Adobe Resolves Coldfusion Patch Bypass For Exploited Flaw
Adobe has recently released an emergency security update for its ColdFusion software, addressing critical vulnerabilities, including a zero-day exploit. The update focuses on resolving three vulnerabilities, with the most severe being CVE-2023-38204, a remote code execution bug that has not yet been observed in real-world attacks.
Another vulnerability, CVE-2023-38205, was found to have been exploited in limited attacks and serves as a patch bypass for CVE-2023-29298. This latter flaw, discovered by researchers at Rapid7, is an authentication bypass within ColdFusion that has been actively exploited by malicious actors to install webshells. While Rapid7 has identified an incomplete fix for CVE-2023-29298, Adobe has confirmed its inclusion in the APSB23-47 update as the CVE-2023-38205 patch.
Consequently, website operators are strongly advised to promptly install the update to safeguard their ColdFusion servers.
It is worth noting that this development coincides with other security updates, such as Microsoft's Patch Tuesday alert regarding six zero-day vulnerabilities and 132 flaws, as well as Android's July security updates aimed at addressing actively exploited bugs.
What is the Flaw?
The flaw, identified as CVE-2023-29298, is an authentication bypass vulnerability in Adobe ColdFusion that was discovered by Rapid7 researchers and has been actively exploited in attacks on ColdFusion servers.
Attackers have been able to chain exploits for CVE-2023-29298 with other vulnerabilities to install webshells on compromised servers.
The severity of this flaw has prompted Adobe to release an emergency security update to fix the issue. However, Rapid7 researchers have determined that the fix for CVE-2023-29298 included in the update is incomplete.
This means that website operators using ColdFusion servers are urged to promptly install the update to mitigate the risk of exploitation.
It is essential to address this flaw as it poses a significant threat to the security and integrity of ColdFusion servers.
Fixed Vulnerabilities
Three vulnerabilities have been addressed and fixed in the Adobe ColdFusion security update. Among these vulnerabilities, one is a remote code execution bug with a severity rating of 9.8. Fortunately, this particular bug was not exploited in the wild.
Another vulnerability, with a severity rating of 7.8, was abused in limited attacks. The third vulnerability is a patch bypass for a previously discovered flaw, CVE-2023-29298. This patch bypass issue allowed attackers to chain exploits and install webshells on affected systems.
It is worth noting that the fix for CVE-2023-29298 was determined to be incomplete by Rapid7 researchers. Adobe has confirmed that the fix for CVE-2023-29298 is included in the APSB23-47 update as the CVE-2023-38205 patch.
Website operators are strongly advised to promptly install the security update to protect their ColdFusion servers.
CVE-2023-29298 Attack
Discovered by Rapid7 researchers, CVE-2023-29298 was actively exploited by attackers to gain unauthorized access to ColdFusion servers. Attackers utilized exploits for CVE-2023-29298 and other vulnerabilities to install webshells, allowing them to execute arbitrary code and potentially take control of the affected servers. This critical flaw allowed for the bypassing of ColdFusion authentication, enabling attackers to bypass security measures and gain unauthorized access. The severity of the exploit is evident from the fact that Adobe confirmed its inclusion in the APSB23-47 security update as the CVE-2023-38205 patch. Website operators were strongly urged to promptly install the update to mitigate the risk of exploitation.
| Vulnerability | Rating | Exploitation Status |
| CVE-2023-29298 | Unknown | Actively exploited |
Frequently Asked Questions
How did Adobe discover the patch bypass for the exploited ColdFusion flaw?
The patch bypass for the exploited ColdFusion flaw was discovered by Adobe themselves. They identified the issue during their investigation into the vulnerability and confirmed it as part of the fix for CVE-2023-29298.
Are there any known cases of the CVE-2023-38204 vulnerability being exploited in the wild?
There is no evidence of the CVE-2023-38204 vulnerability being exploited in the wild. It is a remote code execution bug that was fixed by Adobe in an emergency ColdFusion security update.
What actions are recommended for website operators who are using ColdFusion servers?
Website operators using ColdFusion servers are recommended to install the emergency security update promptly. This update fixes critical vulnerabilities, including a zero-day exploit, and addresses the CVE-2023-29298 flaw actively exploited in attacks.
Can you provide more details about the six zero-day vulnerabilities mentioned in Microsoft's July 2023 Patch Tuesday?
Microsoft's July 2023 Patch Tuesday disclosed the presence of six zero-day vulnerabilities, along with 132 other flaws. However, the details regarding these specific zero-day vulnerabilities have not been provided in the given context.
Besides the ColdFusion vulnerabilities, what other security updates were released in July 2023 by Microsoft and Android?
In July 2023, Microsoft released security updates warning of 6 zero-day vulnerabilities and addressing 132 flaws. Android also released security updates fixing three actively exploited bugs, including a Mali GPU bug exploited as a zero-day.