
Adobe ColdFusion vulnerabilities


This live blog contains information regarding vulnerabilities in Adobe ColdFusion. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on July 20, 2023.

Update 20 July 2023

17:30 | On the 11th, 14th, and 19th of July 2023, Adobe released security bulletins regarding a total of seven vulnerabilities in Adobe ColdFusion. Three of the seven vulnerabilities are critical. The vulnerabilities apply to the following versions: ColdFusion 2018, ColdFusion 2021, and ColdFusion 2023.

The three security bulletins describe vulnerabilities that could lead to arbitrary code execution. Two out of the three security bulletins describe vulnerabilities that could lead to a security feature bypass.

WARNING: The workaround Adobe advised earlier, enabling lockdown mode, can be bypassed by chaining multiple vulnerabilities. These are the so-called “security feature bypass” vulnerabilities.

There are software updates available to remediate the vulnerabilities. Our advice is to apply them as soon as possible.

Reason and background of this blog

This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Vulnerability information

On the 11th, 14th, and 19th of July 2023, Adobe released security bulletins regarding a total of seven vulnerabilities in Adobe ColdFusion. Three of the seven vulnerabilities are critical. The vulnerabilities apply to the following versions: ColdFusion 2018, ColdFusion 2021, and ColdFusion 2023.

The three security bulletins describe vulnerabilities that could lead to arbitrary code execution. Two out of the three security bulletins describe vulnerabilities that could lead to a security feature bypass.

Potential Risk

The vulnerabilities CVE-2023-29298, CVE-2023-38203, and CVE-2023-38205 have a CVSSv3 score of 9.8. The CVSS scale runs from 0 to 10. A score of 9.8 or higher is rare and implies a high risk of exploitation with high impact. All three vulnerabilities are unauthenticated remote code execution vulnerabilities, allowing an unauthenticated remote attacker to execute code.

The vulnerabilities are exploited in the wild and there is also a proof-of-concept exploit publicly available.

Detailed information

The vulnerabilities CVE-2023-29300, CVE-2023-38203, and CVE-2023-38204 are related to deserializing untrusted data without sufficiently verifying it. Below is an overview of all vulnerabilities:


| Bulletin | Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVE Numbers |
|---|---|---|---|---|---|
| APSB23-40 | Improper Access Control | Security feature bypass | Critical | 7.5 | CVE-2023-29298 |
| APSB23-40 | Deserialization of Untrusted Data | Arbitrary code execution | Critical | 9.8 | CVE-2023-29300 |
| APSB23-40 | Improper Restriction of Excessive Authentication Attempts | Security feature bypass | Important | 5.9 | CVE-2023-29301 |
| APSB23-41 | Deserialization of Untrusted Data | Arbitrary code execution | Critical | 9.8 | CVE-2023-38203 |
| APSB23-47 | Deserialization of Untrusted Data | Arbitrary code execution | Critical | 9.8 | CVE-2023-38204 |
| APSB23-47 | Improper Access Control | Security feature bypass | Critical | 7.5 | CVE-2023-38205 |
| APSB23-47 | Improper Access Control | Security feature bypass | Moderate | 5.3 | CVE-2023-38206 |

The following Adobe ColdFusion products and versions are vulnerable:

  • ColdFusion 2018 update 18 and earlier versions
  • ColdFusion 2021 update 8 and earlier versions
  • ColdFusion 2023 update 2 and earlier versions

Adobe has made software patches available for the vulnerabilities. We advise patching immediately. The vulnerabilities are resolved in the following software versions:

  • ColdFusion 2018 update 19
  • ColdFusion 2021 update 9
  • ColdFusion 2023 update 3

WARNING: The workaround Adobe advised earlier, enabling lockdown mode, can be bypassed by chaining multiple vulnerabilities. These are the so-called “security feature bypass” vulnerabilities.

Indicators are known, and our Security Operations Center is reviewing the available logging of existing customers for these indicators.

IP addresses:

  • 62.233.50[.]13
  • 5.182.36[.]4
  • 195.58.48[.]155

Domains:

  • oastify[.]com
  • ckeditr[.]cfm
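
A log review for the indicators listed above can be scripted as follows. This is an added example, not tooling from Tesorion or Adobe; it assumes web-server access logs in combined log format, and the sample lines, hosts and paths in it are constructed.

```python
import ipaddress
import re

# Indicators exactly as listed on this page, kept in defanged form.
IOC_IPS = ["62.233.50[.]13", "5.182.36[.]4", "195.58.48[.]155"]
IOC_NAMES = ["oastify[.]com", "ckeditr[.]cfm"]

def refang(indicator):
    """Turn a defanged indicator such as a[.]b back into its literal form."""
    return indicator.replace("[.]", ".")

# Parsed address -> defanged form; exact comparison, so 5.182.36.40 is not a hit.
BAD_IPS = {ipaddress.ip_address(refang(i)): i for i in IOC_IPS}
# Bounded match: x1.oastify.com hits, notoastify.com and oastify.com.example do not.
NAME_RES = {n: re.compile(r"(?<![a-z0-9-])" + re.escape(refang(n))
                          + r"(?![a-z0-9-]|\.[a-z0-9])", re.I) for n in IOC_NAMES}
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")

def scan(lines):
    """Return (line_number, defanged_indicator) for each indicator seen in the log."""
    hits = []
    for no, line in enumerate(lines, 1):
        for token in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:  # not a valid address, e.g. 999.1.1.1
                continue
            if addr in BAD_IPS:
                hits.append((no, BAD_IPS[addr]))
        for name, rx in NAME_RES.items():
            if rx.search(line):
                hits.append((no, name))
    return hits

# Constructed sample lines; addresses other than the indicators come from
# documentation ranges, and the paths and hosts are made up for illustration.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jul/2023:10:00:01 +0000] "GET /index.cfm HTTP/1.1" 200 512 "-" "curl/8.0"',
    '62.233.50.13 - - [20/Jul/2023:10:00:02 +0000] "POST /index.cfm HTTP/1.1" 200 0 "-" "-"',
    '5.182.36.40 - - [20/Jul/2023:10:00:03 +0000] "GET / HTTP/1.1" 200 99 "-" "-"',
    '198.51.100.7 - - [20/Jul/2023:10:00:04 +0000] "GET /a HTTP/1.1" 200 1 "http://x1.oastify.com/" "-"',
    '198.51.100.7 - - [20/Jul/2023:10:00:05 +0000] "GET /demo/ckeditr.cfm HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.7 - - [20/Jul/2023:10:00:06 +0000] "GET /a HTTP/1.1" 200 1 "http://notoastify.com/" "-"',
]

if __name__ == "__main__":
    for no, indicator in scan(SAMPLE_LOG):
        print(f"line {no}: {indicator}")
```

Hits are reported in defanged form so the output can be pasted into a ticket without creating live links.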
