PT-2017-2027 · Apache · Apache Blazeds

Author: Faisal Tameesh
Published: 2017-04-25
Updated: 2025-03-12
CVE: CVE-2017-3066
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Adobe ColdFusion 2016 Update 3 and earlier
Adobe ColdFusion 11 Update 11 and earlier
Adobe ColdFusion 10 Update 22 and earlier

Description

The issue stems from insufficient access control in the Apache BlazeDS library used by Adobe ColdFusion, which leads to a Java deserialization vulnerability and, through it, to arbitrary code execution. A remote attacker can trigger it over HTTP: because of an error in how incoming data is processed, attacker-supplied serialized Java objects are deserialized and arbitrary code is executed. The vulnerability has been known since 2017 but still poses a threat to unpatched systems. Attackers have actively exploited similar vulnerabilities in Oracle Agile PLM, which indicates heightened interest in this class of product.

Recommendations

For Adobe ColdFusion 2016 Update 3 and earlier, update to a version later than Update 3 to fix the Java deserialization vulnerability in the Apache BlazeDS library.
For Adobe ColdFusion 11 Update 11 and earlier, update to a version later than Update 11 to fix the Java deserialization vulnerability in the Apache BlazeDS library.
For Adobe ColdFusion 10 Update 22 and earlier, update to a version later than Update 22 to fix the Java deserialization vulnerability in the Apache BlazeDS library.
As a temporary workaround until the update can be applied, restrict network access to the endpoints served by the Apache BlazeDS library.

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2017-01194
CVE-2017-3066

Affected Products

Coldfusion
Apache Blazeds