Adobe Issues a Third set of Patches in a week for Actively Exploited ColdFusion Issues
Take action: Another patch fatigue moment in the IT industry. If you manage ColdFusion servers, you don't have too many options other than patching the patch of the patch. It may be wise to consider whether you want to continue using these tools long term, and whether the investment in moving to something else is less than the current unfortunate state of ColdFusion security.
Learn More
Adobe has issued another emergency security update for its ColdFusion software, aiming to fix critical vulnerabilities, one of which has already been exploited in limited attacks.
The update addresses three vulnerabilities:
- CVE-2023-38204 (CVSS score 9.8) - a remote code execution bug
- CVE-2023-38205 (CVSS score 7.8) - Improper Access Control issue. This flaw was abused in limited attacks.
- CVE-2023-38206 (CVSS score 5.3) - moderate Improper Access Control flaw
The CVE-2023-38205 flaw is a bypass for the incomplete patch issued for a previously discovered ColdFusion authentication bypass vulnerability CVE-2023-29298.
On July 17th, security searchers found that the fix provided by Adobe for CVE-2023-29298 was incomplete, allowing a trivially modified exploit to still work on the latest version of ColdFusion. This led to the new emergency update.
The fix for CVE-2023-29298 is included in the update (APSB23-47) under the CVE-2023-38205 patch.
