Adobe warns of unpatched critical flaw in ColdFusion
Cites reports that a public exploit is already available for the vulnerability that could give hackers access to sensitive data
IDG News Service - Adobe has warned users of its ColdFusion application server platform of a critical vulnerability that could give unauthorized users access to sensitive files stored on their servers.
The vulnerability is identified as CVE-2013-3336 and affects ColdFusion 10, 9.0.2, 9.0.1, 9.0 and earlier versions for Windows, Macintosh and UNIX, Adobe said in an advisory published Wednesday.
The company credited Marcin Siedlarz of Symantec's Security Response team with reporting the issue. "There are reports that an exploit for this vulnerability is publicly available," Adobe said.
The company is working on a fix and expects to release it publicly on May 14. Until then, customers are advised to restrict public access to certain sensitive directories like CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted.
Information on how to restrict access to these directories is provided in the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide. Customers who hardened their ColdFusion installations following the guidance provided in these technical documents are already protected against CVE-2013-3336, Adobe said.
Even though it's not as widely used as some other Adobe products, ColdFusion has been targeted by hackers in the past. In April, virtual private server hosting company Linode reported that hackers gained access to its Web server and customer database by exploiting a previously unknown ColdFusion vulnerability.
In January, Adobe issued a security advisory warning customers about four previously unknown ColdFusion vulnerabilities that were being actively exploited by attackers. The mitigation steps recommended at the time also involved disabling external access to the /CFIDE/administrator and /CFIDE/adminapi directories.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts