Jun 16, 2011 11:15 GMT  ·  By
Important vulnerabilities patched in ColdFusion, LiveCycle and BlazeDS

In addition to patches for Flash Player, Shockwave Player, Reader and Acrobat, Adobe also released security updates for its LiveCycle Data Services, LiveCycle ES, BlazeDS and ColdFusion products this week.

As far as ColdFusion is concerned, two vulnerabilities rated as "important" have been patched by the newly released hotfixes for versions 9.0.1, 9.0, 8.0.1 and 8.0.

One of the flaws, identified as CVE-2011-0629, was reported by Sow Ching Shiong via vulnerability research vendor Secunia and can be exploited to execute cross-site request forgery (CSRF) attacks.

The second vulnerability fixed, CVE-2011-2091, can lead to a denial-of-service condition and was discovered by Pete Freitag of Foundeo.

Adobe says the hotfixes need to be applied for each version individually. For example, if the fix for ColdFusion 9.0 was deployed and the installation is updated to 9.0.1 at a later time, the patch for 9.0.1 must also be applied.

Two flaws were identified in LiveCycle Data Services, LiveCycle ES and BlazeDS. Both of them are credited to Belgian security researcher Wouter Coekaerts.

One (CVE-2011-2092) allows unrestricted class creation during AMF/AMFX deserialization, while the other (CVE-2011-2093) is a denial-of-service issue in the object graph.

Individual patches have been released for LiveCycle Data Services 3.1, 3.0, 2.6.1, 2.6.0, 2.5.1, 2.5, Flex Data Services 2.0.1, LiveCycle 9.0.0.2, 8.2.1.3, 8.0.1.3, and BlazeDS 4.0.1. The patches need to be deployed manually and instructions for each of them are provided in the Adobe security bulletin.

Of course, people are also strongly encouraged to install the other updates Adobe released on Tuesday, such as those for Adobe Reader and Acrobat, Flash Player and Shockwave Player.