On March 15, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability affects Adobe ColdFusion and is being actively exploited by threat actors.
Details on the Vulnerability
The flaw in question is CVE-2023-26360, with a CVSS score of 8.6. The vulnerability can be exploited by threat actors to achieve arbitrary code execution.
Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution,
CISA
The vulnerability affects ColdFusion 2021 (Update 5 and earlier) and ColdFusion 2018 (Update 15 and earlier). ColdFusion 2021 Update 6 and ColdFusion 2018 Update 16, both released on March 14, 2023, address it.
It is worth noting that the flaw also affects ColdFusion 2016 and ColdFusion 11, both of which are no longer supported by the software company.
Adobe said in a security advisory issued Tuesday that the vulnerability has been exploited in “very limited attacks”.
Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 11. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server.
Adobe (Source)
CISA Researchers Tag the Vulnerability as Urgent
Under binding operational directive BOD 22-01, federal agencies have three weeks, until April 5, to secure their systems against attacks using the vulnerability. CISA also strongly recommends that all organizations patch their systems against the flaw.
Charlie Arehart, the security researcher credited alongside Pete Freitag with discovering the vulnerability, describes it as a “grave” issue that could result in “arbitrary code execution” and “arbitrary file system read”.
I will say that in my own opinion this security fix is far more important than the wording of this blog post suggests and even that the update technotes would suggest.
Charlie Arehart (Source)