Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-26361: Adobe Security Bulletin

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability that could result in Arbitrary file system read. Exploitation of this issue does not require user interaction, but does require administrator privileges.

CVE
#vulnerability#web#apache#java

Security updates available for Adobe ColdFusion | APSB23-25

Adobe has released security updates for ColdFusion versions 2021 and 2018. These updates resolve critical and important  vulnerabilities that could lead to arbitrary code execution and memory leak.

Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion.

Adobe categorizes these updates with the following priority rating and recommends users update their installations to the newest versions:

Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 11. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server. See the relevant Tech Notes for more details.

Adobe  also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.

  • ColdFusion 2018 Auto-Lockdown guide
  • ColdFusion 2021 Lockdown Guide

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:

  • Patrick Vares (ELS-PHI) - CVE-2023-26359

  • Charlie Arehart and Pete Freitag - CVE-2023-26360

  • Dusan Stevanovic of Trend Micro - CVE-2023-26361

ColdFusion JDK Requirement

COLDFUSION 2021 (version 2021.0.0.323925) and above

For Application Servers

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**", in the respective startup file depending on the type of Application Server being used.

For example:

Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file

WebLogic Application Server:  edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file

WildFly/EAP Application Server:  edit JAVA_OPTS in the ‘standalone.conf’ file

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.

COLDFUSION 2018 HF1 and above

For Application Servers

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**", in the respective startup file depending on the type of Application Server being used.

For example:

Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file

WebLogic Application Server:  edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file

WildFly/EAP Application Server:  edit JAVA_OPTS in the ‘standalone.conf’ file

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.

March 14, 2023: Vulnerability Impact revised for CVE-2023-26360

For more information, visit https://helpx.adobe.com/security.html , or email [email protected]

Related news

Chinese-Speaking Hacker Group Targets Human Rights Studies in Middle East

Unnamed government entities in the Middle East and Malaysia are the target of a persistent cyber campaign orchestrated by a threat actor known as Tropic Trooper since June 2023. "Sighting this group's [Tactics, Techniques, and Procedures] in critical governmental entities in the Middle East, particularly those related to human rights studies, marks a new strategic move for them," Kaspersky

Adobe ColdFusion 2018,15 / 2021,5 Arbitrary File Read

Adobe ColdFusion versions 2018,15 and below and versions 2021,5 and below suffer from an arbitrary file read vulnerability.

Adobe ColdFusion Flaw Used by Hackers to Access US Govt Servers

By Deeba Ahmed CISA Warns of Critical Adobe ColdFusion Vulnerability Actively Exploited by Threat Actors. This is a post from HackRead.com Read the original post: Adobe ColdFusion Flaw Used by Hackers to Access US Govt Servers

Adobe Coldfusion vulnerability used in attacks on government servers

CISA has published an advisory about a vulnerability in Adobe Coldfusion used in two attacks against federal agencies.

Hackers Exploited ColdFusion Vulnerability to Breach Federal Agency Servers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a high-severity Adobe ColdFusion vulnerability by unidentified threat actors to gain initial access to government servers. "The vulnerability in ColdFusion (CVE-2023-26360) presents as an improper access control issue and exploitation of this CVE can result in arbitrary code execution,"

Adobe ColdFusion vulnerability exploited in the wild

Categories: Exploits and vulnerabilities Categories: News Tags: Adobe Tags: ColdFusion Tags: CVE-2023-26359 Tags: CVE-2023-26360 Tags: critical Tags: known exploited Tags: deserialization A second Adobe ColdFusion vulnerability that was patched in April has been added to CISA's known exploited vulnerabilities catalog. (Read more...) The post Adobe ColdFusion vulnerability exploited in the wild appeared first on Malwarebytes Labs.

Critical Adobe ColdFusion Flaw Added to CISA's Exploited Vulnerability Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, cataloged as CVE-2023-26359 (CVSS score: 9.8), relates to a deserialization flaw present in Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (

Adobe ColdFusion Unauthenticated Remote Code Execution

This Metasploit module exploits a remote unauthenticated deserialization of untrusted data vulnerability in Adobe ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier, in order to gain remote code execution.

CISA Issues Urgent Warning: Adobe ColdFusion Vulnerability Exploited in the Wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 15 added a security vulnerability impacting Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The critical flaw in question is CVE-2023-26360 (CVSS score: 8.6), which could be exploited by a threat actor to achieve arbitrary code execution. "Adobe ColdFusion

Update now! Microsoft fixes two zero-day bugs

Categories: Exploits and vulnerabilities Categories: News Tags: patch Tuesday Tags: March Tags: 2023 Tags: Microsoft Tags: Adobe Tags: Fortinet Tags: Android Tags: SAP Tags: CVE-2023-23397 Tags: CVE-2023-24880 Tags: CVE-2023-26360 Tags: CVE-2022-41328 This Patch Tuesday, Microsoft has released fixes for two actively exploited zero-days and Adobe has fixed one. (Read more...) The post Update now! Microsoft fixes two zero-day bugs appeared first on Malwarebytes Labs.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907