The following cyber advisory was issued by the New York State Office of Information Technology Services and is intended for State government entities. The information may or may not be applicable to the general public and, accordingly, the State does not warrant its use for any specific purposes.

ITS ADVISORY NUMBER:
2013-111

DATE(S) ISSUED:
11/13/2013

SUBJECT:
Vulnerabilities found in Adobe ColdFusion

OVERVIEW:

Vulnerabilities have been discovered in Adobe ColdFusion: one could permit a remote, authenticated user to carry out reflected cross-site scripting (XSS) attacks, and another could permit unauthorized remote read access. Adobe ColdFusion is a widely distributed web application platform used for the development of rich internet applications. Successful exploitation could result in an attacker gaining access to sensitive information.

SYSTEMS AFFECTED:

  • Adobe ColdFusion 10
  • Adobe ColdFusion 9.0.2
  • Adobe ColdFusion 9.0.1
  • Adobe ColdFusion 9

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High (If running ColdFusion server at home)

DESCRIPTION:
Two vulnerabilities have been found in Adobe ColdFusion for Windows, Macintosh and Linux. The first is a reflected cross-site scripting vulnerability (CVE-2013-5326) that could be exploited by a remote, authenticated user on ColdFusion 10 and earlier when the CFIDE directory is exposed. The second (CVE-2013-5328) affects ColdFusion 10 and could permit unauthorized remote read access. Successful exploitation could result in an attacker gaining access to sensitive information.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Install the updates provided by Adobe immediately after appropriate testing
  • Block external access to the following folders

/CFIDE/administrator
/CFIDE/adminapi

  • Refer to the ColdFusion 9 Lockdown Guide and the ColdFusion 10 Lockdown Guide for security best practices and further information on these hardening techniques
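One way to verify that the access restriction above is actually in effect is to scan the web server's access log for requests to the two CFIDE folders that arrive from outside the trusted network. The script below is an added example, not part of this advisory or of Adobe's guidance; it assumes Common Log Format lines, treats 10.0.0.0/8 and 192.168.0.0/16 as the only trusted administration networks, and uses constructed sample log lines rather than real traffic.

```python
"""Flag requests to the CFIDE admin folders that came from untrusted addresses.

A hit with a 2xx status from an external address means the folder is still
reachable from the outside and the recommended block has not taken effect.
"""
import ipaddress
import re

# The two folders the advisory recommends blocking external access to.
BLOCKED_PREFIXES = ("/CFIDE/administrator", "/CFIDE/adminapi")

# Assumption: administration is only legitimate from these internal ranges.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]

# Common Log Format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def is_trusted(ip: str) -> bool:
    """True if the client address lies in one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # malformed address: never treat as trusted
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)

def path_is_admin(path: str) -> bool:
    """Match the admin folders ignoring query string and letter case
    (Windows hosts serve /cfide/Administrator just as /CFIDE/administrator)."""
    clean = path.split("?", 1)[0].lower()
    return any(clean.startswith(p.lower()) for p in BLOCKED_PREFIXES)

def find_external_admin_hits(lines):
    """Return (ip, path, status) for admin-folder requests from untrusted IPs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and path_is_admin(m["path"]) and not is_trusted(m["ip"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits

def still_reachable(hits):
    """Subset of hits the server answered with 2xx: the block is not working."""
    return [h for h in hits if 200 <= h[2] < 300]

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Nov/2013:10:15:02 -0500] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5123',
    '10.20.30.40 - - [13/Nov/2013:10:16:11 -0500] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5123',
    '198.51.100.9 - - [13/Nov/2013:10:17:45 -0500] "POST /cfide/adminapi/administrator.cfc?method=login HTTP/1.1" 403 212',
    '203.0.113.7 - - [13/Nov/2013:10:18:03 -0500] "GET /index.cfm HTTP/1.1" 200 8801',
    'not a log line',
]

if __name__ == "__main__":
    for hit in find_external_admin_hits(SAMPLE_LOG):
        print("external admin request:", hit)
```

Only the first and third sample lines are reported; the 200 on the first shows the folder is still served to an external client, while the 403 on the third shows the block answering a probe.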

REFERENCES:

Adobe:
http://www.adobe.com/support/security/bulletins/apsb13-27.html
http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-27.html
ColdFusion 9 Lockdown Guide - http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf
ColdFusion 10 Lockdown Guide - http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/cf10-lockdown-guide.pdf

Secunia:
http://secunia.com/advisories/55624/

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5326
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5328

Deborah A. Snyder

Acting Chief Information Security Officer
