
Adobe fixes critical deserialization vulnerability, although exploits remain


The Cybersecurity and Infrastructure Security Agency (CISA) has recently added a vulnerability, tracked as CVE-2023-26359, to its Known Exploited Vulnerabilities Catalog. The vulnerability carries a Common Vulnerability Scoring System (CVSS) score of 9.8, and it was added to the catalog because it is being actively exploited. It is a deserialization flaw affecting Adobe ColdFusion 2018 (Update 15 and earlier) and Adobe ColdFusion 2021 (Update 5 and earlier) that can allow arbitrary code execution.

Serialization is the process of converting an object into a data format, such as JSON or XML, from which it can be reconstructed later. Deserialization is the reverse: data in such a format is rebuilt into an object. When deserialization is performed on data whose source has not been validated, the result can be denial of service or code execution. In this case, the deserialization flaw in Adobe ColdFusion poses a significant security risk.

These vulnerabilities were patched by Adobe in March but are now being actively exploited. The exact methods being used to exploit the vulnerability are currently unknown; Adobe has stated that the attacks are occurring in a very limited capacity. Nonetheless, Federal Civilian Executive Branch (FCEB) agencies have been given a deadline of September 11th to apply the necessary patches and protect against potential threats.

To mitigate the risk associated with this vulnerability, Adobe recommends that its customers apply the proper security configuration settings as outlined on the ColdFusion Security page. Additionally, they should review the respective Lockdown guides. Furthermore, it is advised to update the ColdFusion JDK/JRE to the latest version of the Long-Term Support (LTS) releases for JDK 11. It is worth noting that applying the ColdFusion update without a corresponding JDK update may compromise the security of the server.

Adobe credits Patrick Vares with discovering and reporting this vulnerability. Prompt patching of such vulnerabilities plays a crucial role in preserving the security and integrity of systems and preventing cyberattacks.

In conclusion, the deserialization flaw affecting Adobe ColdFusion represents a significant security concern due to its potential to facilitate arbitrary code execution. While the exact details of the active exploitation are unknown, it is clear that this vulnerability needs to be addressed promptly. The implementation of the necessary patches by FCEB agencies by the September 11th deadline is crucial for safeguarding against potential threats. Adobe’s recommendations regarding security configuration settings, review of Lockdown guides, and JDK/JRE updates should also be followed to ensure a secure server environment.
