Recently, NSFOCUS CERT learned that Adobe has officially released a security bulletin fixing multiple Adobe ColdFusion vulnerabilities. Please take protective measures as soon as possible. The key vulnerabilities are as follows:
Adobe ColdFusion deserialization vulnerability (CVE-2023-26359):
Due to a flaw in Adobe ColdFusion’s deserialization security check, unauthenticated remote attackers can conduct deserialization attacks by constructing malicious data packets, which can ultimately enable the execution of arbitrary code on the target system, with a CVSS score of 9.8.
Adobe ColdFusion Improper Access Control Vulnerability (CVE-2023-26360):
Due to a flaw in Adobe ColdFusion that improperly controls resource access, unauthenticated attackers can exploit this vulnerability to achieve arbitrary code execution on the target system without user interaction. Currently, it has been detected that this vulnerability is being exploited in the wild, with a CVSS score of 8.6.
Reference link: https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html
Scope of Impact
Affected versions:
- Adobe ColdFusion 2021 <= 2021 Update 5
- Adobe ColdFusion 2018 <= 2018 Update 15
- Adobe ColdFusion 2021 < 2021.0.06.330132
- Adobe ColdFusion 2018 < 2018.0.16.330130
Unaffected versions:
- Adobe ColdFusion 2021 Update 6
- Adobe ColdFusion 2018 Update 16
- Adobe ColdFusion 2021 >= 2021.0.06.330132
- Adobe ColdFusion 2018 >= 2018.0.16.330130
Users can determine whether their current deployment is at risk by checking the installed version.
Method 1: After logging in to the system, access /CFIDE/administrator/index.cfm and view the version under the system information.
Method 2: Run the cfinfo -version command from the bin directory of the Adobe ColdFusion installation to display the version information. If the current version is within the affected range, there may be a security risk.
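To make the version check from Method 2 repeatable across many hosts, the following added example (not part of the NSFOCUS advisory or Adobe's tooling) compares a ColdFusion build string against the fixed builds named in the Scope of Impact. The sample lines are constructed for illustration, not captured from a real cfinfo run, so the exact banner format on your servers may differ.

```python
import re

# Minimum fixed builds from the advisory (APSB23-25): anything below is affected.
FIXED_BUILDS = {
    2021: (2021, 0, 6, 330132),
    2018: (2018, 0, 16, 330130),
}

def parse_version(text):
    """Extract a (major, minor, update, build) tuple from a line of text.

    Accepts the dotted form used in the advisory (2021.0.06.330132) and the
    comma-separated form ColdFusion commonly prints (2021,0,06,330132).
    Returns None if no four-part version is present.
    """
    m = re.search(r"\b(20\d\d)[.,](\d+)[.,](\d+)[.,](\d+)\b", text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups())

def is_affected(version):
    """True if the build is older than the fixed build for its release line.

    Release lines the advisory does not cover (e.g. 2016) return None:
    no verdict is given rather than a false "not affected".
    """
    fixed = FIXED_BUILDS.get(version[0])
    if fixed is None:
        return None
    return version < fixed  # tuple comparison: major, minor, update, build

# Constructed sample lines (hypothetical build numbers for the older updates).
SAMPLES = [
    "ColdFusion Version: 2021,0,05,330109",   # Update 5  -> affected
    "ColdFusion Version: 2021,0,06,330132",   # Update 6  -> fixed
    "ColdFusion Version: 2018,0,15,330096",   # Update 15 -> affected
    "ColdFusion Version: 2018.0.16.330130",   # Update 16 -> fixed
]

def triage(lines):
    """Map each parsable version string to its verdict (True/False/None)."""
    results = {}
    for line in lines:
        v = parse_version(line)
        if v is not None:
            results[".".join(str(p) for p in v)] = is_affected(v)
    return results

if __name__ == "__main__":
    for ver, bad in triage(SAMPLES).items():
        print(ver, "AFFECTED - apply the APSB23-25 update" if bad else "not affected")
```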
Currently, the vulnerabilities have been officially fixed in the latest versions. Affected users are requested to upgrade as soon as possible. The reference links are as follows:
Adobe ColdFusion 2021:
Adobe ColdFusion 2018:
For Adobe ColdFusion 2018:
Step 1: Visit the following link to download the patch
Step 2: Execute the following corresponding commands based on the downloaded patch file (you must have full access to start or stop the ColdFusion service and the ColdFusion root directory.)
Execute under Windows:
<cf_root>/jre/bin/java.exe -jar <jar-file-dir>/hotfix-*.jar
Execute under Linux:
<cf_root>/jre/bin/java -jar <jar-file-dir>/hotfix-*.jar
Ensure that the JRE bundled with ColdFusion is used to execute the downloaded JAR. For standalone ColdFusion, it is located at <cf_root>/jre/bin.
For more information, please refer to the official tutorial:
For Adobe ColdFusion 2021:
Step 1: Visit the following link to download the patch:
Step 2: Visit the following link to download the repository and unzip it to a location that all ColdFusion server instances can access:
Step 3: Update the "packageurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerRepositoryUnzippedPath>/bundles/bundlesdependency.json in the downloaded folder.
Note: If the core server patch is installed successfully but there are issues with the packages, you can install or update the packages from the package manager client (cfusion/bin/cfpm.bat | cfpm.sh).
Step 4: Refer to Step 2 of the Adobe ColdFusion 2018 upgrade.
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.