Attackers exploit two Adobe ColdFusion vulnerabilities to bypass authentication and perform remote code execution. CVE-2023-29298 and CVE-2023-38203 can be chained to conduct attacks on Adobe ColdFusion environments.
CISA has added CVE-2023-29298 and CVE-2023-38205 to its Known Exploited Vulnerabilities Catalog, recommending users patch before August 10.
On January 8, 2024, CISA added the CVE-2023-29300 and CVE-2023-38203 to the Known Exploited Vulnerabilities Catalog. CISA has recommended users to patch the flaw before Jan 29, 2024.
Adobe ColdFusion is a commercial rapid web application development computing platform that connects simple HTML pages to a database.
Adobe has addressed authentication bypass vulnerability CVE-2023-29298 in its July Patch Tuesday Edition. The exploit reports started coming out on July 13. The reports showed that an arbitrary code execution vulnerability, CVE-2023-38203, was used with CVE-2023-29298 in attacks to drop webshell on target Adobe ColdFusion installations.
Some reports had demonstrated that the behavior of the attack resonates with a zero-day exploit (CVE-2023-29300) that Project Discovery released around July 12 and later removed.
CVE-2023-29300 is a deserialization vulnerability addressed in the Adobe July Patch Tuesday edition. The vulnerability allowed attackers to perform arbitrary code execution on target systems. Project Discovery published a blog post on July 12 with a proof-of-concept exploit for CVE-2023-29300. After this blog post, Adobe released an out-of-band update to fix the vulnerability on July 14.
The Project Discovery analysis found that the vulnerability originated from insecure deserialization in the WDDX library. The issue occurs when an unsafe Java Reflection API is used that allows the call of specific methods.
To prevent the deserialization of WDDX data, Adobe implemented a denylist of Java class paths that cannot be deserialized (so an attacker cannot specify a deserialization gadget located in these class paths). Adobe is probably unable to remove this WDDX functionality altogether because doing so would break everything that depends on it.
Project Discovery used a gadget based on the class com.sun.rowset.JdbcRowSetImpl to exploit the vulnerability. This class was not on Adobe’s denylist; therefore, it can be used as a deserialization gadget to perform remote code execution.
In the out-of-band patch for CVE-2023-38203, Adobe added one more class path !com.sun.rowset.** to the denylist.
Affected versions
The following versions of ColdFusion are vulnerable to both CVE-2023-29298 and CVE-2023-38203:
- Adobe ColdFusion 2023 Update 1 and earlier
- Adobe ColdFusion 2021 Update 7 and earlier
- Adobe ColdFusion 2018 Update 17 and earlier
Mitigation
Customers must upgrade to the following versions of Adobe ColdFusion vulnerabilities to patch CVE-2023-38203:
- Adobe ColdFusion 2023 Update 2
- Adobe ColdFusion 2021 Update 8
- Adobe ColdFusion 2018 Update 18
For more information, please refer to the Adobe Security Advisories on APSB23-40 and APSB23-41.
Qualys Detection
Qualys customers can scan their devices with QIDs 378671, 730842, and 378663 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html
https://helpx.adobe.com/security/products/coldfusion/apsb23-41.html
https://www.rapid7.com/blog/post/2023/07/17/etr-active-exploitation-of-multiple-adobe-coldfusion-vulnerabilities/