September 9, 2016

ColdFusion Security Patch APSB16-30 / CVE-2016-4264

On August 30, 2016, Adobe released an Adobe Security Bulletin on vulnerability APSB16-30 / CVE-2016-4264. While there is no information in the CVE-2016-4264 entry as of this writing, we expect it to be updated shortly.

What is the vulnerability?

The vulnerability, if exploited, can lead to information disclosure. What information is disclosed has not yet been identified. Typically Adobe does not release further details until customers have had adequate time to patch their systems.

What software is affected?

ColdFusion versions 10 and 11 are affected.

What about ColdFusion 9 and below?

ColdFusion 10 and 11 are the latest supported versions of the software. Core support for ColdFusion 10 ends on May 16, 2017, and core support for ColdFusion 11 ends on April 30, 2019. See ColdFusion End of Life Support for an end-of-life matrix showing which versions of ColdFusion are still supported. ColdFusion 9 and below are considered end of life. If a server is running any version that is end of life, it is recommended to upgrade to a supported version.

What steps do I need to take as a developer?

As a developer and as a general rule, you should be fine applying any hotfix. Cumulative updates are a different story, however, as they roll multiple updates into a single package. Since this is a cumulative update, it is recommended to check the release notes for the update to determine what has changed. The release notes for this update are:

ColdFusion 10 Update 21 Release Notes

ColdFusion 11 Update 10 Release Notes

As always, we recommend checking the APSB16-30 Release Notes before proceeding and ensuring there’s a good backup plan in place.

Should my server be patched?

If your server is running ColdFusion 10 or 11, which are affected by APSB16-30 / CVE-2016-4264, we recommend patching. Please see our KB article on How to Patch ColdFusion 10 and Above. It is also recommended to follow the ColdFusion Lockdown Guides to further secure the software: ColdFusion 2016 Lockdown Guide | ColdFusion 11 Lockdown Guide | ColdFusion 10 Lockdown Guide.

Who should I contact if I need further assistance on the issue?

As always, Edge stands ready to assist you if you run into problems or have questions. Please reach out to us through a ticket via the customer support portal or by calling 866.334.3932, Option 2.