Adobe has released September 2018 security patch updates for a total of 10 vulnerabilities in Flash Player and ColdFusion, six of which are rated as critical that affected ColdFusion and could allow attackers to remotely execute arbitrary code on a vulnerable server.
What’s the good news this month for Adobe users?
This month Adobe Acrobat and Reader applications did not receive any patch update, while Adobe Flash Player has received an update for just a single privilege escalation vulnerability (CVE-2018-15967) rated as important.
Secondly, Adobe said none of the security vulnerabilities patched this month were either publicly disclosed or found being actively exploited in the wild.
Total 9 Security Patches for Adobe ColdFusion
Adobe has addressed a total of nine security vulnerabilities in its ColdFusion web application development platform, six of which are critical, two important and one moderate.
According to the advisory released by Adobe, ColdFusion contained four critical deserialization of untrusted data vulnerabilities (CVE-2018-15965, CVE-2018-15957, CVE-2018-15958, CVE-2018-15959) that could result in arbitrary code execution.
Out of the remaining two critical vulnerabilities addressed in ColdFusion, one is unrestricted file upload flaw (CVE-2018-15961) that could lead to arbitrary code execution, and the other (CVE-2018-15960) could enable arbitrary file overwrite.
The company has also released patches for two “important” security vulnerabilities in ColdFusion–security bypass glitch (CVE-2018-15963) that allows arbitrary folder creation, and directory listing flaw (CVE-2018-15962) that could enable information disclosure–and a moderate information disclosure bug (CVE-2018-15964).
The vulnerabilities impact 2016 (Update 6 and earlier versions) and the July 12 (2018) release of ColdFusion, along with ColdFusion 11 (Update 14 and earlier versions).
Adobe recommends end users and administrators to update their installations to ColdFusion 2018 Update 1, ColdFusion 2016 Update 7, and ColdFusion 11 Update 15.
Adobe Also Patches An important Flaw In Flash Player
Besides ColdFusion, Adobe also released a security update for Flash Player for Windows, macOS, Linux, and Chrome OS, addressing an “important” flaw in all for versions 184.108.40.206 and earlier for Google Chrome, Desktop Runtime, Microsoft Edge and Internet Explorer 11.
The issue is a privilege escalation vulnerability (CVE-2018-15967) that could lead to information disclosure. The company recommends Flash Player users to update to version 220.127.116.11 as soon as possible.