Today Adobe released security updates for Flash Player and ColdFusion as part of their September 2018 monthly patch Tuesday. These updates fix numerous information disclosure vulnerabilities and critical vulnerabilities in ColdFusion that could allow attackers to remotely execute commands on a vulnerable server.

Users of affected products are strongly advised to update them to the latest versions.

Adobe's August 2018 Updates

APSB18-31 Security updates available for Adobe Flash Player

Adobe has released a security update for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. This update addresses an information disclosure vulnerability in Adobe Flash Player 30.0.0.154 and earlier versions that was reported by Microsoft’s Security Response Center.

After this update is installed, Adobe Flash Player will be at version 31.0.0.108. It does not appear that this vulnerability was being actively used in the wild.

| Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
|---|---|---|---|
| Privilege Escalation | Information Disclosure | Important | CVE-2018-15967 |

APSB18-33 Security update available for Adobe ColdFusion

Adobe has released a security update for ColdFusion versions 2018, 2016 and 11 that fixes numerous vulnerabilities, including five critical ones that could allow the execution of code on the server by a remote attacker and another that could allow files to be overwritten.

Also patched are two information disclosure vulnerabilities and one that could allow for the creation of folders. It is not known if these vulnerabilities have been actively used in attacks.

As part of this security bulletin, Adobe recommends that all ColdFusion customers follow the lockdown guides for their respective versions of ColdFusion as described below.

Adobe also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.

| Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers |
|---|---|---|---|
| Deserialization of untrusted data | Arbitrary code execution | Critical | CVE-2018-15965, CVE-2018-15957, CVE-2018-15958, CVE-2018-15959 |
| Use of a component with a known vulnerability | Information Disclosure | Moderate | CVE-2018-15964 |
| Security bypass | Arbitrary folder creation | Important | CVE-2018-15963 |
| Directory listing | Information Disclosure | Important | CVE-2018-15962 |
| Unrestricted file upload | Arbitrary code execution | Critical | CVE-2018-15961 |
| Use of a component with a known vulnerability | Arbitrary file overwrite | Critical | CVE-2018-15960 |
