Two vulnerabilities in Adobe ColdFusion are exploited in real-world attacks, the Cybersecurity & Infrastructure Security Agency (CISA) warns. Both issues are related to the possibility of arbitrary code execution, caused by poor validation of deserialized data. Adobe released patches for both of these vulnerabilities back in mid-July 2023, when they were originally detected.
ColdFusion ACE Vulnerabilities Exploited in Real-World Attacks
On January 8, CISA released their regular notice on new exploited vulnerabilities, specifying among others 2 security breaches in Adobe ColdFusion. Both of them are dated summer 2023, with the patches being available at around the same time. Nonetheless, the organization states about the exploitation, which is not doubtful considering the trends. And as both vulnerabilities score the CVSS rating of 9.8, the very fact of its usage in cyberattacks is concerning.
As I said in the introduction, both CVE-2023-29300 and CVE-2023-38203 are about the poor data validation upon deserialization that leads to the arbitrary code execution (ACE). Interestingly enough, both of them touch the same string versions of ColdFusion – 2018, 2021 and 2023. By sending a specifically crafted data package, targeted on the vulnerable ColdFusion server, adversaries can make the server execute the code they need. No user interaction is needed for this trick, which increases the severity of the vulnerability even more.
Arbitrary code execution vulnerabilities may serve as both initial access points and opportunities for lateral movement. The fact that this particular vulnerability works as is, without the need for user input, makes the exploitation just a piece of cake. And since ColdFusion is a rather popular app server solution, it is not hard to reach something important after compromising it, not to mention how easy it is to find a victim.
List of Affected ColdFusion Versions
| Vulnearbility | Affected ColdFusion versions |
|---|---|
| CVE-2023-29300 CVE-2023-38203 |
ColdFusion 2018, 2021, 2023 |
Adobe ColdFusion Vulnerability Patches & Mitigation
Upon uncovering the vulnerabilities back in June 2023, Adobe released the updates1 2 which have these issues fixed. The company insisted on users to install these patches as soon as possible. And well, it cannot be a better moment to update than right now, after the official notification regarding the exploitation. Here is the list of ColdFusion versions that are no longer vulnerable to the said exploits:
| Version | Fixed in |
|---|---|
| ColdFusion 2023 | Update 1 |
| ColdFusion 2021 | Update 7 |
| ColdFusion 2018 | Update 17 |
At the same time, no workarounds or mitigations are available. This was expected though, as the nature of these vulnerabilities does not suppose the ability to fix it without the intrusion into the program code. In fact, there was over half a year of time to update, so applying any makeshift fixes now is irrational in any case.
Still, there is the ability to preventively protect the network from any kind of intrusion. By using Network Detection and Response (NDR) solutions, you make it much less likely that illicit traffic will reach your servers. By combining this with all-encompassing protective solutions, like Extended Detection and Response (XDR), you will receive a reliable shield against known threats, as well as ones that are only to be discovered.
- Adobe Security Bulletin regarding CVE-2023-29300.
- Adobe Security Bulletin regarding CVE-2023-38203.
