Today Adobe released security updates for Flash Player and ColdFusion as part of their September 2018 monthly patch Tuesday. These updates fix numerous information disclosure vulnerabilities and critical vulnerabilities in ColdFusion that could allow attackers to remotely execute commands on a vulnerable server.

Users of affected products are strongly advised to update them to the latest versions.

Adobe's August 2018 Updates

APSB18-31 Security updates available for Adobe Flash Player

Adobe has released a security update for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. This update addresses an information disclosure vulnerability in Adobe Flash Player 30.0.0.154 and earlier versions that was reported by Microsoft’s Security Response Center

After this update is installed, Adobe Flash Player will be at version 31.0.0.108. It does not appear that this vulnerability was being actively used in the wild.

Vulnerability Category Vulnerability Impact Severity CVE Number
Privilege Escalation Information Disclosure Important CVE-2018-15967

APSB18-33 Security update available for Adobe ColdFusion

Adobe has released a security update for ColdFusion versions 2018, 2016 and 11 that fixes numerous vulnerabilities, including five critical ones that could allow the execution of code on the server by a remote attacker and another that could allow files to be overwritten.

Also patched are two information disclosure vulnerabilities and one that could allow for the creation of folders. It is not know if these vulnerabilities have been actively used in attacks.

As part of this security bulletin, Adobe recommends that all ColdFusion customers follow the lockdown guides for their respective versions of ColdFusion as described below.

Adobe also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.

Vulnerability Category Vulnerability Impact Severity CVE Numbers
Deserialization of untrusted data Arbitrary code execution Critical

CVE-2018-15965 

CVE-2018-15957 

CVE-2018-15958

CVE-2018-15959

Use of a component with a known vulnerability Information Disclosure Moderate CVE-2018-15964
Security bypass Arbitrary folder creation Important CVE-2018-15963
Directory listing Information Disclosure Important CVE-2018-15962
Unrestricted file upload  Arbitrary code execution Critical CVE-2018-15961
Use of a component with a known vulnerability Arbitrary file overwrite Critical CVE-2018-15960

Related Articles:

Adobe Releases Security Update for Acrobat Vulnerability with Public PoC

Microsoft October 2018 Patch Tuesday Fixes 12 Critical Vulnerabilities

Adobe Releases October 2018 Security Updates. None for Flash Player!

Adobe Releases Security Updates for Acrobat that Fix 86 Vulnerabilities

Critical Security Update Released for Adobe Reader and Acrobat