Adobe 发布 ColdFusion 严重漏洞 (CVE-2019-7816) 的带外安全性公告
Adobe Security Bulletin APSB19-14 addresses a file upload restriction bypass vulnerability that has been exploited in the wild.
背景
On March 1, Adobe published APSB19-14, an out-of-band security bulletin to address a critical vulnerability in Adobe ColdFusion. Affected versions include ColdFusion 2018 Update 2 and earlier, ColdFusion 2016 Update 9 and earlier, and ColdFusion 11 Update 17 and earlier.
分析
This security bulletin addresses CVE-2019-7816, a file upload restriction bypass vulnerability. Exploitation of this vulnerability could allow an attacker to gain arbitrary code execution “in the context of the running ColdFusion service.” According to Adobe, they are aware of a report that this vulnerability has been exploited in the wild.
In order to exploit the vulnerability, an attacker would need to be able to upload a malicious file to a directory that is publicly accessible and then execute that file remotely.
解决方案
Adobe has released security the following updates for Cold Fusion 2018, 2016 and 11 to address this vulnerability:
Tenable recommends users to upgrade to these versions of ColdFusion as soon as possible.
Additionally, users are advised to modify settings to prevent users from making HTTP requests to directories that contain uploaded files.
识别受影响的系统
A list of Nessus plugins to identify this vulnerability will appear here as they’re released.
获取更多信息
加入 Tenable Community 中的 Tenable 安全响应团队
了解有关 Tenable 这款首创 Cyber Exposure 平台的更多信息,全面管理现代攻击面。
Get a free 60-day trial of Tenable.io Vulnerability Management.
Satnam Narang
安全响应高级员工研究工程师
Satnam 于 2018 年入职 Tenable。他有 15 年以上的行业经验(M86 Security 和 Symantec)。 他为反网络钓鱼工作组做出了贡献,助力国家网络安全联盟开发了一个社交网络指南,在 Twitter 上发现了一个巨大的垃圾邮件僵尸网络,并且是在 Tinder 上报告垃圾邮件僵尸网络第一人。 他还参加过 NBC Nightly News、Entertainment Tonight、Bloomberg West 和 Why Oh Why 的节目。
工作外兴趣:Satnam 写写诗,创作嘻哈音乐。他喜欢观看实况音乐,花时间教育三个侄女,享受足球和篮球带来的快乐,观看和收听宝莱坞电影和音乐以及 Grogu (Baby Yoda)。
相关文章
Volt Typhoon: What State and Local Government Officials Need to Know
Increased activity from the state-sponsored threat group Volt Typhoon raises concerns about the cybersecurity of U.S. critical infrastructure. Here’s how you can identify potential exposures and attack paths.
Cybersecurity Snapshot: Guide Unpacks Event-Logging Best Practices, as FAA Proposes Stronger Cyber Rules for Airplanes
Looking to sharpen your team’s event logging and threat detection? A new guide offers plenty of best practices. Plus, the FAA wants airplanes to be more resilient to cyberattacks. Meanwhile, check out the critical vulnerabilities Tenable discovered in two Microsoft AI products. And get the latest…
Detecting Risky Third-party Drivers on Windows Assets
Kernel-mode drivers are critical yet risky components of the Windows operating system. Learn about their functionality, the dangers they pose, and how Tenable's new plugins can help identify and mitigate vulnerabilities using community-driven resources like LOLDrivers.
- Threat Intelligence
- Threat Management
- Vulnerability Management
- Vulnerability Scanning
Contact our sales team