Quick Hits

Adobe Patches Critical Deserialization Vulnerability, but Exploits Persist

The vulnerability was being exploited in the wild, targeting two versions of Adobe ColdFusion.

CISA has added a vulnerability — cataloged as CVE-2023-26359 — to the Known Exploited Vulnerabilities Catalog with a CVSS score of 9.8 due to active exploitation.

The vulnerability is a deserialization flaw affecting Adobe ColdFusion 2018 (Update 15 and earlier) and Adobe ColdFusion 2021 (Update 5 and earlier) and has the potential to result in arbitrary code execution.

Serialization turns an object into a data format that can be stored or transmitted and restored later; JSON and XML are common serialized forms. Deserialization is the reverse: data in such a format is rebuilt into an object. When an application deserializes data from an untrusted source without validating it, the result can be denial of service or code execution.
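To make the point concrete for a Java application such as ColdFusion, the following added example (not ColdFusion or Adobe code; the endpoint and class names are hypothetical) shows an unfiltered `ObjectInputStream` beside one hardened with a JDK 9+ `ObjectInputFilter` allowlist, which is available in the JDK 11 LTS builds the advisory refers to:

```java
import java.io.*;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

// Added example, not ColdFusion or Adobe code: a hypothetical Java endpoint
// that rebuilds an object from bytes it did not produce (request body, cookie).
public class DeserializationDemo {
    // Used only to construct sample payloads so the example runs offline.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // UNSAFE: instantiates whatever class the stream names. Any serializable
    // class on the classpath can be rebuilt, which is what turns a
    // deserialization flaw into code execution.
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // HARDENED: the filter allowlists only the classes this endpoint expects,
    // rejects everything else ("!*") and caps nesting depth and stream size.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "java.util.ArrayList;java.lang.String;maxdepth=5;maxbytes=65536;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject(); // a rejected class raises InvalidClassException
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new ArrayList<>(List.of("a", "b")));
        System.out.println("allowed: " + deserializeFiltered(expected));
        // A payload naming a class outside the allowlist (a harmless HashMap
        // here) is rejected before any of its deserialization logic runs.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("unfiltered still accepts it: " + deserializeUnfiltered(unexpected));
    }
}
```

The filter runs before any constructor or `readObject` method of the incoming class, so an unexpected class is refused rather than executed; the same allowlist can be applied process-wide with the `jdk.serialFilter` system property.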

The vulnerabilities, rated critical and important and capable of leading to memory leaks, were patched in March. It is unclear how the flaw is being exploited in the wild, but Adobe states that this is only occurring "in very limited attacks."

Because of this active exploitation, Federal Civilian Executive Branch (FCEB) agencies have a Sept. 11 deadline to apply these patches and protect against potential threats. 

Adobe recommends that customers apply the security configuration settings "as outlined on the ColdFusion Security page as well as review the respective Lockdown guides." It also recommends "updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 11." Applying the ColdFusion update without the corresponding JDK update does not yield a secure server.

Adobe credits Patrick Vares for reporting the issues related to vulnerability CVE-2023-26359.