Adobe Coldfusion BlazeDS Java Object Deserialisation RCE

Adobe ColdFusion is a commercial rapid web application development platform created by JJ Allaire in 1995. (The programming language used with that platform is also commonly called ColdFusion, though it is more accurately known as CFML.) It was originally designed to make it easier to connect simple HTML pages to a database. By version 2 (1996) it had become a full platform that included an IDE in addition to a full scripting language.

Adobe ColdFusion is affected by a Java deserialisation flaw in its bundled Apache BlazeDS library: BlazeDS deserialises untrusted Java objects received in incoming messages, which allows an unauthenticated remote attacker to achieve remote code execution on the server.

Affected Platforms

  • Adobe CF 2016 Update 3 and earlier
  • Adobe CF 11 update 11 and earlier
  • CF 10 Update 22 and earlier

Lab Environment

Security Patches: Upgrade to Adobe ColdFusion version 10 update 23 / 11 update 12 / 2016 update 4 or later.
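The following is an added Python example, not code from the advisory or from Adobe, that turns the two actionable points above into checks a defender can run: a version check against the patched update levels listed here (10 update 23, 11 update 12, 2016 update 4), and a request inspector that flags AMF-typed HTTP requests whose body carries a raw Java serialisation stream (the `0xAC 0xED 0x00 0x05` stream header defined by the Java serialisation protocol) and lists the dotted class names that follow it for triage. The `application/x-amf` content type, the sample request bodies and the class name `com.example.Widget` are assumptions constructed for the example; the AMF bytes are only illustrative framing, not a valid BlazeDS message.

```python
import re

# Java serialisation stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (0x0005)
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"

# Content type used for AMF traffic (assumption for this example)
AMF_CONTENT_TYPE = "application/x-amf"

# Minimum patched update level per ColdFusion major, taken from the advisory above
PATCHED_UPDATE = {10: 23, 11: 12, 2016: 4}

# Dotted Java class names (e.g. com.example.Widget) as they appear in a stream
CLASS_NAME_RE = re.compile(rb"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+")


def is_patched(major: int, update: int) -> bool:
    """Return True when the given ColdFusion major/update meets the patched level."""
    if major not in PATCHED_UPDATE:
        raise ValueError(f"ColdFusion {major} is not covered by this advisory")
    return update >= PATCHED_UPDATE[major]


def inspect_request(headers: dict, body: bytes) -> dict:
    """Inspect one HTTP request (lower-cased header names, raw body bytes).

    Returns a dict with:
      amf                    - request is typed as AMF
      java_serialized_offset - byte offset of a Java serialisation header, or None
      class_names            - dotted class names found after that header
      suspicious             - AMF request carrying a raw Java serialised object
    """
    content_type = headers.get("content-type", "").lower()
    is_amf = content_type.startswith(AMF_CONTENT_TYPE)

    offset = body.find(JAVA_SER_MAGIC)
    class_names = []
    if offset != -1:
        # Collect readable class names after the stream header for analyst review
        class_names = sorted(
            {m.decode("ascii") for m in CLASS_NAME_RE.findall(body[offset:])}
        )

    return {
        "amf": is_amf,
        "java_serialized_offset": None if offset == -1 else offset,
        "class_names": class_names,
        # A serialised Java object has no business inside an AMF payload
        "suspicious": is_amf and offset != -1,
    }


# Constructed sample bodies (illustrative AMF-like framing, not real traffic)
SAMPLE_BENIGN = (
    b"\x00\x03"            # AMF version 3
    b"\x00\x00"            # header count 0
    b"\x00\x01"            # message count 1
    b"\x00\x04null"        # target URI
    b"\x00\x02/1"          # response URI
    b"\x00\x00\x00\x05"    # body length
    b"\x0a\x00\x00\x00\x00"  # empty strict array
)
SAMPLE_SUSPECT = (
    SAMPLE_BENIGN
    + JAVA_SER_MAGIC
    + b"\x73\x72\x00\x12com.example.Widget"  # TC_OBJECT, TC_CLASSDESC, class name
)

if __name__ == "__main__":
    for major, update in [(10, 22), (10, 23), (11, 11), (2016, 3), (2016, 4)]:
        print(f"ColdFusion {major} update {update}: patched={is_patched(major, update)}")
    hdrs = {"content-type": AMF_CONTENT_TYPE}
    print(inspect_request(hdrs, SAMPLE_BENIGN))
    print(inspect_request(hdrs, SAMPLE_SUSPECT))
```

The version check encodes only the thresholds the advisory states, so it raises rather than guessing for majors the advisory does not cover. The request inspector is a coarse triage filter for a WAF log or proxy capture: it does not parse AMF, it simply refuses to accept a bare Java serialisation stream inside an AMF-typed request as normal, which is a cheap signal to route such requests to review while patching is under way.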