First published: Thu Apr 27 2017(Updated: )
Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.
Credit: psirt@adobe.com
Affected Software | Affected Version | How to fix |
---|---|---|
Adobe ColdFusion | =10.0 | |
Adobe ColdFusion | =10.0-update1 | |
Adobe ColdFusion | =10.0-update10 | |
Adobe ColdFusion | =10.0-update11 | |
Adobe ColdFusion | =10.0-update12 | |
Adobe ColdFusion | =10.0-update13 | |
Adobe ColdFusion | =10.0-update14 | |
Adobe ColdFusion | =10.0-update15 | |
Adobe ColdFusion | =10.0-update16 | |
Adobe ColdFusion | =10.0-update17 | |
Adobe ColdFusion | =10.0-update18 | |
Adobe ColdFusion | =10.0-update19 | |
Adobe ColdFusion | =10.0-update2 | |
Adobe ColdFusion | =10.0-update20 | |
Adobe ColdFusion | =10.0-update21 | |
Adobe ColdFusion | =10.0-update22 | |
Adobe ColdFusion | =10.0-update3 | |
Adobe ColdFusion | =10.0-update4 | |
Adobe ColdFusion | =10.0-update5 | |
Adobe ColdFusion | =10.0-update6 | |
Adobe ColdFusion | =10.0-update7 | |
Adobe ColdFusion | =10.0-update8 | |
Adobe ColdFusion | =10.0-update9 | |
Adobe ColdFusion | =11.0 | |
Adobe ColdFusion | =11.0-update1 | |
Adobe ColdFusion | =11.0-update10 | |
Adobe ColdFusion | =11.0-update11 | |
Adobe ColdFusion | =11.0-update2 | |
Adobe ColdFusion | =11.0-update3 | |
Adobe ColdFusion | =11.0-update4 | |
Adobe ColdFusion | =11.0-update5 | |
Adobe ColdFusion | =11.0-update6 | |
Adobe ColdFusion | =11.0-update7 | |
Adobe ColdFusion | =11.0-update8 | |
Adobe ColdFusion | =11.0-update9 | |
Adobe ColdFusion | =2016 | |
Adobe ColdFusion | =2016-update1 | |
Adobe ColdFusion | =2016-update2 | |
Adobe ColdFusion | =2016-update3 | |
Adobe ColdFusion |
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2017-3066 is classified as critical due to its potential for arbitrary code execution.
To mitigate CVE-2017-3066, update Adobe ColdFusion to a version that has addressed this vulnerability.
CVE-2017-3066 affects Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, and ColdFusion 10 Update 22 and earlier.
Successful exploitation of CVE-2017-3066 could allow attackers to execute arbitrary code on the affected system.
While a specific workaround for CVE-2017-3066 is not provided, limiting access to the affected services can help reduce the risk until an update is applied.