Adobe releases emergency updates: Patch Tuesday - Week 1, March 2019

Adobe

Adobe has released an emergency update for its ColdFusion platform to resolve a serious zero-day vulnerability. The update fixes a flaw that could have led to RCE attacks using a ColdFusion service. Designated as CVE-2019-7816, Adobe has categorized the vulnerability as ‘file upload restriction bypass’ which means that it allowed unrestricted access to servers to execute malicious codes.

The following are the affected products and versions issued with the update(s):

• ColdFusion 2018 - Update 2 and earlier versions
• ColdFusion 2016 - Update 9 and earlier versions
• ColdFusion 11 - Update 11 and earlier versions

Updates can be found here.

Google

Google has released security patches this month for its Android platform. In its bulletin, the company announced two security patch ‘levels’ labeled as 2019-03-01 and 2019-03-05. This is to resolve issues timely across all devices with similar vulnerabilities. The most serious vulnerability addressed in the bulletin is an RCE flaw which allowed malicious files to perform arbitrary code execution in Android devices.

Users with the most recent Android devices (version 7.0 & later) are expected to receive updates soon. The following is a brief description of the two updates:

• 2019-03-01 security patch level: This is segregated into three sections -- Framework, Media Framework, and System. A total of 27 vulnerabilities are addressed out of which 17 were present in the System. Critical vulnerabilities included escalation of privileges and RCE.
• 2019-03-05 security patch level: This is segregated into four sections -- System, Kernel components, Qualcomm components, and Qualcomm closed-source components. A total of 15 vulnerabilities are addressed among which 5 were from closed-source components. Again, critical vulnerabilities were mainly RCE and escalation of privileges.

Microsoft

Microsoft released a batch update to address multiple issues in Windows 10 and Windows Server 2019. The KB4482887 release mainly enables Retpoline on certain devices, a coding implementation created by Google to bring down Spectre V2 vulnerability. Apart from this, the update resolves several bugs associated with hardware.

Microsoft has recommended users to install the latest servicing stack update (SSU) before installing this update.

The updates can be found here.

Ubuntu

For this week, Ubuntu has released three security bulletins to address kernel vulnerabilities, as well as a flaw associated with OpenSSH. The following are the releases:

• USN-3901-2: Linux kernel (HWE) vulnerabilities: This update fixes this issue existing in Linux Hardware Enablement (HWE) kernel in Ubuntu 16.04 LTS & Ubuntu 14.04 LTS. Linux kernels for AWS, Microsoft Azure, Google Cloud, and Oracle Cloud, were containing improperly restricting access to specific IOCTLS.
• USN-3901-1: Linux kernel vulnerabilities: This update fixes a similar issue mentioned earlier, except it is evident in Raspberry Pi 2 and other OEM processors. Linux kernels in Ubuntu 18.04 LTS are patched.
• USN-3885-2: OpenSSH vulnerability: A previous update USN-3885-1 had not fully rectified an OpenSSH problem, which is taken care by this update. It is applicable for systems running Ubuntu 18.10, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS & Ubuntu 14.04 LTS.