Adobe Releases Patches for Critical ColdFusion Vulnerabilities
Adobe addresses multiple vulnerabilities in its ColdFusion platform, releasing a series of critical patches. The updates come after cyber-attacks exploited known flaws, with cybersecurity firm Rapid7 highlighting concerns. Users are advised to update promptly for optimal software security.
In light of recently disclosed vulnerabilities, Adobe has issued a second series of patches for its ColdFusion platform, which includes flaws believed to have been exploited in cyber-attacks.

On July 11, Adobe addressed CVE-2023-29298, an access control problem that could bypass security features. Three days later, the company rolled out fixes for CVE-2023-38203, a deserialization flaw posing risks of arbitrary code execution. Shortly after these announcements, cybersecurity enterprise Rapid7 detected attack attempts on ColdFusion users. Intriguingly, their analysis found that the cyber adversaries leveraged CVE-2023-29298, potentially in combination with CVE-2023-38203.
Rapid7 has since voiced concerns about Adobe’s patch for CVE-2023-29298, calling it insufficient and easily sidestepped.
Fast forward to July 19, and Adobe broadcast another update for ColdFusion to address three additional CVEs. Notably, CVE-2023-38205, which bypasses the earlier fix for CVE-2023-29298, has been exploited in select cyber-attacks. While ‘limited attacks’ often indicate state-backed entities launching specific campaigns, the history of ColdFusion vulnerabilities suggests that profit-motivated cybercrime factions also exploit them.
The exploitation of CVE-2023-38203 in real-world attacks remains unconfirmed by Adobe. This flaw was jointly reported to the software giant by multiple entities, including the open-source security firm, ProjectDiscovery. On July 12, ProjectDiscovery unintentionally revealed CVE-2023-38203, which was unpatched at the time, during their analysis of another ColdFusion flaw, CVE-2023-29300. Two days later, Adobe provided the necessary patches. However, upon review, ProjectDiscovery deduced that Adobe’s fix for CVE-2023-38203 wasn’t comprehensive. The recent ColdFusion patch, CVE-2023-38204, is believed to address this oversight.
On the same day, Adobe also unveiled a solution for CVE-2023-38206, identified by researcher Brian Reilly. Reilly has previously been acknowledged by Adobe for identifying another ColdFusion vulnerability, CVE-2023-29301, suggesting the two issues may be closely linked.
- CVE-2023-29298: This vulnerability is an access control problem that could bypass security features. It was first disclosed on July 11, 2023, and Adobe released a patch for it on July 14, 2023. However, Rapid7 has since voiced concerns about the patch, calling it insufficient and easily sidestepped.
- CVE-2023-38203: This vulnerability is a deserialization flaw posing risks of arbitrary code execution. It was first disclosed on July 14, 2023, and Adobe released a patch for it on July 16, 2023. However, ProjectDiscovery has since deduced that Adobe’s fix for this vulnerability wasn’t comprehensive. The recent ColdFusion patch, CVE-2023-38204, is believed to address this oversight.
- CVE-2023-38205: This vulnerability bypasses the earlier fix for CVE-2023-29298. It was first disclosed on July 19, 2023, and Adobe released a patch for it on the same day. This vulnerability has been exploited in select cyber-attacks.
- CVE-2023-38206: This vulnerability was identified by researcher Brian Reilly. It was first disclosed on July 19, 2023, and Adobe released a patch for it on the same day.