ColdFusion security HotFix may generate problems
Adobe yesterday released security hotfixes for ColdFusion 10, ColdFusion 11 and ColdFusion 2016. These patches address an issue that could be used in cross-site scripting attacks and contain an updated version of Apache BlazeDS to mitigate Java deserialization. Some ColdFusion owners got their hands tangled up while trying to apply the patches.
Applying patches and executing hotfixes for ColdFusion doesn’t always go smoothly. If you, the business owner, attempt to execute them without prior experience, you might end up with errors, or simply “break” something. Contacting Adobe to fix a ColdFusion issue doesn’t come cheap, unless you are already paying for the thousands-of-dollars-per-year Maintenance or Support packages. Adobe recommends that ColdFusion customers engage a Technician or a ColdFusion Company to apply the appropriate hotfix.
According to Adobe’s Security Bulletin, the hotfixes apply to Update 3 and earlier versions of ColdFusion’s 2016 release, Update 11 and earlier versions of ColdFusion 11, and Update 22 of ColdFusion 10. Adobe encourages customers to update ColdFusion, apply the requisite security configuration settings, and review Lockdown guides specific to their installation.
This is Adobe’s new security update for 2017, following last December’s ColdFusion fix, which patched a vulnerability that could have led to information disclosure. The ColdFusion update is the second that Adobe has released this month. Adobe patched many vulnerabilities, including a host of code execution bugs. Flash Player, Acrobat/Reader, Photoshop, Adobe Campaign, and Adobe’s Creative Cloud App all received updates as part of the regularly scheduled update.
Vulnerabilities in ColdFusion shouldn’t be neglected, and the hotfixes should be installed by experienced Technicians. If you need assistance, Ecom Solutions can help. You can always Email us or simply fill out a Request Form.