Adobe closes dangerous vulnerabilities in Flash and ColdFusion

Adobe released updates for Flash Player and the ColdFusion platform, fixing bugs that could allow the execution of arbitrary code.

In total, the developer fixed 11 vulnerabilities in three products, including the Adobe Campaign marketing solution. This set of scheduled patches is much more modest than the previous one: in May, Adobe reported closing 87 security holes.

Among the new vulnerabilities, the most dangerous are those found in the commercial Adobe ColdFusion platform, which is designed to accelerate the development of web applications.

“Adobe released security updates for ColdFusion 2018, 2016 and 11. These updates address three critical vulnerabilities that could lead to the execution of arbitrary code,” the bulletin said.

The bugs are classified as a file extension blacklist bypass (CVE-2019-7838), command injection (CVE-2019-7839), and deserialization of untrusted data (CVE-2019-7840). The patches are included in ColdFusion 2018 Update 4, ColdFusion 2016 Update 11 and ColdFusion 11 Update 19. The developer recommends installing them as soon as possible, as the product is at high risk.

Equally dangerous is a use-after-free vulnerability in Adobe Flash (CVE-2019-7845), reported by a participant in the Zero Day Initiative (ZDI) program who wished to remain anonymous.

“The use-after-free vulnerability manifests itself when processing LocalConnection objects. By performing actions in ActionScript, an attacker can cause the pointer to be reused after it is released. The vulnerability allows you to execute any code in the context of the current process,” explained ZDI representative Dustin Childs.

The problem affects all previous releases of the desktop and browser versions of Flash Player; users are strongly advised to install update 32.0.0.207.

The remaining vulnerabilities were found in the Adobe Campaign package, which is designed to facilitate the creation and management of multi-channel, personalized messages. They are a critical command injection bug (CVE-2019-7850), five information disclosure bugs (two assessed as significant, three as moderately dangerous), and an XML injection flaw that allows read access to an arbitrary file system object.

The vulnerabilities affect Adobe Campaign Classic 18.10.5-8984 and earlier builds installed on Windows and Linux. They are fixed by installing update 19.1.1-9026.

Source: https://helpx.adobe.com

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
