Adobe Security Bulletin

Last updated on Nov 28, 2023

Security updates available for Adobe ColdFusion | APSB23-52

Bulletin ID	Date Published	Priority
APSB23-52	November 14, 2023	3

Summary

Adobe has released security updates for ColdFusion versions 2023 and 2021. These updates resolve critical, important and moderate vulnerabilities that could lead to arbitrary code execution and security feature bypass.

Affected Versions

Product	Update number	Platform
ColdFusion 2023	Update 5 and earlier versions	All
ColdFusion 2021	Update 11 and earlier versions	All

Solution

Adobe categorizes these updates with the following priority rating and recommends users update their installations to the newest versions:

Product	Updated Version	Platform	Priority rating	Availability
ColdFusion 2023	Update 6	All	3	Tech Note
ColdFusion 2021	Update 12	All	3	Tech Note

Note:

For more details on protection against insecure Wddx deserialization attacks, refer https://helpx.adobe.com/coldfusion/kb/coldfusion-serialfilter-file.html

Vulnerability Details

Vulnerability Category	Vulnerability Impact	Severity	CVSS base score	CVSS vector	CVE Numbers
Deserialization of Untrusted Data (CWE-502)	Arbitrary code execution	Critical	9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N	CVE-2023-44350
Improper Access Control (CWE-284)	Security feature bypass	Critical	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	CVE-2023-26347
Deserialization of Untrusted Data (CWE-502)	Arbitrary code execution	Critical	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	CVE-2023-44351
Cross-site Scripting (Reflected XSS) (CWE-79)	Arbitrary code execution	Important	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	CVE-2023-44352
Deserialization of Untrusted Data (CWE-502)	Arbitrary code execution	Important	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	CVE-2023-44353
Improper Input Validation (CWE-20)	Arbitrary code execution	Moderate	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	CVE-2023-44355

Acknowledgements:

Adobe would like to thank the following researchers for reporting this issue and for working with Adobe to help protect our customers:   

Brian Reilly - CVE-2023-44350, CVE-2023-44355
Daniel Jensen - CVE-2023-44351
pwnii (pwnwithlove) - CVE-2023-44352
McCaulay Hudson - CVE-2023-44353
Matthew Galligan and Jon Cagan, CISA - CVE-2023-26347

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.

Note:

Adobe recommends updating your ColdFusion JDK/JRE LTS version to the latest update release. Check the ColdFusion support matrix below for your supported JDK version.

ColdFusion Support Matrix:

CF2023: https://helpx.adobe.com/pdf/coldfusion2023-suport-matrix.pdf

CF2021: https://helpx.adobe.com/pdf/coldfusion2021-support-matrix.pdf

Applying the ColdFusion update without a corresponding JDK update will NOT secure the server. See the relevant Tech Notes for more details.

Adobe  also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.   

ColdFusion JDK Requirement

COLDFUSION 2023 (version 2023.0.0.330468) and above
For Application Servers

On JEE installations, set the following JVM flag, “-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**" in the respective startup file depending on the type of Application Server being used.

For example:
Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.

COLDFUSION 2021 (version 2021.0.0.323925) and above

For Application Servers  

On JEE installations, set the following JVM flag, “-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**"

in the respective startup file depending on the type of Application Server being used.

For example:  

Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file  

WebLogic Application Server:  edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file  

WildFly/EAP Application Server:  edit JAVA_OPTS in the ‘standalone.conf’ file  

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.  

For more information, visit https://helpx.adobe.com/security.html , or email PSIRT@adobe.com

Adobe

Get help faster and easier

New user?