
WARNING: ADOBE RELEASED AN EMERGENCY COLDFUSION SECURITY UPDATE MEANT TO FIX THREE VULNERABILITIES, INCLUDING A CRITICAL REMOTE CODE EXECUTION

Reference:
Advisory #2023-84
Version: 
1.0
Affected software:
ColdFusion 2023 - Update 2 and earlier versions
ColdFusion 2021 - Update 8 and earlier versions
ColdFusion 2018 - Update 18 and earlier versions
Type: 
Remote code execution and security feature bypass
CVE/CVSS: 

CVE-2023-38204 / CVSS 3.1 score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-38205 / CVSS 3.1 score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE-2023-38206 / CVSS 3.1 score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Sources

https://helpx.adobe.com/security/products/coldfusion/apsb23-47.html

Risks

The vulnerabilities, if exploited, could allow an unauthenticated attacker to execute arbitrary code or to bypass security features.

CVE-2023-38204 is the most severe of the three flaws, as it is a remote code execution vulnerability; Adobe reports no exploitation in the wild at the time of publication. An attacker could exploit it to elevate privileges or to take control of the affected system. Successful exploitation has a high impact on the confidentiality, integrity and availability of the affected systems.

Adobe has, however, confirmed that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion customers. Exploitation of this flaw has a high impact on the confidentiality of the targeted system only.

Description

  • CVE-2023-38204 (Deserialization of Untrusted Data) could lead to arbitrary code execution, giving an adversary the ability to run any command or code on the target system. The vulnerability has a CVSS score of 9.8 and is classified as "critical".
  • CVE-2023-38205 (Improper Access Control) could lead to a security feature bypass if exploited. The flaw is a bypass of the patch for CVE-2023-29298, another ColdFusion access control bypass published earlier, on 11 July. After it was reported to Adobe that the CVE-2023-29298 patch could be circumvented, Adobe released a new fix under CVE-2023-38205. The vulnerability has a CVSS score of 7.5 and is classified as "critical".
  • CVE-2023-38206 (Improper Access Control) could also lead to a security feature bypass if exploited, but as its impact on affected systems is lower, it is scored 5.3 and classified as "moderate".

Recommended actions

To address these vulnerabilities, Adobe advises users to urgently update as follows:

Product           Update number   Platform
ColdFusion 2023   Update 3        All
ColdFusion 2021   Update 9        All
ColdFusion 2018   Update 19       All

Adobe also recommends updating the ColdFusion JDK/JRE LTS version to the latest update release, as applying the ColdFusion update without a corresponding JDK update will NOT secure the server.

Customers are also advised to apply the security configuration settings outlined on the ColdFusion Security page and to review the Lockdown guide for their ColdFusion release.
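As an added illustration of the patch-level check implied by the table above (this script is not part of the CERT.be advisory nor an Adobe tool), the following Python code triages a host inventory against the minimum update levels of APSB23-47. It assumes each host reports its version in the "major,minor,update,build" form that ColdFusion exposes as server.coldfusion.productVersion (the administrator shows the same fields dotted); hostnames and build numbers in the sample inventory are constructed, and the script does not verify the JDK/JRE level, which must be checked separately.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Minimum update level carrying the APSB23-47 fixes, per release
# (ColdFusion 2023 Update 3, ColdFusion 2021 Update 9, ColdFusion 2018 Update 19).
PATCHED_UPDATE: Dict[int, int] = {2023: 3, 2021: 9, 2018: 19}

# ColdFusion reports "major,minor,update,build" (server.coldfusion.productVersion);
# the administrator UI shows the same four fields dotted. Accept both separators.
_VERSION_RE = re.compile(r"^(\d{4})[,.](\d+)[,.](\d+)[,.](\d+)$")


@dataclass(frozen=True)
class CFVersion:
    major: int   # release year: 2018, 2021, 2023
    minor: int
    update: int  # the "Update N" level the Adobe bulletin refers to
    build: int


def parse_version(text: str) -> CFVersion:
    """Parse a ColdFusion version string; raise ValueError on anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ColdFusion version string: {text!r}")
    return CFVersion(*(int(g) for g in m.groups()))


def assess(version: str) -> Tuple[str, Optional[int]]:
    """Return (status, required_update) for one version string.

    status is "patched", "vulnerable" or "unsupported" (a release that
    APSB23-47 does not cover and therefore gets no fix from it).
    """
    v = parse_version(version)
    required = PATCHED_UPDATE.get(v.major)
    if required is None:
        return "unsupported", None
    if v.update >= required:
        return "patched", required
    return "vulnerable", required


def triage(inventory: str) -> List[Tuple[str, str, str]]:
    """Process an inventory of 'host<TAB>version' lines.

    Returns (host, version, verdict) triples. Malformed version strings are
    reported rather than skipped: a host you cannot assess is not cleared.
    """
    results: List[Tuple[str, str, str]] = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition("\t")
        try:
            status, required = assess(version)
        except ValueError as exc:
            results.append((host, version, f"unparseable: {exc}"))
            continue
        if status == "vulnerable":
            verdict = f"vulnerable: apply Update {required} and update the JDK/JRE"
        elif status == "patched":
            verdict = f"patched (Update {required} or later)"
        else:
            verdict = "unsupported release: not fixed by APSB23-47"
        results.append((host, version, verdict))
    return results


# Constructed sample inventory: hostnames and build numbers are made up.
SAMPLE_INVENTORY = """\
# host<TAB>ColdFusion productVersion
cf-app-01\t2023,0,02,330123
cf-app-02\t2023,0,03,330200
cf-legacy-01\t2021,0,08,330109
cf-legacy-02\t2018.0.19.330000
cf-old-01\t2016,0,17,325979
cf-unknown\tColdFusion 11
"""

if __name__ == "__main__":
    for host, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {version:22} {verdict}")
```

The comparison is on the update field only, which is what Adobe's table keys on; a host on the right update but an old JDK still fails the advisory's second requirement, so pair this output with a Java version check before closing the ticket.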

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

References

https://www.rapid7.com/blog/post/2023/07/19/cve-2023-38205-adobe-coldfusion-access-control-bypass-fixed/

https://helpx.adobe.com/pdf/coldfusion2023-suport-matrix.pdf

https://helpx.adobe.com/pdf/coldfusion2021-support-matrix.pdf

https://helpx.adobe.com/pdf/coldfusion2018-support-matrix.pdf

https://www.securityweek.com/adobe-releases-new-patches-for-exploited-coldfusion-vulnerabilities/