
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN183
_____________________________________________________________________

DATE                : 26/03/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Adobe ColdFusion versions prior to
                      2016 Update 17, 2018 Update 11, 2021 Update 1.

=====================================================================
https://helpx.adobe.com/security/products/coldfusion/apsb21-16.html
_____________________________________________________________________

Security updates available for Adobe ColdFusion | APSB21-16

Bulletin ID    Date Published    Priority
APSB21-16      March 22, 2021    2


Summary

Adobe has released security updates for ColdFusion versions 2021, 2016
and 2018. These updates resolve a vulnerability rated moderate that
could lead to arbitrary code execution.


Affected Versions

Product          Update number                     Platform

ColdFusion 2016  Update 16 and earlier versions    All
ColdFusion 2018  Update 10 and earlier versions    All
ColdFusion 2021  Version 2021.0.0.323925           All


Solution

Adobe categorizes these updates with the following priority rating and
recommends users update their installations to the newest versions:

Product          Updated Version  Platform  Priority rating  Availability

ColdFusion 2016  Update 17        All       2                Tech note
ColdFusion 2018  Update 11        All       2                Tech note
ColdFusion 2021  Update 1         All       2                Tech note

Note:

Adobe recommends updating your ColdFusion JDK/JRE to the latest version
of the LTS releases for 1.8 and JDK 11. Applying the ColdFusion update
without a corresponding JDK update will NOT secure the server.  See the
relevant Tech Notes for more details.

Adobe also recommends that customers apply the security configuration
settings outlined on the ColdFusion Security page and review the
respective Lockdown guides.

    ColdFusion 2018 Auto-Lockdown guide
    ColdFusion 2016 Lockdown Guide
    ColdFusion 2021 Lockdown Guide


Vulnerability Details

Vulnerability Category     Vulnerability Impact      Severity  CVE Number
Improper Input Validation  Arbitrary Code Execution  Moderate  CVE-2021-21087


Acknowledgements

Adobe would like to thank Josh Lane for reporting the relevant issues
and for working with Adobe to help protect our customers.


ColdFusion JDK Requirement

COLDFUSION 2018 HF1 and above

For Application Servers

On JEE installations, set the following JVM flag in the startup file of
the Application Server being used:

    -Djdk.serialFilter=!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**

For example:

Apache Tomcat Application Server: edit JAVA_OPTS in the 'Catalina.bat/sh'
file

WebLogic Application Server: edit JAVA_OPTIONS in the 'startWeblogic.cmd'
file

WildFly/EAP Application Server: edit JAVA_OPTS in the 'standalone.conf'
file

Set the JVM flags on a JEE installation of ColdFusion, not on a
standalone installation.

COLDFUSION 2016 HF7 and above

This security update requires ColdFusion to be on JDK 8u121 or higher.
Adobe recommends that you manually update your ColdFusion JDK/JRE to the
latest version. If you do not update the JDK/JRE, applying this update
alone will NOT secure the server.

For Application Servers

Additionally, on JEE installations, set the following JVM flag in the
startup file of the Application Server being used:

    -Djdk.serialFilter=!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**

For example:

On Apache Tomcat Application Server, edit JAVA_OPTS in the
'Catalina.bat/sh' file

On WebLogic Application Server, edit JAVA_OPTIONS in the
'startWeblogic.cmd' file

On a WildFly/EAP Application Server, edit JAVA_OPTS in the
'standalone.conf' file

Set the JVM flags on a JEE installation of ColdFusion, not on a
standalone installation.
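As an added example (not part of the Adobe bulletin or this CERT-Renater note), a POSIX shell helper that checks whether a Tomcat-style startup file already sets the jdk.serialFilter flag with all three package patterns named above, appends it to JAVA_OPTS if not, and checks a JDK 8 version string against the 8u121 minimum; the file path, the sh-syntax JAVA_OPTS assumption and the script name are assumptions (WebLogic uses JAVA_OPTIONS instead).

```shell
#!/bin/sh
# Added example, not Adobe's code. Assumes an sh-style startup file
# (catalina.sh / setenv.sh) that sets JAVA_OPTS.

# Filter string exactly as given in the advisory.
SERIAL_FILTER='!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**'

# 0 if FILE sets -Djdk.serialFilter on a non-comment line and that filter
# rejects all three package patterns; 1 otherwise (a partial filter fails).
serial_filter_ok() {
    file="$1"
    [ -r "$file" ] || return 1
    filters=$(grep -v '^[[:space:]]*#' "$file" | grep -o 'jdk\.serialFilter=[^" ]*') || return 1
    for p in '!org.mozilla.**' '!com.sun.syndication.**' '!org.apache.commons.beanutils.**'; do
        printf '%s\n' "$filters" | grep -qF -- "$p" || return 1
    done
}

# Idempotently append the flag to JAVA_OPTS in FILE, then re-check it.
add_serial_filter() {
    file="$1"
    serial_filter_ok "$file" && return 0
    printf '\n# APSB21-16: reject deserialization of the listed packages\nexport JAVA_OPTS="$JAVA_OPTS -Djdk.serialFilter=%s"\n' \
        "$SERIAL_FILTER" >> "$file"
    serial_filter_ok "$file"
}

# 0 if a JDK 8 version string such as 1.8.0_121 is 8u121 or higher (the
# minimum named for ColdFusion 2016 HF7+); 1 for older 8 builds or other majors.
jdk8_meets_minimum() {
    case "$1" in 1.8.0_*) ;; *) return 1 ;; esac
    upd=${1#1.8.0_}
    upd=${upd%%[!0-9]*}          # strip a "-b09" style build suffix
    [ -n "$upd" ] && [ "$upd" -ge 121 ]
}

# Usage (hypothetical script name): sh check_cf_serialfilter.sh /opt/tomcat/bin/catalina.sh
if [ $# -eq 1 ]; then
    if add_serial_filter "$1"; then echo "jdk.serialFilter set in $1"; else echo "FAILED for $1"; fi
fi
```

The check is textual; to confirm the running JVM actually picked the property up, inspect it with `jcmd <pid> VM.system_properties | grep jdk.serialFilter`.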


Adobe Disclaimer


License agreement

By using software of Adobe Incorporated or its subsidiaries ("Adobe"),
you agree to the following terms and conditions. If you do not agree
with such terms and conditions, do not use the software. The terms of an
end user license agreement accompanying a particular software file upon
installation or download of the software shall supersede the terms
presented below.

The export and re-export of Adobe software products are controlled by
the United States Export Administration Regulations and such software
may not be exported or re-exported to Cuba, Iran, North Korea, Syria and
the Crimea region of Ukraine, or any country to which the United States
embargoes goods. In addition, Adobe software may not be distributed to
persons on the Table of Denial Orders, the Entity List, or the List of
Specially Designated Nationals.

By downloading or using an Adobe software product you are certifying
that you are not a national of Cuba, Iran, North Korea, Syria, and the
Crimea region of Ukraine, or any country to which the United States
embargoes goods and that you are not a person on the Table of Denial
Orders, the Entity List, or the List of Specially Designated Nationals.
If the software is designed for use with an application software product
(the "Host Application") published by Adobe, Adobe grants you a
non-exclusive license to use such software with the Host Application
only, provided you possess a valid license from Adobe for the Host
Application. Except as set forth below, such software is licensed to you
subject to the terms and conditions of the End User License Agreement
from Adobe governing your use of the Host Application.

DISCLAIMER OF WARRANTIES: YOU AGREE THAT ADOBE HAS MADE NO EXPRESS
WARRANTIES TO YOU REGARDING THE SOFTWARE AND THAT THE SOFTWARE IS BEING
PROVIDED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. ADOBE DISCLAIMS
ALL WARRANTIES WITH REGARD TO THE SOFTWARE, EXPRESS OR IMPLIED,
INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF FITNESS FOR A
PARTICULAR PURPOSE, MERCHANTABILITY, MERCHANTABLE QUALITY OR
NONINFRINGEMENT OF THIRD PARTY RIGHTS. Some states or jurisdictions do
not allow the exclusion of implied warranties, so the above limitations
may not apply to you.

LIMIT OF LIABILITY: IN NO EVENT WILL ADOBE BE LIABLE TO YOU FOR ANY LOSS
OF USE, INTERRUPTION OF BUSINESS, OR ANY DIRECT, INDIRECT, SPECIAL,
INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND (INCLUDING LOST
PROFITS) REGARDLESS OF THE FORM OF ACTION WHETHER IN CONTRACT, TORT
(INCLUDING NEGLIGENCE), STRICT PRODUCT LIABILITY OR OTHERWISE, EVEN IF
ADOBE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Some states
or jurisdictions do not allow the exclusion or limitation of incidental
or consequential damages, so the above limitation or exclusion may not
apply to you.


Revisions

March 26, 2021: Updated Severity rating for CVE-2021-21087.

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


