In response to a newly discovered zero-day exploit and other critical vulnerabilities, Adobe has issued an emergency security update for ColdFusion, urging users to apply the patch immediately.
The out-of-band update, released today, aims to address three specific flaws, with the most severe being a critical Remote Code Execution (RCE) bug, designated as CVE-2023-38204, with a severity rating of 9.8, reported Bleeping Computer.
The two other vulnerabilities fixed in this update are a critical Improper Access Control flaw (CVE-2023-38205) rated 7.8, and a moderate Improper Access Control flaw (CVE-2023-38206) rated 5.3.
Fortunately, the most critical flaw, CVE-2023-38204, did not see any exploitation in the wild before the update was released. However, it wasn’t the same case for CVE-2023-38205, as Adobe reported that this vulnerability had been exploited in limited attacks targeting Adobe ColdFusion servers.
CVE-2023-38205 acted as a bypass for the patch addressing CVE-2023-29298, an authentication bypass vulnerability discovered by Rapid7 researchers. Following its initial discovery, Rapid7 observed attackers leveraging CVE-2023-29298 in combination with CVE-2023-29300/CVE-2023-38203 to infiltrate vulnerable ColdFusion servers and install webshells, allowing unauthorized remote access to these systems.
Rapid7 further revealed that the fix provided by Adobe for CVE-2023-29298 was incomplete, and a slightly modified exploit continued to work on the latest ColdFusion version. Upon identifying the bypass, Rapid7 promptly notified Adobe of the issue.
Rapid7 has confirmed that the new updates completely patched the vulnerabilities.
Adobe has since confirmed that the fix for CVE-2023-29298 is integrated into the APSB23-47 update as the patch for CVE-2023-38205.
Given the active exploitation of CVE-2023-38205 to compromise ColdFusion servers, website operators are strongly advised to apply the emergency update without delay. Failure to do so may leave systems vulnerable to potential attacks, potentially resulting in unauthorized access and control by malicious actors.
In the News: Google demos Genesis AI designed for journalists