Bulletin ID
Security updates available for Adobe ColdFusion | APSB24-14
|
Date Published |
Priority |
APSB24-14 |
March 12, 2024 |
1 |
Summary
Adobe has released security updates for ColdFusion versions 2023 and 2021. These updates resolve critical vulnerabilities that could lead to arbitrary file system read and privilege escalation.
Adobe is aware that CVE-2024-20767 has a known proof-of-concept that could cause an arbitrary file system read.
Affected Versions
Product |
Update number |
Platform |
ColdFusion 2023 |
Update 6 and earlier versions |
All |
ColdFusion 2021 |
Update 12 and earlier versions |
All |
Solution
Adobe categorizes these updates with the following priority rating and recommends users update their installations to the newest versions:
See the updated serial filter documentation for more details on protection against insecure Wddx deserialization attacks https://helpx.adobe.com/coldfusion/kb/coldfusion-serialfilter-file.html
Vulnerability Details
Vulnerability Category |
Vulnerability Impact |
Severity |
CVSS base score |
CVE Numbers |
Notes |
|
Improper Access Control (CWE-284) |
Arbitrary file system read |
Critical |
8.2 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
CVE-2024-20767 |
This vulnerability has been further addressed in ColdFusion 2023 Update 12 and ColdFusion 2021 Update 18. Please see APSB24-107 for more information. |
Improper Authentication (CWE-287) |
Privilege escalation |
Critical |
7.5 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
CVE-2024-45113 |
This was addressed in ColdFusion 2023 Update 7 and later, and ColdFusion 2021 Update 13 and later. |
Acknowledgements:
Adobe would like to thank the following researchers for reporting this issue and for working with Adobe to help protect our customers:
- ma4ter - CVE-2024-20767
- Brian Reilly (reillyb) - CVE-2024-45113
NOTE: Adobe has a public bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please check out https://hackerone.com/adobe
Adobe recommends updating your ColdFusion JDK/JRE LTS version to the latest update release. Check the ColdFusion support matrix below for your supported JDK version.
ColdFusion Support Matrix:
CF2023: https://helpx.adobe.com/pdf/coldfusion2023-suport-matrix.pdf
CF2021: https://helpx.adobe.com/pdf/coldfusion2021-support-matrix.pdf
Applying the ColdFusion update without a corresponding JDK update will NOT secure the server. See the relevant Tech Notes for more details.
Adobe also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.
ColdFusion JDK Requirement
COLDFUSION 2023 (version 2023.0.0.330468) and above
For Application Servers
On JEE installations, set the following JVM flag, “-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**" in the respective startup file depending on the type of Application Server being used.
For example:
Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
COLDFUSION 2021 (version 2021.0.0.323925) and above
For Application Servers
On JEE installations, set the following JVM flag, “-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**"
in the respective startup file depending on the type of Application Server being used.
For example:
Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
Revisions
December 23, 2024 - Updated: Summary, Solution from ColdFusion 2023 Update 7 to ColdFusion 2023 Update 12, ColdFusion 2021 Update 13 to ColdFusion 2021 Update 18, Priority from 3 to 1, and added Notes column to Vulnerability Details table.
September 10, 2024: Added CVE-2024-45113
For more information, visit https://helpx.adobe.com/security.html , or email PSIRT@adobe.com