This live blog contains information regarding vulnerabilities in Adobe Coldfusion. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on July 20, 2023.
Update 20 July 2023
17:30 | On the 11th, 14th, and 19th of July 2023, Adobe released security bulletins regarding a total of seven vulnerabilities in the product Adobe ColdFusion. Three of the seven vulnerabilities are critical. The vulnerabilities apply to the following versions: ColdFusion 2018, ColdFusion 2021, and ColdFusion 2023.
All three security bulletins describe vulnerabilities that could lead to arbitrary code execution. Two of the three security bulletins also describe vulnerabilities that could lead to a security feature bypass.
WARNING: The workaround Adobe advised earlier, enabling lockdown mode, can be bypassed by chaining multiple vulnerabilities. These are the so-called “security feature bypass” vulnerabilities.
There are software updates available to remediate the vulnerabilities. Our advice is to apply them as soon as possible.
Reason and background of this blog
This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.
Vulnerability information
On the 11th, 14th, and 19th of July 2023, Adobe released security bulletins regarding a total of seven vulnerabilities in the product Adobe ColdFusion. Three of the seven vulnerabilities are critical. The vulnerabilities apply to the following versions: ColdFusion 2018, ColdFusion 2021, and ColdFusion 2023.
All three security bulletins describe vulnerabilities that could lead to arbitrary code execution. Two of the three security bulletins also describe vulnerabilities that could lead to a security feature bypass.
Potential Risk
The vulnerabilities CVE-2023-29298, CVE-2023-38203, and CVE-2023-38205 have a CVSSv3 score of 9.8. The CVSS scale runs from 0 to 10. A score of 9.8 or higher is rare and implies a high risk of exploitation with high impact. All three vulnerabilities are unauthenticated remote code execution vulnerabilities, allowing an unauthenticated remote attacker to execute code.
The vulnerabilities are being exploited in the wild, and a proof-of-concept exploit is publicly available.
Detail info
The vulnerabilities CVE-2023-29300, CVE-2023-38203, and CVE-2023-38204 are deserialization flaws: untrusted data is deserialized without sufficient validation of that data. Below is an overview of all vulnerabilities:
| Bulletin | Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVE Numbers |
|---|---|---|---|---|---|
| APSB23-40 | Improper Access Control | Security feature bypass | Critical | 7.5 | CVE-2023-29298 |
| APSB23-40 | Deserialization of Untrusted Data | Arbitrary code execution | Critical | 9.8 | CVE-2023-29300 |
| APSB23-40 | Improper Restriction of Excessive Authentication Attempts | Security feature bypass | Important | 5.9 | CVE-2023-29301 |
| APSB23-41 | Deserialization of Untrusted Data | Arbitrary code execution | Critical | 9.8 | CVE-2023-38203 |
| APSB23-47 | Deserialization of Untrusted Data | Arbitrary code execution | Critical | 9.8 | CVE-2023-38204 |
| APSB23-47 | Improper Access Control | Security feature bypass | Critical | 7.5 | CVE-2023-38205 |
| APSB23-47 | Improper Access Control | Security feature bypass | Moderate | 5.3 | CVE-2023-38206 |
The following Adobe Coldfusion products and versions are vulnerable:
- ColdFusion 2018 update 18 and earlier versions
- ColdFusion 2021 update 8 and earlier versions
- ColdFusion 2023 update 2 and earlier versions
Adobe has made software patches available for the vulnerabilities. We advise patching immediately. The vulnerabilities are resolved in the following software versions:
- Coldfusion 2018 update 19
- Coldfusion 2021 update 9
- Coldfusion 2023 update 3
WARNING: The workaround Adobe advised earlier, enabling lockdown mode, can be bypassed by chaining multiple vulnerabilities. These are the so-called “security feature bypass” vulnerabilities.
Indicators of compromise are known; our Security Operations Center is searching the available logging of existing customers for these indicators.
IP-addresses:
- 62.233.50[.]13
- 5.182.36[.]4
- 195.58.48[.]155
Domains:
- oastify[.]com
- ckeditr[.]cfm
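As an added example (not code from this post or from Tesorion), the two checks a defender would run after reading the lists above: comparing an installed ColdFusion update level against the fixed update levels, and scanning web-server access logs for the listed indicators. The log lines are constructed, and the Apache/Tomcat common log format is an assumption.

```python
import re

# Fixed update levels from the Adobe bulletins, as listed in this post.
PATCHED_UPDATE = {"2018": 19, "2021": 9, "2023": 3}

# Indicators from this post, kept defanged ("[.]") and refanged only for matching.
IOC_IPS = {"62.233.50[.]13", "5.182.36[.]4", "195.58.48[.]155"}
IOC_NAMES = {"oastify[.]com", "ckeditr[.]cfm"}

def refang(value: str) -> str:
    """Turn the defanged '[.]' notation back into a real dot for matching."""
    return value.replace("[.]", ".")

def is_vulnerable(version: str, update: int) -> bool:
    """True if the installed ColdFusion version/update is below the fixed level."""
    fixed = PATCHED_UPDATE.get(version)
    if fixed is None:
        raise ValueError(f"unknown ColdFusion version: {version}")
    return update < fixed

# Common log format: client ip, identd, user, [timestamp], "request", status (assumed).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def find_ioc_hits(log_lines):
    """Return (line_no, reason) for every access-log line matching a known indicator."""
    ips = {refang(i) for i in IOC_IPS}
    names = {refang(n) for n in IOC_NAMES}
    hits = []
    for no, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently miss a field
        if m.group("ip") in ips:
            hits.append((no, f"source ip {m.group('ip')}"))
        lowered = m.group("req").lower()
        for name in names:
            if name in lowered:
                hits.append((no, f"request contains {name}"))
    return hits

# Constructed sample log lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jul/2023:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200',
    '62.233.50.13 - - [19/Jul/2023:10:02:15 +0000] "POST /index.cfm HTTP/1.1" 200',
    '198.51.100.9 - - [19/Jul/2023:10:03:44 +0000] "GET /cf_scripts/ckeditr.cfm HTTP/1.1" 200',
    '198.51.100.9 - - [19/Jul/2023:10:04:10 +0000] "GET /static/logo.png HTTP/1.1" 304',
]
```

Run `find_ioc_hits(SAMPLE_LOG)` to see the two flagged lines; `is_vulnerable("2021", 8)` returns True, matching the affected-version list above.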