Reference:
Advisory #2023-84
Version:
1.0
Affected software:
ColdFusion 2018 - Update 18 and earlier versions
ColdFusion 2021 - Update 8 and earlier versions
ColdFusion 2023 - Update 2 and earlier versions
Type:
Remote code execution and security feature bypass
CVE/CVSS:
CVE-2023-38204 / CVSS 3.1 score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-38205 / CVSS 3.1 score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE-2023-38206 / CVSS 3.1 score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
https://helpx.adobe.com/security/products/coldfusion/apsb23-47.html
The vulnerabilities, if exploited, could allow an unauthenticated attacker to execute arbitrary code or to bypass security features.
CVE-2023-38204 is the most critical flaw patched, as it is a remote code execution vulnerability (deserialization of untrusted data); at the time of publication Adobe was not aware of it being exploited in the wild. An attacker could exploit the vulnerability to elevate privileges or to gain control over the affected system. Exploitation would have a high impact on the Confidentiality, Integrity and Availability of the affected systems.
On the other hand, Adobe confirmed being aware that CVE-2023-38205, an access-control bypass, has been exploited in the wild in limited attacks targeting Adobe ColdFusion customers. Exploitation of this flaw would have a high impact only on the Confidentiality of the targeted system. All three vulnerabilities are reachable over the network without authentication or user interaction (AV:N/PR:N/UI:N).
To address these vulnerabilities, Adobe advises users to urgently update as follows:
Product | Update number | Platform |
ColdFusion 2023 | Update 3 | All |
ColdFusion 2021 | Update 9 | All |
ColdFusion 2018 | Update 19 | All |
Adobe also recommends updating the ColdFusion JDK/JRE LTS version to the latest update release, as applying the ColdFusion update without a corresponding JDK update will NOT secure the server.
Customers are also advised to apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.
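To turn the update table and the JDK caveat above into a fleet check, the following script triages a ColdFusion inventory against this advisory. It is an added example, not part of the CCB advisory or of Adobe's tooling. It assumes (none of this is stated on the page) that each inventory line reads "host productversion javaversion", that productversion uses the "year,0,update,build" form reported by ColdFusion's server.coldfusion.productversion variable, and that the minimum JDK build per release is supplied by the operator from Adobe's support matrix; the MIN_JDK values and the hosts in SAMPLE_INVENTORY are constructed placeholders.

```python
import re
from typing import Dict, Tuple

# First update that fixes the three CVEs, taken from the advisory table above.
FIXED_UPDATE = {2018: 19, 2021: 9, 2023: 3}

# Placeholder minimum JDK builds per ColdFusion release. These are NOT from the
# advisory: take the real values from Adobe's support matrix for each release.
MIN_JDK = {2018: (11, 0, 20), 2021: (11, 0, 20), 2023: (17, 0, 8)}

# Constructed sample inventory (hypothetical hosts): "host productversion javaversion".
SAMPLE_INVENTORY = """\
cf-prod-01   2023,0,02,330617  17.0.7
cf-prod-02   2023,0,03,330617  17.0.8
cf-legacy-01 2018,0,18,330500  11.0.20
cf-legacy-02 2016,0,17,325979  1.8.0_371
cf-test-01   2021,0,09,330118  11.0.12
"""


def parse_productversion(pv: str) -> Tuple[int, int]:
    """Return (release year, update level) from a 'year,0,update,build' string (assumed format)."""
    parts = pv.split(",")
    if len(parts) != 4:
        raise ValueError(f"unexpected productversion: {pv!r}")
    return int(parts[0]), int(parts[2])


def parse_java(version: str) -> Tuple[int, ...]:
    """Turn '17.0.8', '11.0.20+8' or '1.8.0_371' into a tuple that compares numerically."""
    return tuple(int(x) for x in re.split(r"[._+-]", version) if x.isdigit())


def status(pv: str, java: str) -> str:
    """Classify one server: unsupported, unpatched, jdk-outdated or patched."""
    year, update = parse_productversion(pv)
    if year not in FIXED_UPDATE:
        # Release not covered by APSB23-47 (e.g. end-of-life): no fix to apply, treat as exposed.
        return "unsupported"
    if update < FIXED_UPDATE[year]:
        return "unpatched"
    if parse_java(java) < MIN_JDK[year]:
        # ColdFusion update applied, but per Adobe the server is NOT secured
        # until the JDK/JRE is updated as well.
        return "jdk-outdated"
    return "patched"


def triage(inventory: str) -> Dict[str, str]:
    """Map every host in the inventory text to its patch status."""
    result: Dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, pv, java = line.split()
        result[host] = status(pv, java)
    return result


if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {state}")
```

Anything other than "patched" needs action: "unpatched" hosts get the update from the table, "jdk-outdated" hosts get the JDK update that the advisory says is required for the fix to be effective, and "unsupported" hosts are out of Adobe's support window and should be isolated or migrated rather than left exposed.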
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident
https://helpx.adobe.com/pdf/coldfusion2023-suport-matrix.pdf
https://helpx.adobe.com/pdf/coldfusion2021-support-matrix.pdf
https://helpx.adobe.com/pdf/coldfusion2018-support-matrix.pdf
https://www.securityweek.com/adobe-releases-new-patches-for-exploited-coldfusion-vulnerabilities/