CISA Alert: Serious Vulnerabilities in Adobe ColdFusion (CVE-2023-44350, CVE-2023-44351, CVE-2023-44353 and More)
CISA has issued an alert regarding multiple vulnerabilities impacting Adobe ColdFusion. The alert underscores that the exploitation of the vulnerabilities could grant threat actors control over affected systems, prompting organizations to take measures to protect their systems.
Adobe ColdFusion serves as a rapid scripting environment for developing dynamic internet applications on both web and mobile platforms, utilizing ColdFusion Markup Language (CFML).
The security update addresses a range of vulnerabilities, including critical, high, and medium severity issues. These vulnerabilities have the potential to enable threat actors to access specific endpoints or execute arbitrary code, without requiring user interaction.
Which Versions of Adobe ColdFusion Are Vulnerable?
Adobe has issued the most recent security patches for ColdFusion were an advisory, on November 14, 2023. The advisory identifies vulnerabilities in the following versions of Adobe ColdFusion 2021 and 2023:
Update 5 and earlier versions
Update 11 and earlier versions
Details of the Vulnerabilities
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are susceptible to multiple vulnerabilities. Four of these vulnerabilities, ranging from high to critical severity, can be exploited without requiring any user interaction:
CVE-2023-44351 (CVSS Score: 9.8, Critical): This vulnerability involves the deserialization of untrusted data, creating a significant risk of arbitrary code execution.
CVE-2023-44350 (CVSS Score: 9.8, Critical): Similar to the first, this vulnerability is linked to the deserialization of untrusted data, posing a critical risk of arbitrary code execution. It is worth noting that the severity rating for CVE-2023-44350 is 9.1 in the Adobe advisory.
CVE-2023-44353 (CVSS Score: 9.8, Critical): Yet another deserialization vulnerability, posing a critical risk of arbitrary code execution. The severity rating for CVE-2023-44353 is 5.3 according to the Adobe advisory, but the National Vulnerability Database (NVD) rates it as critical.
CVE-2023-26347 (CVSS Score: 7.5, High): Involving an improper access control, this vulnerability carries a high severity risk. It could lead to a security feature bypass, allowing unauthenticated attackers to gain access to administration CFM and CFC endpoints.
The remaining two vulnerabilities require user interaction, posing a challenge in exploitation; thus, they are rated with medium severity.
CVE-2023-44355 (CVSS Score: 4.3, Medium): It is a vulnerability related to Improper Input Validation that could enable an unauthenticated attacker to impact a minor integrity feature. However, exploiting this vulnerability requires user interaction.
Apply the ColdFusion Updates by Adobe
Adobe has released patches to address the vulnerabilities in the following versions:
Adobe assigns a priority level of 3 (out of 3) to the update for the ColdFusion vulnerabilities in the advisory. Interestingly, this designation suggests that, although Adobe has issued updates, there is no evidence of exploitation for the mentioned vulnerability/vulnerabilities, and historically, the specific product has not been a target of attacks. As a result, Adobe advises administrators to exercise discretion when deciding to install the updates.
Proactive Vulnerability Monitoring and Management with SOCRadar
Utilizing the Attack Surface Management (ASM) module, you can proactively monitor emerging vulnerabilities across your digital assets. Receive timely threat alerts and efficiently manage patching efforts to mitigate potential impacts.
With SOCRadar’s Vulnerability Intelligence, you can gain insights into hacker trends, access specific vulnerability details, and updates, along with their SVRS score (SOCRadar Vulnerability Risk Score). This score offers a comprehensive understanding of a vulnerability’s popularity and the probability of exploitation.