Skip to main content

Adobe Updates Fix Critical Vulnerabilities in ColdFusion, Campaign, and Flash Player

by Chris Brook on Tuesday June 11, 2019

Contact Us
Free Demo

Adobe is urging users to patch 10 vulnerabilities, five of them critical, in three different products this week.

As it customarily does on the second Tuesday of each month, Adobe urged users to patch several vulnerabilities – 10 total, some of them critical - in its software line this week.

The company pushed updates on Tuesday morning for ColdFusion - its rapid development platform for building modern web applications, Campaign - its marketing campaign platform, and – of course – its ubiquitous, near-death Flash Player.

Each of the updates address at least one critical vulnerability.

The ColdFusion update resolves three vulnerabilities, including a file extension blacklist bypass that can be exploited if the file uploads directory is web accessible, a command injection vulnerability, and a deserialization of untrusted data vulnerability, that could all lead to arbitrary code execution. The updates affect ColdFusion 2018, ColdFusion 2016, and ColdFusion 11, released in 2014.

The Campaign update actually addresses seven vulnerabilities but only one of them is branded critical, a command injection vulnerability - CVE-2019-7850, as it can lead to arbitrary code execution. The rest of the fixes resolve a mix of moderate to important issues like improper error handling, inadequate access control, and an information disclosure issue stemming from insufficient input validation.

The Campaign update affects Campaign Classic versions 18.10.5-8984 and earlier; it brings the software to versions 19.1.1-9026 on Windows and Linux.

Lastly, the Flash Player update addresses just one issue but it’s a critical use after free vulnerability that, like the others patched on Tuesday, could lead to arbitrary code execution if exploited. Little is known about the vulnerability (CVE-2019-7845) outside of the fact that it was anonymously reported via Trend Micro’s Zero Day Initiative.

The vulnerability impacts versions and earlier of Adobe Flash Player Desktop Runtime (for Windows, macOS and Linux), Adobe Flash Player for Google Chrome (for Windows, macOS, Linux and Chrome OS) and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (for Windows 10 and 8.1). Users are being urged to update to version to mitigate the vulnerability.

The updates are likely a welcome reprieve for admins following last months' massive update that saw Adobe fix 87 vulnerabilities across three families of programs including Acrobat and Reader, Flash Player, and Media Encoder.

Per usual, Microsoft also pushed updates on Tuesday, fixing 88 vulnerabilities across a dozen plus products, including Internet Explorer, Edge, Windows, ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, Skype for Business and Microsoft Lync, Exchange Server, Azure, and SQL Server.

Tags:  Vulnerabilities

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.