ColdFusion FlashGateway Deserialization RCE CVE-2019-7091
Description
Adobe ColdFusion releases before the updates listed below deserialize untrusted data in the FlashGateway component (CVE-2019-7091), the endpoint that accepts Flash Remoting requests. The gateway deserializes the objects a client sends before any authentication takes place, so an attacker with network access to it can submit a crafted serialized Java object that triggers code execution during deserialization itself. The result is arbitrary code execution as the account running the ColdFusion service, from an unauthenticated network position.
Remediation
Apply the security patches immediately as outlined in Adobe Security Bulletin APSB19-10:
1. Identify affected versions: ColdFusion 2016 Update 10 and earlier, ColdFusion 2018 Update 3 and earlier, and ColdFusion 11 Update 17 and earlier are vulnerable. The installed update number is shown on the ColdFusion Administrator home page and in the CFML variable server.coldfusion.productversion (format major,minor,update,build). ColdFusion 10 and earlier were already out of support when the bulletin was issued and receive no fix; treat them as vulnerable.
2. Apply patches: update to ColdFusion 2016 Update 11, ColdFusion 2018 Update 4, or ColdFusion 11 Update 18 (or any later update for that branch). Updates can be applied from the Administrator's Server Updates page or from the command line with the update JAR; check the bulletin for prerequisites (an earlier update or a minimum JDK version) before applying, and restart the ColdFusion service afterwards.
3. Temporary mitigation: if patching must wait, disable Flash Remoting in the ColdFusion Administrator (under Data & Services > Flex Integration) wherever it is not required, or restrict access to the gateway path (by default /flashgateway/) with firewall rules or WAF policies. Apply the restriction at every entry point, both the front-end web server connector and ColdFusion's built-in web server (port 8500 by default), since the gateway is reachable through either. A path-based WAF rule is a stopgap only: it does not fix the deserialization and may be bypassed by differences in path normalization.
4. Verify remediation: after patching, confirm the new update number in the Administrator, re-scan, and review web server and ColdFusion logs for POST requests to the gateway path from unexpected sources, as well as for unusual child processes or outbound connections from the ColdFusion service. Any sign of exploitation before the patch means the host should be treated as compromised and handled through incident response; the update closes the entry point but does not remove a foothold that was already established.
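The four steps above, as an added example that is not part of the original page and not Adobe's tooling: a small triage script that classifies an installed version against the fixed update numbers listed above (step 1) and scans access-log lines for gateway requests from outside trusted networks (step 4). It assumes the version string uses the major,minor,update,build form of server.coldfusion.productversion, that the gateway is served under /flashgateway/, and that the logs are in Common Log Format; the sample version and log lines are constructed for the demonstration.

```python
"""Triage helpers for the CVE-2019-7091 remediation steps above.

Added example; this is not code from the page or from Adobe. Assumptions:
  * version strings use the "major,minor,update,build" form that ColdFusion
    exposes as server.coldfusion.productversion, e.g. "2018,0,03,314033";
  * the first fixed update per branch is taken from the remediation list above;
  * the Flash Remoting gateway is reached under /flashgateway/ (assumed path);
  * access logs are in Common Log Format; the sample lines are constructed.
"""
import re
from ipaddress import ip_address, ip_network

# First fixed update number per ColdFusion branch, as listed in the remediation steps.
FIXED_UPDATE = {"11": 18, "2016": 11, "2018": 4}

# Path prefix of the component to watch in access logs (assumed conventional path).
GATEWAY_PREFIX = "/flashgateway"

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_productversion(version):
    """Return (branch, update) from e.g. "2018,0,03,314033" -> ("2018", 3)."""
    parts = version.strip().split(",")
    if len(parts) < 3 or not parts[2].isdigit():
        raise ValueError(f"unrecognised productversion string: {version!r}")
    return parts[0], int(parts[2])


def is_vulnerable(version):
    """True if the install predates the fixed update for its branch.

    Returns None for branches not in the table (e.g. end-of-life releases),
    which still need attention but cannot be classified from the list above.
    """
    branch, update = parse_productversion(version)
    fixed = FIXED_UPDATE.get(branch)
    if fixed is None:
        return None
    return update < fixed


def find_gateway_requests(log_lines, trusted_networks=()):
    """Return gateway requests whose source lies outside the trusted networks.

    Each hit is a dict with ip, timestamp, method and status. A request that
    ends in a 500 deserves a second look (a failed deserialization often
    surfaces as a server error), but neither status by itself proves exploitation.
    """
    trusted = [ip_network(n) for n in trusted_networks]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").lower().startswith(GATEWAY_PREFIX):
            continue
        try:
            src = ip_address(m.group("ip"))
        except ValueError:
            continue  # hostname or "-" in the client field: cannot scope it
        if any(src in net for net in trusted):
            continue
        hits.append({
            "ip": str(src),
            "timestamp": m.group("ts"),
            "method": m.group("method"),
            "status": int(m.group("status")),
        })
    return hits


def summarise_by_source(hits):
    """Collapse hits into {ip: {"requests": n, "statuses": [sorted status codes]}}."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["ip"], {"requests": 0, "statuses": set()})
        entry["requests"] += 1
        entry["statuses"].add(h["status"])
    return {ip: {"requests": e["requests"], "statuses": sorted(e["statuses"])}
            for ip, e in summary.items()}


# Constructed sample input: a pre-fix version string and a few access-log lines.
SAMPLE_VERSION = "2018,0,03,314033"
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2019:03:14:11 +0000] "POST /flashgateway/ HTTP/1.1" 200 512
198.51.100.23 - - [10/Feb/2019:03:15:02 +0000] "GET /index.cfm HTTP/1.1" 200 2048
203.0.113.7 - - [10/Feb/2019:03:16:40 +0000] "POST /flashgateway/ HTTP/1.1" 500 0
10.0.0.5 - - [10/Feb/2019:03:17:01 +0000] "POST /flashgateway/ HTTP/1.1" 200 300
""".splitlines()

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable(SAMPLE_VERSION))
    hits = find_gateway_requests(SAMPLE_LOG, ["10.0.0.0/8"])
    for ip, info in summarise_by_source(hits).items():
        print(ip, info)
```

Run against the constructed sample, the script reports the version as vulnerable and flags the two gateway POSTs from 203.0.113.7 while ignoring the internal 10.0.0.5 client; in practice, feed it the version string from each server and the access logs for the window before the patch was applied, and treat any external hit as a lead for incident response rather than as proof of compromise.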