRUgijCpPgB066mpVAb WhR+Ms2PvNZ6Sr2MZZhE7E3PkkfzwaqwlMHTrXfW0BDFdxPCaubgJx2nRghlk8qV I/haIXk+EuzILTWc8qggmVkPsbkv1IF8lEWS/bIlMo2CcAVl3aIZo578txVUjFEJ VnB3UnmqXrH86nMKAIjUx+PumTLiCX5/yBkyZa+9ZSvqdYV7ZBFaELXSy/e5GHxG RrKK3XSvThFfzZADDZ6nzJh+JK+/5+kIPOvkrvSqngc/hd8TF6A70yrNG2MuL/lE eMGNOL9u2rU= =4NqJ -----END PGP SIGNATURE-----