August 18th, 2009

Adobe plugs critical ColdFusion, JRun vulnerabilities

Posted by Ryan Naraine @ 12:11 pm

Categories: Adobe, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Flash, Java, Malware, Patch Watch, Pen testing, Responsible disclosure, Vulnerability research

Tags: Adobe Systems Inc., Macromedia JRun, Allaire ColdFusion, Vulnerability, XSS, Cross-site Scripting Vulnerability, Development Tools, Software Development, Software/Web Development, Ryan Naraine

Adobe’s never-ending run on the security treadmill hit a new gear this week with the release of patches to cover serious vulnerabilities in the ColdFusion and JRun web design and development platforms.

The patches, rated critical, cover a total of 7 vulnerabilities, some of which “could lead to the potential compromise of user accounts or the affected system,” according to an advisory from Adobe (Techmeme).  They affect ColdFusion v8.0.1 and earlier versions, and JRun 4.0.

[ SEE: Adobe piggybacks on Microsoft Patch Tuesday ]

The raw details:

  • An update for ColdFusion resolves a cross-site scripting vulnerability that could potentially lead to code execution (CVE-2009-1872).
  • An update for ColdFusion resolves a cross-site scripting vulnerability that could potentially lead to code execution (CVE-2009-1877).
  • An update for JRun resolves a management console directory traversal vulnerability that could potentially lead to information disclosure (CVE-2009-1873).
  • An update for JRun resolves multiple management console cross-site scripting vulnerabilities that could potentially lead to code execution (CVE-2009-1874).
  • An update for ColdFusion resolves multiple cross-site scripting vulnerabilities that could potentially lead to code execution (CVE-2009-1875).
  • An update for ColdFusion resolves a double-encoded null character vulnerability that could potentially lead to information disclosure (CVE-2009-1876).
  • An update for ColdFusion resolves a session fixation vulnerability that could potentially lead to privilege escalation (CVE-2009-1878).

Adobe rates these flaws as “critical” and recommends that affected users patch their installations immediately.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.



  • Talkback
  • Most Recent of 4 Talkback(s)
RE: Adobe plugs critical ColdFusion, JRun vulnerabilities
There is a handy guide to applying these hotfixes available on the Coldfusion Security.org site at:

Posted by: coldfusionsecurity.org Posted on: 08/22/09
but only windoze systems are vulnerable  Linux Geek | 08/18/09
Reading difficulties? Platform: All Platforms  honeymonster | 08/18/09
Deleted. (nt)  honeymonster | 08/18/09
RE: Adobe plugs critical ColdFusion, JRun vulnerabilities  coldfusionsecurity.org | 08/22/09
