Adobe ColdFusion Remote Code Execution Vulnerability (CVE-2021-21087)

Mar 25, 2021 GMT+08:00

I. Overview

Adobe has officially disclosed a remote code execution vulnerability in ColdFusion (CVE-2021-21087). In certain ColdFusion versions, attackers can exploit input validation defects to execute code remotely.

Adobe ColdFusion is a commercial platform for rapid web application development. If you are an Adobe ColdFusion user, check your service version and apply security hardening promptly.

For more information about this vulnerability, visit the following website:

https://helpx.adobe.com/security/products/coldfusion/apsb21-16.html

II. Severity

Severity: important

(Severity levels: low, moderate, important, and critical)

III. Affected Products

Affected versions:

Adobe ColdFusion 2021: Version 2021.0.0.323925 and earlier

Adobe ColdFusion 2018: Update 10 and earlier

Adobe ColdFusion 2016: Update 16 and earlier

Secure versions:

Adobe ColdFusion 2021 Update 1

Adobe ColdFusion 2018 Update 11

Adobe ColdFusion 2016 Update 17
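
The following inventory check is an added example, not Adobe's tooling or part of the original notice. It classifies reported ColdFusion version strings against the affected and secure versions listed above. It assumes a four-field version string (release, minor, update level, build) separated by commas or dots; the hostnames and build numbers in the sample inventory are constructed.

```python
import re

# Thresholds taken from the notice: release -> first secure update number.
FIXED_UPDATE = {2021: 1, 2018: 11, 2016: 17}
# The notice states the 2021 boundary as a full build string.
LAST_AFFECTED_2021 = (2021, 0, 0, 323925)


def parse_version(raw):
    """Parse '2018,0,10,320417' or '2018.0.10.320417' into a 4-int tuple.

    Assumption: the fields are release, minor, update level, build number.
    """
    parts = re.split(r"[.,]", raw.strip())
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ColdFusion version string: {raw!r}")
    return tuple(int(p) for p in parts)


def assess(raw):
    """Return (status, detail) for one reported version string."""
    try:
        version = parse_version(raw)
    except ValueError as exc:
        return "unknown", str(exc)
    release, _minor, update, _build = version
    if release not in FIXED_UPDATE:
        return "unknown", f"release {release} is not listed in the notice"
    target = f"ColdFusion {release} Update {FIXED_UPDATE[release]}"
    if release == 2021:
        affected = version <= LAST_AFFECTED_2021
    else:
        affected = update < FIXED_UPDATE[release]
    if affected:
        return "affected", f"upgrade to {target}"
    return "fixed", f"at or above {target}"


# Constructed inventory (hostnames and build numbers are made up).
INVENTORY = {
    "cf-app-01": "2021.0.0.323925",
    "cf-app-02": "2018,0,10,111111",
    "cf-app-03": "2016,0,17,222222",
    "cf-legacy": "11,0,19,333333",
}

if __name__ == "__main__":
    for host, raw in INVENTORY.items():
        status, detail = assess(raw)
        print(f"{host:10} {raw:18} {status:9} {detail}")
```

Releases that the notice does not list are reported as "unknown" rather than "fixed", so they are reviewed by hand.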

IV. Vulnerability Handling

This vulnerability has been fixed in the latest official version. If your service version falls within the affected range, upgrade it to the latest secure version.

Adobe ColdFusion 2021 Update 1

Adobe ColdFusion 2018 Update 11

Adobe ColdFusion 2016 Update 17

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.