CVE-2023-26360 – A critical zero-day flaw in Adobe ColdFusion
Adobe’s March security updates addressed an impressive 105 CVEs across various products, including Photoshop, Experience Manager, Dimension, Commerce, Substance 3D Stager, Cloud Desktop Application, and Illustrator. Among these, a zero-day vulnerability in Adobe ColdFusion stands out due to its critical nature and active exploitation.
Adobe ColdFusion Under Fire
The March security patch for Adobe ColdFusion addresses three vulnerabilities, including a critical-rated code execution bug with a CVSS score of 9.8. Adobe has assigned a deployment priority of 1 for this patch, emphasizing the severity of the issue. These vulnerabilities could lead to arbitrary code execution and memory leaks, putting ColdFusion users at risk.
CVE-2023-26359 – CVE-2023-26360: Arbitrary code execution Vulnerabilities
The most significant vulnerability, CVE-2023-26359, is a critical deserialization of untrusted data issue in Adobe ColdFusion. This flaw can lead to arbitrary code execution, making it a high-priority target for attackers. Software giant Adobe released security updates for ColdFusion versions 2021 and 2018 to resolve this critical flaw, tracked as CVE-2023-26360 (CVSS base score 8.6), which was exploited in very limited attacks.
“Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion,” Adobe wrote.
CVE-2023-26361: Memory Leak
Another vulnerability, CVE-2023-26361 (CVSS base score 4.9), is characterized by the improper limitation of a pathname to a restricted directory (‘Path Traversal’), which can result in memory leaks. This less severe vulnerability highlights the importance of thorough security audits and patching all identified issues.
Other Adobe Product Patches
Apart from ColdFusion, Adobe’s March security updates include patches for several other products. The Dimension patch stands out as it addresses nearly 60 CVEs, while the Substance 3D Stager patch fixes 16 bugs, many of which could lead to arbitrary code execution. Experience Manager, Commerce, Photoshop, and Illustrator also received patches to fix various issues, including cross-site scripting (XSS), open redirects, and unauthenticated file system reads.
Update your software
The zero-day vulnerability in Adobe ColdFusion is a stark reminder of the importance of staying vigilant and keeping software up-to-date. With the potential for arbitrary code execution and memory leaks, users must prioritize applying the latest security updates to safeguard their systems. As with any software, always ensure you are running the latest version and have applied all available security patches to minimize the risk of exploitation.