Adobe has released new updates for both ColdFusion 10 and ColdFusion 11.
According to Adobe: “This hotfix resolves two input validation issues that could be used in reflected cross-site scripting attacks. This hotfix also includes an updated version of BlazeDS that resolves an important Server-side request forgery vulnerability.”
This hotfix also updates the version of Tomcat that is bundled with ColdFusion, which addresses a Security Manager bypass (CVE-2014-7810), a Request Smuggling issue (CVE-2014-0227) and a Denial of Service issue (CVE-2014-0230).
This hotfix includes both security fixes and bug fixes; you can see a detailed list of the bugs that were fixed in the link to the release notes below.
Updated web server connectors are also included in this hotfix. Running the hotfix installer does not update the web server connectors; you need to do this manually by running wsconfig.
If you are running CF9 or below, you may also be vulnerable to these issues (especially the BlazeDS issue), but Adobe no longer supports CF9 and below. If you are running Railo or Lucee, you may also be vulnerable to the BlazeDS issue if you have BlazeDS installed and configured.
Oracle has also released a security update for Java. This update addresses 25 vulnerabilities, of which 5 have the potential to be exploited in server-side Java deployments. Oracle has released Java 8 update 65 to address these vulnerabilities; they have also released Java 8 update 66, which includes both the security fixes and some new bug fixes. You can find a listing of the bugs fixed in each update here.
If you have any questions, please submit a support request.