This week marks the latest Patch Tuesday, which brings significant updates from Adobe aimed at addressing numerous security vulnerabilities across its key software products. In June 2019, Adobe unveiled updates to fix 11 identified vulnerabilities spread across Adobe ColdFusion, Flash Player, and Adobe Campaign.
Among these vulnerabilities, three critical flaws within Adobe ColdFusion—a platform designed for rapid web application development—have been highlighted. These vulnerabilities have been deemed critical due to their potential to facilitate arbitrary code execution attacks, posing a noteworthy risk to users and organizations reliant on this software.
The vulnerabilities affecting ColdFusion include a file extension blacklist bypass (CVE-2019-7838), a command injection issue present in ColdFusion versions 2016 and 2018 (CVE-2019-7839), and a deserialization flaw that could similarly lead to arbitrary code execution (CVE-2019-7840). Each of these vulnerabilities is characterized by its ability to be exploited if attacked adequately, heightening the urgency for organizations to implement the provided patches.
In addition to ColdFusion, Adobe has addressed a significant vulnerability in its widely used Flash Player software—specifically CVE-2019-7845—which bears critical implications as it may also lead to arbitrary code execution on Windows, macOS, Linux, or Chrome OS systems. This vulnerability was reported by an anonymous security researcher and is now patchable through the updated version 32.0.0.207 of Flash Player.
Further to these updates, Adobe has published fixes addressing seven vulnerabilities within Adobe Campaign Classic, a sophisticated cross-channel marketing management platform. Among these vulnerabilities, the sole critical flaw (CVE-2019-7843) has been noted for its potential to allow execution of commands on Windows and Linux systems via unauthorized arbitrary code execution.
At this time, Adobe has not identified any active exploitation of these vulnerabilities in the wild, though organizations are strongly advised to prioritize the installation of updated versions of the affected products. This proactive step is crucial for safeguarding against potential cyber threats and vulnerabilities.
For a comprehensive understanding of the vulnerabilities and their implications, organizations can refer to the MITRE ATT&CK framework, which provides a structured approach to categorizing the tactics and techniques associated with these vulnerabilities, including initial access, persistence, and privilege escalation among others.
As the cybersecurity landscape continues to evolve, awareness and prompt responsiveness to such updates remain essential for ensuring the integrity and security of organizational infrastructures.