Adobe Security Bulletin

Security updates available for Adobe ColdFusion | APSB23-40

Bulletin ID

Date Published

Priority

APSB23-40

July 11, 2023

1

Summary

Adobe has released security updates for ColdFusion versions 2023, 2021 and 2018. These updates resolve critical and important  vulnerabilities that could lead to arbitrary code execution and security feature bypass.

Adobe is aware that CVE-2023-29298 has been exploited in the wild in limited attacks targeting Adobe ColdFusion.

Affected Versions

Product

Update number

Platform

ColdFusion 2018

Update 16 and earlier versions    

All

ColdFusion 2021

Update 6 and earlier versions

All

ColdFusion 2023

GA Release (2023.0.0.330468)

All

Solution

Adobe categorizes these updates with the following priority rating and recommends users update their installations to the newest versions:

Product

Updated Version

Platform

Priority rating

Availability

ColdFusion 2018

Update 17

All

1

ColdFusion 2021

Update 7

All

1

ColdFusion 2023

Update 1 

All

                 1

Note:

Adobe recommends updating your ColdFusion JDK/JRE LTS version to the latest update release. Check the ColdFusion support matrix for your supported JDK version
Applying the ColdFusion update without a corresponding JDK update will NOT secure the server.  See the relevant Tech Notes for more details.

Adobe  also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.    

Vulnerability Details

Vulnerability Category

Vulnerability Impact

Severity

CVSS base score 

CVE Numbers

Improper Access Control (CWE-284)

Security feature bypass

Critical

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2023-29298

Deserialization of Untrusted Data (CWE-502)

Arbitrary code execution

Critical

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2023-29300

Improper Restriction of Excessive Authentication Attempts (CWE-307)

Security feature bypass

Important

5.9

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2023-29301

Acknowledgements

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:

  • Stephen Fewer - CVE-2023-29298
  • Nicolas Zilio (CrowdStrike) - CVE-2023-29300
  • Brian Reilly - CVE-2023-29301

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.

ColdFusion JDK Requirement

COLDFUSION 2023 (version 2023.0.0.330468) and above
For Application Servers

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**; !org.jgroups.**", in the respective startup file depending on the type of Application Server being used.

For example:
Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.

 

COLDFUSION 2021 (version 2021.0.0.323925) and above

For Application Servers   

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**; !org.jgroups.**", in the respective startup file depending on the type of Application Server being used.

For example:   

Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file   

WebLogic Application Server:  edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file   

WildFly/EAP Application Server:  edit JAVA_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.   

 

COLDFUSION 2018 HF1 and above  

For Application Servers   

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**; !org.jgroups.**", in the respective startup file depending on the type of Application Server being used.

For example:   

Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file   

WebLogic Application Server:  edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file   

WildFly/EAP Application Server:  edit JAVA_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.   

 

Revisions

July 19, 2023

  • Summary paragraph updated to state Adobe is aware that CVE-2023-29298 has been exploited in the wild in  limited attacks targeting Adobe ColdFusion.

For more information, visit https://helpx.adobe.com/security.html , or email PSIRT@adobe.com 

Get help faster and easier

New user?