An alert posted by the Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday reported that Adobe has released security updates to address critical zero-day vulnerabilities affecting some of its ColdFusion web development products.
CISA said an attacker can exploit the vulnerabilities to take remote control of an affected system. As of July 18, CISA encourages users and administrators to review the Adobe security release APSB23-41 and apply the necessary updates.
The vulnerabilities affect the following versions of the Adobe products: ColdFusion 2018, Update 17 and earlier versions; ColdFusion 2021, Update 7 and earlier versions; and ColdFusion 2023, Update 1 and earlier versions.
John Bambenek, principal threat hunter at Netenrich, pointed out that Adobe released two advisories in quick succession over the past week: 23-40 for CVE-2023-29298 and 23-41 for CVE-2023-38203.
“Unfortunately, due to some conflicting messages between various companies, the water is a little muddied,” said Bambenek. “However, the latest update to ColdFusion will cover all the disclosed vulnerabilities and should be applied with urgency.”
Bambenek’s comments were confirmed in a blog July 17 by Rapid7 researchers, who determined that the fix Adobe provided for CVE-2023-29298 on July 11 was incomplete, and that a trivially modified exploit still works against the latest version of ColdFusion released July 14.
The Rapid7 researchers notified Adobe that its patch was incomplete. While there is currently no mitigation for CVE-2023-29298, the Rapid7 researchers said updating to the latest available version of ColdFusion, which fixes CVE-2023-38203, should still prevent the attacker behavior their team had observed.
Timothy Morris, chief security advisor at Tanium, also confirmed Bambenek's contention that APSB23-41 would supersede APSB23-40, and cover the various vulnerabilities: CVE-2023-29298, CVE-2023-29300, CVE-2023-29301, and CVE-2023-38203.