[CDP-development] TLP:GREEN (Vulnerability Alert Notification) - CVE-2023-38203 & CVE-2023-29300: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Mon Jan 8 16:10:20 PST 2024
Good afternoon,
The SOC Services team is reporting on the vulnerability CVE-2023-38203 & CVE-2023-29300: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability. Because of its high visibility and our knowledge of the software installed in the state environment, we are providing the following in-depth information:
History: On January 8, 2024, CISA added CVE-2023-38203 & CVE-2023-29300 to the Known Exploited Vulnerabilities Catalog.
Affected Products:
Product         | Update number                  | Platform | CVE ID
ColdFusion 2018 | Update 16 and earlier versions | All      | CVE-2023-29300
ColdFusion 2021 | Update 6 and earlier versions  | All      | CVE-2023-29300
ColdFusion 2023 | GA Release (2023.0.0.330468)   | All      | CVE-2023-29300
ColdFusion 2018 | Update 17 and earlier versions | All      | CVE-2023-38203
ColdFusion 2021 | Update 7 and earlier versions  | All      | CVE-2023-38203
ColdFusion 2023 | Update 1 and earlier versions  | All      | CVE-2023-38203
Fixed versions:
Product         | Updated version | Platform | CVE ID
ColdFusion 2018 | Update 17       | All      | CVE-2023-29300
ColdFusion 2021 | Update 7        | All      | CVE-2023-29300
ColdFusion 2023 | Update 1        | All      | CVE-2023-29300
ColdFusion 2018 | Update 18       | All      | CVE-2023-38203
ColdFusion 2021 | Update 8        | All      | CVE-2023-38203
ColdFusion 2023 | Update 2        | All      | CVE-2023-38203
Adobe has provided the following security bulletins for CVE-2023-38203 & CVE-2023-29300:
* https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html
* https://helpx.adobe.com/security/products/coldfusion/apsb23-41.html
Intelligence: As of January 8, 2024, the vulnerabilities have been confirmed as being exploited in the wild.
Workarounds: Adobe has provided the following information, "If you become aware of any package with a deserialization vulnerability in the future, use the serialfilter.txt file in <cfhome>/lib to denylist the package (eg: !org.jroup.**;)".
How it works: Adobe ColdFusion server is vulnerable to CVE-2023-29300, a JNDI injection vulnerability that can be leveraged into deserialization of untrusted data and could result in Remote Code Execution; it affects the /CFIDE/adminapi/accessmanager.cfc endpoint. The root cause of this vulnerability is improper sanitization of user-provided input inside the wddxPacket object sent through a POST request. This vulnerability allows an unauthenticated remote attacker to execute any command on the server. In-depth information for CVE-2023-38203 is not available at this time.
Please be aware that the exploitation of CVE-2023-38203 & CVE-2023-29300 does not require user interaction.
Post-Exploit: Upon successful exploitation of the vulnerabilities, an unauthenticated attacker could gain control of the ColdFusion server.
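To check what the serialfilter.txt workaround quoted above actually blocks, the following added example (not code from this alert or from Adobe) evaluates class names against a filter line; it assumes serialfilter.txt uses the JDK's JEP 290 pattern syntax. Only the pattern "!org.jroup.**;" comes from the quoted Adobe guidance; the other filter strings and class names are constructed for illustration.

```python
# Added example: evaluator for JEP 290 filter patterns as assumed to be used in
# ColdFusion's <cfhome>/lib/serialfilter.txt. Filter strings and class names
# below are constructed; only "!org.jroup.**;" is from the Adobe guidance.
from typing import Dict, List

ADOBE_EXAMPLE = "!org.jroup.**;"                    # denylist one package tree
ALLOWLIST_EXAMPLE = "java.lang.*;java.util.**;!*"   # hypothetical allowlist


def _pattern_matches(pattern: str, class_name: str) -> bool:
    """Apply the JEP 290 class-pattern rules to a single pattern."""
    if pattern.endswith(".**"):            # package and all subpackages
        return class_name.startswith(pattern[:-2])
    if pattern.endswith(".*"):             # package only, no subpackages
        prefix = pattern[:-1]
        return class_name.startswith(prefix) and "." not in class_name[len(prefix):]
    if pattern.endswith("*"):              # plain prefix ("*" alone matches all)
        return class_name.startswith(pattern[:-1])
    return class_name == pattern           # exact class name


def check_class(filter_text: str, class_name: str) -> str:
    """Return REJECTED, ALLOWED or UNDECIDED for one class name.

    Patterns are evaluated left to right and the first match decides. Resource
    limits (maxdepth=, maxrefs=, ...) name no class and are skipped here.
    UNDECIDED matters: ObjectInputStream goes on to deserialize such classes,
    so a pure denylist leaves every unlisted class deserializable.
    """
    for raw in filter_text.split(";"):
        pat = raw.strip()
        if not pat or "=" in pat:
            continue
        reject = pat.startswith("!")
        if _pattern_matches(pat[1:] if reject else pat, class_name):
            return "REJECTED" if reject else "ALLOWED"
    return "UNDECIDED"


def audit_filter(filter_text: str, class_names: List[str]) -> Dict[str, str]:
    """Evaluate several class names against one filter in a single pass."""
    return {name: check_class(filter_text, name) for name in class_names}


if __name__ == "__main__":
    # Constructed sample class names; they are not real gadget classes.
    samples = ["org.jroup.blocks.Foo", "org.jroupx.Foo", "java.lang.String",
               "java.util.concurrent.Flow", "com.example.Other"]
    for name, status in audit_filter(ADOBE_EXAMPLE, samples).items():
        print(f"{status:9} {name}")
```

Running it shows that the Adobe denylist line rejects only org.jroup.* and its subpackages and leaves everything else UNDECIDED, whereas an allowlist ending in "!*" rejects anything not explicitly permitted.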
As of January 8, 2024, the following vulnerability plugins have been released and are currently in Tenable Security Center:
Plugin | Title | Severity
178416 <https://www.tenable.com/plugins/nessus/178416> | Adobe ColdFusion < 2018.x < 2018u18 / 2021.x < 2021u8 / 2023.x < 2023u2 Code Execution (APSB23-41) | Critical
114042 <https://www.tenable.com/plugins/was/114042> | Adobe ColdFusion Remote Code Execution | Critical
178229 <https://www.tenable.com/plugins/nessus/178229> | Adobe ColdFusion < 2018.x < 2018u17 / 2021.x < 2021u7 / 2023.x < 2023u1 Multiple Vulnerabilities (APSB23-40) | Critical
179133 <https://www.tenable.com/plugins/nessus/179133> | Adobe ColdFusion Code Execution (APSB23-41) (Direct Check) | Critical
Recommended Actions:
* Verify host has not been compromised before applying patches.
* Apply appropriate updates provided by vendor to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."