Adobe Coldfusion vulnerabilities

This live blog contains information about vulnerabilities in Adobe ColdFusion. As soon as we have an update, we will add it to this post. More information about the risks and details can be found at the bottom of this blog. Last updated on July 20, 2023.

T-Update

Information about vulnerabilities

Update 20 July 2023

17:30 | On 11, 14 and 19 July 2023, Adobe released three security bulletins (APSB23-40, APSB23-41 and APSB23-47) covering a total of seven vulnerabilities in Adobe ColdFusion. Three of the seven have a CVSS base score of 9.8, and Adobe rates five of the seven as Critical. The vulnerabilities affect ColdFusion 2018, ColdFusion 2021 and ColdFusion 2023.

All three bulletins describe vulnerabilities that can lead to arbitrary code execution. Two of the three bulletins (APSB23-40 and APSB23-47) also describe vulnerabilities that allow a security feature bypass.

WARNING: Adobe's earlier advice to mitigate by enabling lockdown mode is not sufficient: that workaround can be bypassed by chaining several of these vulnerabilities. Those are the vulnerabilities classified as "security feature bypass".

Software updates that remediate the vulnerabilities are available. Our advice is to apply them as soon as possible.

Background

On 11, 14 and 19 July 2023, Adobe released three security bulletins (APSB23-40, APSB23-41 and APSB23-47) covering a total of seven vulnerabilities in Adobe ColdFusion. Three of the seven have a CVSS base score of 9.8, and Adobe rates five of the seven as Critical. The vulnerabilities affect ColdFusion 2018, ColdFusion 2021 and ColdFusion 2023. All three bulletins describe vulnerabilities that can lead to arbitrary code execution; two of the three (APSB23-40 and APSB23-47) also describe vulnerabilities that allow a security feature bypass.

Risk

The vulnerabilities CVE-2023-29300, CVE-2023-38203 and CVE-2023-38204 have a CVSSv3 base score of 9.8 on a scale from 0 to 10. A score this high is rare and implies a high likelihood of exploitation with high impact. All three are deserialization-of-untrusted-data flaws that allow an unauthenticated remote attacker to execute arbitrary code on the ColdFusion server.

The vulnerabilities are being exploited in the wild, and a proof-of-concept exploit is publicly available.

Advice

CVE-2023-29300, CVE-2023-38203 and CVE-2023-38204 are all deserialization flaws: ColdFusion deserializes attacker-supplied data without sufficiently validating it first. The remaining vulnerabilities are access-control weaknesses that let an attacker reach functionality that should be restricted. An overview of all seven vulnerabilities:

| Security bulletin | Vulnerability category | Vulnerability impact | Severity | CVSS base score | CVE number |
|---|---|---|---|---|---|
| APSB23-40 | Improper Access Control | Security feature bypass | Critical | 7.5 | CVE-2023-29298 |
| APSB23-40 | Deserialization of Untrusted Data | Arbitrary code execution | Critical | 9.8 | CVE-2023-29300 |
| APSB23-40 | Improper Restriction of Excessive Authentication Attempts | Security feature bypass | Important | 5.9 | CVE-2023-29301 |
| APSB23-41 | Deserialization of Untrusted Data | Arbitrary code execution | Critical | 9.8 | CVE-2023-38203 |
| APSB23-47 | Deserialization of Untrusted Data | Arbitrary code execution | Critical | 9.8 | CVE-2023-38204 |
| APSB23-47 | Improper Access Control | Security feature bypass | Critical | 7.5 | CVE-2023-38205 |
| APSB23-47 | Improper Access Control | Security feature bypass | Moderate | 5.3 | CVE-2023-38206 |

The following Adobe ColdFusion products and versions are vulnerable:

  • ColdFusion 2018 Update 18 and earlier versions
  • ColdFusion 2021 Update 8 and earlier versions
  • ColdFusion 2023 Update 2 and earlier versions

Adobe has made software patches available for the vulnerabilities. We advise patching immediately. Note that the earlier updates from July 11 and July 14 do not cover the vulnerabilities from APSB23-47; only the versions below resolve all seven vulnerabilities:

  • ColdFusion 2018 Update 19
  • ColdFusion 2021 Update 9
  • ColdFusion 2023 Update 3

WARNING: Adobe's earlier advice to mitigate by enabling lockdown mode is not sufficient: that workaround can be bypassed by chaining several of these vulnerabilities. Those are the vulnerabilities classified as "security feature bypass". Treat lockdown mode as defence in depth, not as a substitute for the updates.

Indicators of compromise are known. For existing customers, our Security Operations Center is searching the available logging for these indicators.

IP-addresses:

  • 62.233.50[.]13
  • 5.182.36[.]4
  • 195.58.48[.]155

Domains and file names:

  • oastify[.]com (the callback domain used by Burp Suite Collaborator; hits show that someone probed your server for out-of-band interaction and are not unique to this campaign, but on an unpatched ColdFusion host they warrant investigation)
  • ckeditr[.]cfm (a file name rather than a domain: .cfm is the ColdFusion template extension; look for this name in the web root and in web-server request logs)
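To put the indicators above to use, here is an added example (written for this post, not code from Adobe or from the original advisory) that refangs the listed indicators and hunts for them in web-server access logs. It matches the IP addresses as whole tokens (so 5.182.36[.]4 does not fire on 5.182.36.45), matches oastify[.]com including the random subdomains that Collaborator callbacks use, and matches ckeditr[.]cfm against the request path because it is a file name. The sample log lines, their request paths and timestamps are constructed for illustration and are not real traffic.

```python
"""Hunt web-server access logs for the ColdFusion indicators listed above.

Added example, not from the original post. Assumption: the logs are in a
Combined Log Format-like layout (client IP first, request line in quotes).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable

# Indicators exactly as published above, in defanged form.
DEFANGED_IPS = ["62.233.50[.]13", "5.182.36[.]4", "195.58.48[.]155"]
DEFANGED_DOMAINS = ["oastify[.]com"]
# ckeditr[.]cfm is a file name (.cfm = ColdFusion template), not a domain,
# so it is matched against the request path rather than a host field.
DEFANGED_FILES = ["ckeditr[.]cfm"]


def refang(indicator: str) -> str:
    """Turn the defanged form back into the real value for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}
IOC_DOMAINS = [refang(d).lower() for d in DEFANGED_DOMAINS]
IOC_FILES = [refang(f).lower() for f in DEFANGED_FILES]

# IPv4-looking tokens; the lookarounds stop 5.182.36.4 from matching
# inside 5.182.36.45 or 15.182.36.4.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Hostname-looking tokens (labels separated by dots, alphabetic TLD).
HOST_RE = re.compile(r"(?<![\w.-])((?:[\w-]+\.)+[a-z]{2,})(?![\w-])", re.I)


@dataclass
class Hit:
    line_no: int
    kind: str        # "ip", "domain" or "file"
    indicator: str   # the refanged indicator that matched
    line: str


def domain_matches(host: str, ioc: str) -> bool:
    """True for the domain itself and any subdomain of it."""
    host = host.lower()
    return host == ioc or host.endswith("." + ioc)


def scan_lines(lines: Iterable[str]) -> list[Hit]:
    hits: list[Hit] = []
    for n, line in enumerate(lines, 1):
        for tok in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(tok)
            except ValueError:      # e.g. an octet above 255
                continue
            if addr in IOC_IPS:
                hits.append(Hit(n, "ip", str(addr), line))
        for host in HOST_RE.findall(line):
            for ioc in IOC_DOMAINS:
                if domain_matches(host, ioc):
                    hits.append(Hit(n, "domain", ioc, line))
        low = line.lower()
        for ioc in IOC_FILES:
            if ioc in low:
                hits.append(Hit(n, "file", ioc, line))
    return hits


def scan_text(text: str) -> list[Hit]:
    return scan_lines(text.splitlines())


# Constructed sample lines (not real traffic). Line 3 is a near miss on
# purpose: 5.182.36.45 is not the listed 5.182.36.4.
SAMPLE_LOG = """\
62.233.50.13 - - [11/Jul/2023:09:12:01 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 200 512 "-" "curl/7.88.1"
10.0.0.7 - - [11/Jul/2023:09:12:05 +0000] "GET /index.cfm HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
5.182.36.45 - - [11/Jul/2023:09:13:00 +0000] "GET /index.cfm HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Jul/2023:09:14:22 +0000] "POST /cf_scripts/ckeditr.cfm HTTP/1.1" 200 20 "-" "python-requests/2.31"
10.0.0.9 - - [11/Jul/2023:09:14:30 +0000] "GET /index.cfm?u=http://x1y2z3.oastify.com/ HTTP/1.1" 500 0 "-" "-"
"""

if __name__ == "__main__":
    for h in scan_text(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind} {h.indicator}: {h.line}")
```

Run it against real access logs by replacing SAMPLE_LOG with the file contents (or feed the file object to scan_lines). Matches on the Collaborator domain mean your server made, or was asked to make, an outbound request to an attacker-controlled host, so pair them with outbound DNS and proxy logs from the same minute.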
