Adobe patches four exploited ColdFusion flaws

“This hotfix,” said Adobe, “addresses vulnerabilities that could permit an unauthorized user to remotely circumvent authentication controls, potentially allowing the attacker to take control of the affected server.”

Charlie Arehart, an independent ColdFusion consultant, was one ColdFusion customer ‘hit’ by an exploit. “I found that I too had been hit,” he blogged on January 2. “The upshot is that a file is put on your server which gives a hacker pretty much unfettered access to a lot of things including reading/downloading/uploading/renaming and creating files, accessing datasource information, and more. The file to look for is called h.cfm and is placed in the CFIDE directory (at least in the current rendition of the hack, which may very likely change when the hacker learns that it's being publicized.)”
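The practical check a ColdFusion administrator wants after reading the above is whether h.cfm has been dropped into a CFIDE directory on their own servers. The script below is an added example written for this article, not code from Adobe or from Arehart. It walks a webroot, reports any h.cfm under a CFIDE directory, and (because Arehart warns the file name may change) also lists other .cfm files under CFIDE modified in the last 30 days for manual review. The sample webroot it builds in a temporary directory is constructed for the demonstration; the file CFIDE/scripts/x.cfm in it is a hypothetical renamed drop, not an indicator from the article.

```python
import os
import tempfile
import time

# Indicator named in the article: a file called h.cfm placed in the CFIDE directory.
WEBSHELL_NAME = "h.cfm"
DAY = 86400


def find_cfide_dirs(root):
    """Yield every directory named CFIDE under root. Matching is case-insensitive
    because ColdFusion is frequently deployed on Windows."""
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.lower() == "cfide":
                yield os.path.join(dirpath, d)


def scan_cfide(root, recent_days=30, now=None):
    """Scan a ColdFusion webroot for the h.cfm indicator.

    Returns a dict of sorted path lists:
      'h_cfm'      - files named h.cfm anywhere under a CFIDE directory
      'recent_cfm' - other .cfm files under CFIDE modified within recent_days,
                     for manual review in case the dropped file has been renamed
    """
    now = time.time() if now is None else now
    cutoff = now - recent_days * DAY
    result = {"h_cfm": [], "recent_cfm": []}
    for cfide in find_cfide_dirs(root):
        for dirpath, _, filenames in os.walk(cfide):
            for name in filenames:
                path = os.path.join(dirpath, name)
                if name.lower() == WEBSHELL_NAME:
                    result["h_cfm"].append(path)
                elif name.lower().endswith(".cfm") and os.path.getmtime(path) >= cutoff:
                    result["recent_cfm"].append(path)
    for key in result:
        result[key].sort()
    return result


def build_sample_tree(base, now):
    """Constructed sample webroot (not real data): stock CFIDE pages with old
    mtimes, the h.cfm indicator, a hypothetical renamed drop, and a file outside
    CFIDE that must not be reported."""
    old = now - 400 * DAY
    files = {
        "wwwroot/CFIDE/administrator/index.cfm": old,
        "wwwroot/CFIDE/scripts/ajax/package.cfm": old,
        "wwwroot/CFIDE/h.cfm": now,            # the indicator from the article
        "wwwroot/CFIDE/scripts/x.cfm": now,    # hypothetical renamed drop (assumption)
        "wwwroot/index.cfm": now,              # outside CFIDE: not reported
    }
    for rel, mtime in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<cfoutput>sample</cfoutput>\n")
        os.utime(path, (mtime, mtime))
    return os.path.join(base, "wwwroot")


def run_demo(now=1357084800.0):
    """Build the constructed webroot in a temp dir, scan it, and return the
    findings as forward-slash paths relative to the webroot. The default 'now'
    is 2 January 2013, the date of Arehart's post, so the sample mtimes are fixed."""
    with tempfile.TemporaryDirectory() as base:
        root = build_sample_tree(base, now)
        found = scan_cfide(root, recent_days=30, now=now)
        return {
            key: [os.path.relpath(p, root).replace(os.sep, "/") for p in paths]
            for key, paths in found.items()
        }


if __name__ == "__main__":
    import sys
    # Point at a real webroot (e.g. C:\ColdFusion9\wwwroot) to scan a server;
    # with no argument the constructed sample tree is scanned instead.
    if len(sys.argv) > 1:
        findings = scan_cfide(sys.argv[1])
    else:
        findings = run_demo()
    for key, paths in findings.items():
        print(key)
        for p in paths:
            print("  ", p)
```

Finding h.cfm is a confirmed compromise and the server should be treated as such; an empty h_cfm list is not a clean bill of health, since the recent_cfm list exists precisely because the attacker can rename the file, and a ColdFusion instance that has not yet had the hotfix applied remains exposed.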

The Adobe fix repairs two authentication bypass vulnerabilities (CVE-2013-0625 and CVE-2013-0632), a directory traversal (CVE-2013-0629) and a data leakage vulnerability (CVE-2013-0631) in ColdFusion 9 and later. The Adobe ColdFusion Blog said, “Adobe recommends users update their product installation with this update,” but Arehart quickly pointed to a problem for version 9.0.2: the update instructions were wrong.

Adobe has now corrected its technote, and the correct instructions for 9.0.2 users can also be found in the ColdFusion blog comments.

The bottom line is that these vulnerabilities are being exploited in ColdFusion versions 9, 9.0.1, 9.0.2 and 10, and the hotfix should be applied as soon as possible. Earlier versions are no longer supported by Adobe and should not be used.
