Adobe Emergency Patch Fixes New ColdFusion Zero-Day Used in Attacks

Cyber Security Threat Summary:
Adobe recently published an emergency ColdFusion security update that addresses several vulnerabilities, including a new zero-day that was exploited in attacks in the wild. The zero-day, tracked as CVE-2023-38205, is described as an instance of improper access control that could result in a security bypass. Two other flaws were addressed, one rated critical in severity and the other rated medium. The most severe of the issues is tracked as CVE-2023-38204 and relates to a deserialization bug that could lead to remote code execution. The other flaw, tracked as CVE-2023-38206, relates to an improper access control bug that could also lead to a security bypass.

CVE-2023-38205, CVE-2023-38204, and CVE-2023-38206 impact the following versions:

  • ColdFusion 2023 (Update 2 and earlier versions)
  • ColdFusion 2021 (Update 8 and earlier versions), and
  • ColdFusion 2018 (Update 18 and earlier versions)

They have been addressed with the release of:

  • ColdFusion 2023 (Update 3)
  • ColdFusion 2021 (Update 9)
  • ColdFusion 2018 (Update 19)

Security Officer Comments:
Adobe says CVE-2023-38205 was exploited in limited attacks, but no other details were disclosed. According to cybersecurity firm Rapid7, the flaw is a bypass for a fix that Adobe released for CVE-2023-29298, an authentication bypass impacting ColdFusion. Furthermore, on July 13th, Rapid7 researchers observed threat actors chaining CVE-2023-29298 together with CVE-2023-29300/CVE-2023-38203 to install web shells on vulnerable ColdFusion servers, in turn allowing the attackers to gain remote access to the targeted devices.

Suggested Correction(s):
Adobe ColdFusion users should ensure their installations are up to date to prevent potential exploitation attempts.

Link(s):
https://www.bleepingcomputer.com/