{"id":22767,"date":"2023-08-23T16:10:06","date_gmt":"2023-08-24T00:10:06","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/08\/23\/news-16497\/"},"modified":"2023-08-23T16:10:06","modified_gmt":"2023-08-24T00:10:06","slug":"news-16497","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/08\/23\/news-16497\/","title":{"rendered":"Adobe ColdFusion vulnerability exploited in the wild"},"content":{"rendered":"<p>The Cybersecurity and Infrastructure Security Agency (CISA) has <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2023\/08\/21\/cisa-adds-one-known-exploited-vulnerability-catalog\" target=\"_blank\" rel=\"nofollow\">added<\/a> a critical Adobe ColdFusion vulnerability to its&nbsp;<a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\" title=\"Known Exploited Vulnerabilities Catalog\" target=\"_blank\" rel=\"nofollow\">Known Exploited Vulnerabilities Catalog<\/a>, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by September 11, 2023 to protect their networks against active threats.<\/p>\n<p>Adobe ColdFusion is an application server and a platform for building and deploying web and mobile applications.<\/p>\n<p>The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. 
The CVE you need to patch is <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-26359\" target=\"_blank\" rel=\"nofollow\">CVE-2023-26359<\/a>, which has a <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2020\/05\/how-cvss-works-characterizing-and-scoring-vulnerabilities\">CVSS score<\/a> of 9.8 out of 10.<\/p>\n<p>According to Adobe, Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.<\/p>\n<p>Deserialization of untrusted data happens when an application uses data input to create an object. It is often convenient to serialize objects for communication or to save them for later use. However, untrusted data can&rsquo;t be relied on to be well-formed. When there are not sufficient protections in place this can be abused to trigger self-execution during the deserialization process. Exploitation can lead to arbitrary code execution.<\/p>\n<p>To patch the vulnerability Adobe has <a href=\"https:\/\/helpx.adobe.com\/security\/products\/coldfusion\/apsb23-25.html\" target=\"_blank\" rel=\"nofollow\">released security updates<\/a> for ColdFusion versions\u202f2021 and\u202f2018. To successfully remediate against this vulnerability the latest updates for ColdFusion should be applied, specifically:<\/p>\n<ul>\n<li>ColdFusion 2021 Update 6 or later<\/li>\n<li>ColdFusion 2018 Update 16 or later<\/li>\n<\/ul>\n<p>Another critical vulnerability tackled in this update is <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-26360\" target=\"_blank\" rel=\"nofollow\">CVE-2023-26360<\/a>&mdash;an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. 
It affects Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier).<\/p>\n<p>In April Adobe noted:<\/p>\n<blockquote><p>&ldquo;Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion.&rdquo;<\/p><\/blockquote>\n<p>Therefore this vulnerability has <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2023\/03\/15\/cisa-adds-one-known-exploited-vulnerability-catalog\" target=\"_blank\" rel=\"nofollow\">previously been added<\/a> to the Known Exploited Vulnerabilities Catalog. The remediation deadline for federal civilian executive branch agencies was April 5, 2023. With a second critical vulnerability that is known to be exploited, this really is a wake-up call to install that update if you haven&rsquo;t already.<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/08\/adobe-coldfusion-vulnerability-exploited-in-the-wild\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding=\"10\">\n<tr>\n<td valign=\"top\" align=\"left\">\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/exploits-and-vulnerabilities\" rel=\"category tag\">Exploits and vulnerabilities<\/a><\/p>\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/news\" rel=\"category tag\">News<\/a><\/p>\n<p>Tags: Adobe<\/p>\n<p>Tags:  ColdFusion<\/p>\n<p>Tags:  CVE-2023-26359<\/p>\n<p>Tags:  CVE-2023-26360<\/p>\n<p>Tags:  critical<\/p>\n<p>Tags:  known exploited<\/p>\n<p>Tags:  deserialization<\/p>\n<p>A second Adobe ColdFusion vulnerability that was patched in April has been added to CISA&#8217;s known exploited vulnerabilities catalog.<\/p>\n<table width=\"100%\">\n<tr>\n<td align=\"right\">\n<p><b>(<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/08\/adobe-coldfusion-vulnerability-exploited-in-the-wild\" title=\"Adobe ColdFusion vulnerability exploited in the wild\">Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/08\/adobe-coldfusion-vulnerability-exploited-in-the-wild\">Adobe ColdFusion vulnerability exploited in the wild<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[11414,20130,26274,30007,28877,29538,22783,30008,32],"class_list":["post-22767","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-adobe","tag-coldfusion","tag-critical","tag-cve-2023-26359","tag-cve-2023-26360","tag-deserialization","tag-exploits-and-vulnerabilities","tag-known-exploited","tag-news"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22767","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=22767"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22767\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=22767"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=22767"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=22767"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}