Multiple vulnerabilities in Adobe ColdFusion have been exploited by threat actors, according to research by Rapid7. The vulnerabilities were disclosed by Adobe on July 11, and patches were released at that time. The vulnerabilities included an improper access control flaw, a deserialization flaw, and an authentication bypass flaw. On July 13, Rapid7 observed that one of the vulnerabilities, CVE-2023-29298, was being used in conjunction with another vulnerability. This additional vulnerability, believed to be CVE-2023-38203, is a critical deserialization flaw that can lead to arbitrary code execution.
Notably, an exploit for CVE-2023-38203 was inadvertently published by vulnerability management vendor Project Discovery in a blog post on July 12. Although the blog post provided a technical analysis and an exploit for CVE-2023-29300, it did not mention CVE-2023-38203. Project Discovery later took down the blog post. Rapid7 head of vulnerability research Caitlin Condon wrote in a blog post that Project Discovery's research turned out to be a zero-day exploit chain for CVE-2023-38203.
Condon suggested that Project Discovery may have thought they were publishing an exploit for CVE-2023-29300 and did not realize they had discovered a new zero-day vulnerability. Adobe addressed this new exploit chain in an out-of-band update on July 14.
Condon explained that the patch for CVE-2023-29300 implemented a denylist of classes that cannot be deserialized by the Web Distributed Data eXchange (WDDX) data used in certain requests to ColdFusion. However, Project Discovery researchers found a class that was not on the denylist and could be manipulated to achieve remote code execution.
After Adobe issued an out-of-band patch, Project Discovery's published exploit no longer worked. The out-of-band patch added the class path "!com.sun.rowset.**" to the denylist. Project Discovery appears to have taken down their blog post while Adobe was fixing the flaw.
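To illustrate why a deserialization denylist of the kind described above only blocks what it explicitly names, here is an added Python model (not code from Adobe, Rapid7 or Project Discovery) of a pattern-based class filter: a class covered by no pattern is accepted, so the gap closes only when a pattern such as "!com.sun.rowset.**" is added, whereas an allowlist ending in "!*" rejects it from the start. The pattern grammar is assumed to follow the JDK serialization-filter style, and every list entry and class name other than "!com.sun.rowset.**" is a constructed placeholder.

```python
"""Model of a pattern-based deserialization class filter (added example, not
ColdFusion's or Adobe's code).  Pattern grammar is ASSUMED to follow the JDK
serialization-filter style: a leading '!' rejects matches, 'pkg.**' matches a
package and its subpackages, 'pkg.*' matches only that package, '*' matches
everything, anything else is an exact class name.  First matching pattern wins;
a class matched by no pattern is UNDECIDED, which a denylist treats as allowed."""

ALLOWED, REJECTED, UNDECIDED = "ALLOWED", "REJECTED", "UNDECIDED"

# Constructed lists: the real ColdFusion denylist is not reproduced here; only
# the one pattern the report names, "!com.sun.rowset.**", is taken from it.
DENYLIST_JULY_11 = ["!example.gadgets.**"]                      # placeholder entry
DENYLIST_JULY_14 = DENYLIST_JULY_11 + ["!com.sun.rowset.**"]    # out-of-band addition
ALLOWLIST = ["coldfusion.example.**", "!*"]                     # constructed allowlist


def _matches(pattern: str, class_name: str) -> bool:
    """Does one pattern (without its leading '!') cover class_name?"""
    if pattern == "*":
        return True
    if pattern.endswith(".**"):                      # package and all subpackages
        return class_name.startswith(pattern[:-2])
    if pattern.endswith(".*"):                       # package only, no subpackages
        prefix = pattern[:-1]
        return class_name.startswith(prefix) and "." not in class_name[len(prefix):]
    return class_name == pattern                     # exact class name


def evaluate(filter_patterns, class_name: str) -> str:
    """Return the filter's verdict for class_name; the first matching pattern decides."""
    for pat in filter_patterns:
        reject = pat.startswith("!")
        if _matches(pat[1:] if reject else pat, class_name):
            return REJECTED if reject else ALLOWED
    return UNDECIDED


def is_deserializable(filter_patterns, class_name: str) -> bool:
    """A denylist only blocks what it names: UNDECIDED is accepted, just like an
    unmatched class in a serialization filter with no terminal '!*' rule."""
    return evaluate(filter_patterns, class_name) != REJECTED


if __name__ == "__main__":
    probe = "com.sun.rowset.ExampleRowSet"          # constructed class name
    for name, flt in [("July 11 denylist", DENYLIST_JULY_11),
                      ("July 14 denylist", DENYLIST_JULY_14),
                      ("allowlist", ALLOWLIST)]:
        print(f"{name:17s} {probe}: {evaluate(flt, probe)}")
```

The same probe class is accepted by the first denylist, rejected by the second, and rejected by the allowlist without any per-gadget entry, which is the argument for an allowlist over a denylist when the input is untrusted.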
Rapid7 also identified another issue in Adobe’s July 11 patch for CVE-2023-29298. Condon stated that Rapid7 found that a slightly modified version of the exploit still worked against the latest version of ColdFusion, even after applying the patch. She noted that there is no current mitigation for this bypass, but patching CVE-2023-38203 through the July 14 update should address the issue.
TechTarget Editorial reached out to Project Discovery for comment but has not received a response at the time of writing.
An Adobe spokesperson acknowledged the reports of the bypass and stated that the company is working on a comprehensive resolution. They assured that an update would be released as soon as it is available.
In conclusion, threat actors have been taking advantage of multiple vulnerabilities in Adobe ColdFusion, including a zero-day vulnerability for which Project Discovery accidentally published an exploit. Adobe has released patches to address the vulnerabilities, but Rapid7 discovered that one of the patches was incomplete. Despite this, patching CVE-2023-38203 should mitigate any issues caused by the bypass. Adobe is actively working on a comprehensive solution to address these vulnerabilities.
