Bulletin ID
Security updates available for Adobe ColdFusion | APSB22-44
|
Date Published |
Priority |
APSB22-44 |
October 11, 2022 |
3 |
Summary
Affected Versions
Product |
Update number |
Platform |
ColdFusion 2018 |
Update 14 and earlier versions |
All |
ColdFusion 2021 |
Update 4 and earlier versions |
All |
Solution
Adobe categorizes these updates with the following priority rating and recommends users update their installations to the newest versions:
Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 11. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server. See the relevant Tech Notes for more details.
Adobe also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.
Vulnerability Details
Vulnerability Category |
Vulnerability Impact |
Severity |
CVSS base score |
CVE Numbers |
|
Stack-based Buffer Overflow (CWE-121) |
Arbitrary code execution |
Critical |
9.8 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-35710 |
Heap-based Buffer Overflow (CWE-122) |
Arbitrary code execution |
Critical |
9.8 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-35711 |
Stack-based Buffer Overflow (CWE-121) |
Arbitrary code execution |
Critical |
9.8 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-35690 |
Heap-based Buffer Overflow (CWE-122) |
Arbitrary code execution |
Critical |
9.8 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-35712 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) |
Arbitrary code execution |
Critical |
8.1 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-38418 |
Improper Restriction of XML External Entity Reference ('XXE') (CWE-611) |
Arbitrary file system read |
Important |
5.9 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2022-38419 |
Use of Hard-coded Credentials (CWE-798) |
Privilege escalation |
Important |
6.8 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H |
CVE-2022-38420 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) |
Arbitrary code execution |
Important |
6.6 |
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-38421 |
Information Exposure (CWE-200) |
Security feature bypass |
Important |
5.3 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
CVE-2022-38422 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) |
Security feature bypass |
Moderate |
4.4 |
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N |
CVE-2022-38423 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) |
Arbitrary file system write |
Critical |
7.2 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
CVE-2022-38424 |
|
|
Important |
7.5
|
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2022-42340 |
Improper Restriction of XML External Entity Reference ('XXE') (CWE-611) |
|
Important
|
7.5
|
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2022-42341 |
Acknowledgements
Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:
- rgod working with Trend Micro Zero Day Initiative - CVE-2022-35710, CVE-2022-35711, CVE-2022-35690, CVE-2022-35712, CVE-2022-38418, CVE-2022-38419, CVE-2022-38420, CVE-2022-38421, CVE-2022-38422, CVE-2022-38423, CVE-2022-38424
- reillyb - CVE-2022-42340, CVE-2022-42341
ColdFusion JDK Requirement
COLDFUSION 2021 (version 2021.0.0.323925) and above
For Application Servers
On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**", in the respective startup file depending on the type of Application Server being used.
For example:
Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
COLDFUSION 2018 HF1 and above
For Application Servers
On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**", in the respective startup file depending on the type of Application Server being used.
For example:
Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
For more information, visit https://helpx.adobe.com/security.html , or email PSIRT@adobe.com