Bulletin ID
Last updated on
2 August 2023
Security updates available for Adobe ColdFusion | APSB23-47
|
|
Date Published |
Priority |
|
APSB23-47 |
July 19, 2023 |
1 |
Summary
Adobe has released security updates for ColdFusion versions 2023, 2021 and 2018. These updates resolve critical and moderate vulnerabilities that could lead to arbitrary code execution and security feature bypass.
Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion.
Affected Versions
|
Product |
Update number |
Platform |
|
ColdFusion 2023 |
Update 2 and earlier versions |
All |
|
ColdFusion 2021 |
Update 8 and earlier versions |
All |
|
ColdFusion 2018 |
Update 18 and earlier versions |
All |
Solution
Adobe categorizes these updates with the following priority rating and recommends users update their installations to the newest versions:
Note:
If you become aware of any package with a deserialization vulnerability in the future, use the serialfilter.txt file in <cfhome>/lib to denylist the package (eg: !org.jgroups.**;)
Vulnerability Details
|
Vulnerability Category |
Vulnerability Impact |
Severity |
CVSS base score |
CVE Numbers |
|
|
Deserialization of Untrusted Data (CWE-502) |
Arbitrary code execution |
Critical |
9.8 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2023-38204 |
|
Improper Access Control (CWE-284) |
Security feature bypass |
Critical |
7.5 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2023-38205 |
|
Improper Access Control (CWE-284) |
Security feature bypass |
Moderate |
5.3 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
CVE-2023-38206 |
Acknowledgments:
Adobe would like to thank the following researchers for reporting this issue and for working with Adobe to help protect our customers:
- Rahul Maini, Harsh Jaiswal @ ProjectDiscovery Research - CVE-2023-38204
- MoonBack (ipplus360) - CVE-2023-38204
- Stephen Fewer - CVE-2023-38205
- Brian Reilly - CVE-2023-38206
NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.
Acknowledgments
Adobe would like to thank the following researcher for reporting this issue and for working with Adobe to help protect our customers:
- Yonghui Han of Fortinet’s FortiGuard Labs - CVE-2023-29308, CVE-2023-29309, CVE-2023-29310, CVE-2023-29311, CVE-2023-29312, CVE-2023-29313, CVE-2023-29314, CVE-2023-29315, CVE-2023-29316, CVE-2023-29317, CVE-2023-29318, CVE-2023-29319
NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.
Note:
Adobe recommends updating your ColdFusion JDK/JRE LTS version to the latest update release. Check the ColdFusion support matrix below for your supported JDK version.
ColdFusion Support Matrix:
CF2023: https://helpx.adobe.com/pdf/coldfusion2023-suport-matrix.pdf
CF2021: https://helpx.adobe.com/pdf/coldfusion2021-support-matrix.pdf
CF2018: https://helpx.adobe.com/pdf/coldfusion2018-support-matrix.pdf
Applying the ColdFusion update without a corresponding JDK update will NOT secure the server. See the relevant Tech Notes for more details.
Adobe also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.
ColdFusion JDK Requirement
COLDFUSION 2023 (version 2023.0.0.330468) and above
For Application Servers
On JEE installations, set the following JVM flag, “-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**" in the respective startup file depending on the type of Application Server being used.
For example:
Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
COLDFUSION 2021 (version 2021.0.0.323925) and above
For Application Servers
On JEE installations, set the following JVM flag, “-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**"
in the respective startup file depending on the type of Application Server being used.
For example:
Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
COLDFUSION 2018 HF1 and above
For Application Servers
On JEE installations, set the following JVM flag, “-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**"
in the respective startup file depending on the type of Application Server being used.
For example:
Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
For more information, visit https://helpx.adobe.com/security.html , or email PSIRT@adobe.com