Just last week, Adobe released their security updates (APSB17-30) for ColdFusion 2016 and ColdFusion 11. The said update was specifically created to fix two critical and one important issue. However, take note that the ColdFusion 10 and older will be vulnerable to some if not all of the issues. Plus, since the older versions began to become obsolete, there won’t be any additional patches provided.
Adobe also stated that the fixes will be effective only when running the Java 1.8 update 121 or higher (Java 1.7 update 131 or higher but Java 7 is also EOL, which means you need to be running 1.8 if you use CF11+).
Because of the vulnerability of CVE-2017-11286, it is categorized as Improper Restriction of XML External Entity Reference. This can trigger the possibility of XML External Injection that will allow attackers to have access to resources via commands to the XML parser.
The second vulnerability of CVE-2017-11283 and CVE-2017-11284 is that Adobe described it as an “unsafe Java deserialization that could result in remote code execution”. Until now it is unclear if that would affect the use of the serialize() / deserialize () functions or if it will have broader issues.