The following cyber advisory was issued by the New York State Office of Information Technology Services and is intended for State government entities. The information may or may not be applicable to the general public and, accordingly, the State does not warrant its use for any specific purposes.

ITS ADVISORY NUMBER:
2013-044 - Updated

DATE(S) ISSUED:
5/10/2013
5/15/2013 - UPDATED

SUBJECT:
Vulnerability in Adobe ColdFusion Allows Unauthorized File Access (APSA13-03)

ORIGINAL OVERVIEW:

A vulnerability has been discovered in Adobe ColdFusion that could permit an unauthorized user to remotely retrieve files stored on a server. Adobe ColdFusion is a widely distributed web application platform used for the development of rich internet applications. Successful exploitation could result in an attacker gaining access to sensitive information.

It should be noted that there is currently no patch available for this vulnerability and it is currently being exploited in the wild.

May 15 - UPDATED OVERVIEW:
Adobe has released a patch for this vulnerability. It is recommended to apply this patch immediately after appropriate testing.

SYSTEMS AFFECTED:

  • Adobe ColdFusion 10
  • Adobe ColdFusion 9.0.2
  • Adobe ColdFusion 9.0.1
  • Adobe ColdFusion 9

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High (if hosting a website using Adobe ColdFusion)

ORIGINAL DESCRIPTION:
A vulnerability has been discovered in Adobe ColdFusion that could permit an unauthorized user to remotely retrieve files stored on a server. Using directory traversal techniques an attacker can gain access to directories containing sensitive files and information, including administrator account passwords. Successful exploitation allows remote users to access files stored within the CFIDE/administrator, CFIDE/adminapi, and CFIDE/gettingstarted directories.

It should be noted that there is currently no patch available for this vulnerability and it is currently being exploited in the wild. Adobe expects to release a fix on May 14, 2013.

May 15 - UPDATED DESCRIPTION:
Adobe has released a patch for this vulnerability. It is recommended to apply this patch immediately after appropriate testing.

ORIGINAL RECOMMENDATIONS:
We recommend the following actions be taken:

  • Install the appropriate vendor patch as soon as it becomes available after appropriate testing
  • Disable external access to the following directories for all hosted sites:
      • /CFIDE/administrator
      • /CFIDE/adminapi
      • /CFIDE/componentutils
  • Refer to the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide for security best practices and further information on these hardening techniques.
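Once external access to the CFIDE administrative directories has been restricted, an administrator will want to confirm that the restriction holds and to spot any outside requests that reached those paths before it was in place. The script below is an added example, not part of the advisory or of Adobe's lockdown guides: it reads web server access log lines in the common "combined" format, normalizes the request path (percent-decoding and dropping the query string so an encoded path still matches), and reports every request to an administrative directory that did not come from an assumed internal network. The log lines, the 10.0.0.0/8 internal range and the IP addresses are all constructed for the example.

```python
"""Flag external requests to ColdFusion administrative directories.

Added example (not from the NYS ITS advisory or from Adobe). It checks
access-log lines in the Apache "combined" format against the /CFIDE
directories the advisory lists, and reports hits from outside an assumed
internal network. All log lines and addresses below are constructed.
"""
import ipaddress
import re
from urllib.parse import unquote

# Directories named in the advisory: three to be closed to external access
# plus /CFIDE/gettingstarted, which the description lists as reachable.
ADMIN_PREFIXES = (
    "/CFIDE/administrator",
    "/CFIDE/adminapi",
    "/CFIDE/componentutils",
    "/CFIDE/gettingstarted",
)

# Assumption for the example: administrative access is only legitimate
# from this internal range. Replace with the real management network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Combined log format:
#   ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def normalize_path(raw):
    """Drop the query string, percent-decode twice (to undo double
    encoding) and collapse backslashes, so the path compares cleanly
    against ADMIN_PREFIXES."""
    path = raw.split("?", 1)[0]
    path = unquote(unquote(path))
    return path.replace("\\", "/")


def is_admin_path(raw_path):
    """True if the normalized path falls under one of the admin directories."""
    path = normalize_path(raw_path).lower()
    return any(path.startswith(prefix.lower()) for prefix in ADMIN_PREFIXES)


def is_internal(ip):
    """True if the address lies inside one of the INTERNAL_NETS ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_external_admin_hits(lines):
    """Return (ip, status, normalized path) for each external request to an
    admin directory. The status is kept so a 200 (content was served) stands
    out from a 403 (the recommended restriction blocked the request)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_admin_path(m["path"]) or is_internal(m["ip"]):
            continue
        hits.append((m["ip"], int(m["status"]), normalize_path(m["path"])))
    return hits


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2013:14:02:11 -0400] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.20.30.40 - - [10/May/2013:14:03:01 -0400] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/May/2013:14:05:44 -0400] "GET /CFIDE/adminapi/base.cfc?method=foo HTTP/1.1" 403 199 "-" "curl/7.29"',
    '203.0.113.7 - - [10/May/2013:14:06:12 -0400] "GET /index.cfm HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/May/2013:14:07:30 -0400] "GET /CFIDE/admin%61pi/ HTTP/1.1" 200 1024 "-" "curl/7.29"',
]


if __name__ == "__main__":
    for ip, status, path in find_external_admin_hits(SAMPLE_LOG):
        flag = "SERVED" if status == 200 else "blocked"
        print(f"{ip:15} {status} {flag:8} {path}")
```

Run against the constructed sample, the script reports two requests that were served (the first line, and the percent-encoded adminapi request, which a plain string match on "/CFIDE/adminapi" would have missed) and one that the restriction blocked with a 403; the internal request and the non-administrative page are ignored. Any "SERVED" line from an external address after the restriction is applied means the block is not in effect for that hosted site.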

May 15 - UPDATED RECOMMENDATION:

  • Install the vendor patch after appropriate testing.

ORIGINAL REFERENCES:
Adobe:
http://www.adobe.com/support/security/advisories/apsa13-03.html
http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf
http://www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/CF10%20Lockdown%20Guide.pdf

Security Focus:
http://www.securityfocus.com/bid/59773

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3336

May 15 - UPDATED REFERENCE:

Adobe:
http://www.adobe.com/support/security/bulletins/apsb13-13.html

Deborah A. Snyder

Acting Chief Information Security Officer
