Headline
CVE-2023-44355: Adobe Security Bulletin
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An unauthenticated attacker could leverage this vulnerability to impact a minor integrity feature. Exploitation of this issue does require user interaction.
Security updates available for Adobe ColdFusion | APSB23-52
Adobe has released security updates for ColdFusion versions 2023 and 2021. These updates resolve critical, important and moderate vulnerabilities that could lead to arbitrary code execution and security feature bypass.
Adobe categorizes these updates with the following priority rating and recommends users update their installations to the newest versions:
Adobe would like to thank the following researchers for reporting this issue and for working with Adobe to help protect our customers:
Brian Reilly - CVE-2023-44350, CVE-2023-44355
Daniel Jensen - CVE-2023-44351
pwnii (pwnwithlove) - CVE-2023-44352
McCaulay Hudson - CVE-2023-44353
Matthew Galligan and Jon Cagan, CISA - CVE-2023-26347
NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.
ColdFusion JDK Requirement
COLDFUSION 2023 (version 2023.0.0.330468) and above
For Application Servers
On JEE installations, set the following JVM flag, “-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**" in the respective startup file depending on the type of Application Server being used.
For example:
Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
COLDFUSION 2021 (version 2021.0.0.323925) and above
For Application Servers
On JEE installations, set the following JVM flag, “-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**"
in the respective startup file depending on the type of Application Server being used.
For example:
Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
For more information, visit https://helpx.adobe.com/security.html , or email [email protected]