Adobe Patch Tuesday security updates for June 2019 address some critical arbitrary code execution vulnerabilities in Flash Player, ColdFusion and Campaign products.
Adobe fixed critical command injection, file extension blacklist bypass and
|Vulnerability Category|Vulnerability Impact|Severity|CVE Numbers|
|---|---|---|---|
|File extension blacklist bypass|Arbitrary code execution|Critical (see note below)|CVE-2019-7838|
|Command Injection|Arbitrary code execution|Critical (see note below)|CVE-2019-7839|
|Deserialization of untrusted data|Arbitrary code execution|Critical (see note below)|CVE-2019-7840|
The issues affect ColdFusion 2016, 2018 and 11.
Adobe credited Badcode of Knownsec 404 Team, Moritz Bechler of SySS GmbH, and Brenden Meeder of Booz Allen Hamilton for reporting the flaws.
Adobe also informed users that remote access to the Adobe LiveCycle Data Management feature has been disabled by default due to security risks.
Adobe Patch Tuesday security updates for June 2019 also address a critical use-after-free vulnerability in Flash Player (CVE-2019-7845) that could lead to arbitrary code execution. The flaw was anonymously reported via Trend Micro’s Zero Day Initiative.
“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address a critical vulnerability in Adobe Flash Player,” reads the security advisory. “Successful exploitation could lead to arbitrary code execution in the context of the current user.”
Finally, Adobe addressed seven types of vulnerabilities in its Campaign product, including information disclosure, arbitrary file read, and code execution issues. The most severe vulnerability, tracked as CVE-2019-7850, is a critical command injection issue that could lead to arbitrary code execution.