Vulnerability Overview
Recently, NSFOCUS CERT monitored that Adobe has officially released security notices and fixed multiple Adobe ColdFusion vulnerabilities. Please take protective measures as soon as possible. Key vulnerabilities are as follows:
Adobe ColdFusion deserialization vulnerability (CVE-2023-26359):
Due to a flaw in Adobe ColdFusion’s deserialization security check, unauthenticated remote attackers can conduct deserialization attacks by constructing malicious data packets, which can ultimately enable the execution of arbitrary code on the target system, with a CVSS score of 9.8.
Adobe ColdFusion Improper Access Control Vulnerability (CVE-2023-26360):
Due to a flaw in Adobe ColdFusion that improperly controls resource access, unauthenticated attackers can exploit this vulnerability to achieve arbitrary code execution on the target system without user interaction. Currently, it has been detected that this vulnerability is being exploited in the wild, with a CVSS score of 8.6.
Adobe ColdFusion is a server side programming language and development platform for building dynamic Web applications. It is developed and maintained by Adobe Systems and uses a Java Virtual Machine (JVM) as its runtime environment. ColdFusion supports multiple programming languages, including CFML (ColdFusion Markup Language), JavaScript, Java,. NET, and other Web technologies such as HTML, CSS, and SQL.
Reference link: https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html
Scope of Impact
Affected version
External Version:
- Adobe ColdFusion 2021 <= 2021 Update 5
- Adobe ColdFusion 2018 <= 2018 Update 15
Internal Version:
- Adobe ColdFusion 2021 < 2021.0.06.330132
- Adobe ColdFusion 2018 < 2018.0.16,330130
Unaffected version
External Version:
- Adobe ColdFusion 2021 Update 6
- Adobe ColdFusion 2018 Update 16
Internal Version:
- Adobe ColdFusion 2021 >= 2021.0.06.330132
- Adobe ColdFusion 2018 >= 2018.0.16.330130
Detection
Relevant users can determine whether the current application is at risk through version detection.
Method 1: After logging in to the system, access/CFIDE/administrator/index.cfm to view the version in the system information.
Method 2: Execute the cfinfo – version (info) command under bin of the Adobe ColdFusion installation directory to view the version. If the current version is within the affected range, there may be a security risk.
Mitigation
Official upgrade
Currently, the vulnerability has been officially fixed in the latest version. Affected users are requested to upgrade the version as soon as possible for protection. The reference link is as follows:
Adobe ColdFusion 2021:
https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-6.html
Adobe ColdFusion 2018:
https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-16.html
Manual upgrade
For Adobe ColdFusion 2018:
Step 1: Visit the following link to download the patch
https://cfdownload.adobe.com/pub/adobe/coldfusion/2018/updates/hotfix-016-330130.jar
Step 2: Execute the following corresponding commands based on the downloaded patch file (you must have full access to start or stop the ColdFusion service and the ColdFusion root directory.)
Execute under Windows:
<cf_ root>/jre/bin/java.exe -jar <jar-file-dir>/hotfix-*.jar |
Execute under Linux:
<cf_ root>/jre/bin/java -jar <jar-file-dir>/hotfix-*.jar |
Ensure that the JRE bundled with ColdFusion is used to execute the downloaded JAR. For standalone ColdFusion, it must be located at<cf_ root>/jre/bin。
For more information, please refer to the official tutorial:
For Adobe ColdFusion 2021:
Step 1: Visit the following link to download the patch:
https://cfdownload.adobe.com/pub/adobe/coldfusion/2021/updates/hotfix-006-330132.jar
Step 2: Visit the following link to download the repository and unzip it to a location that all ColdFusion server instances can access:
Step 3: Update the cfusion/lib/neo of cfusion and all its child instances_ “Packageurl” in updates.xml to point to the<InstallerReposityUnzippedPath>/bundles/bundles dependency. json in the download folder
Note: If the core server patch is successfully installed, but there are issues with the package, you can install or update the package from the package manager client (cfusion bin cfpm. bat | cfpm. sh)
Step 4: Refer to Step 2 in Adobe ColdFusion 2018 Upgrade
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.