Adobe Warns of Critical ColdFusion Bug With PoC Exploit Code

Summary:
Adobe has released emergency security updates to address a critical ColdFusion vulnerability for which proof-of-concept (PoC) exploit code is available. The company released an advisory on Monday, December 23, 2024, stating that the flaw, tracked as CVE-2024-53961, is caused by a path traversal weakness that affects Adobe ColdFusion versions 2023 and 2021 and can enable attackers to read arbitrary files on vulnerable servers. Adobe is aware of the released PoC and has assigned the vulnerability a “Priority 1” severity rating because of its high likelihood of being targeted and exploited in the wild. Despite this rating, Adobe has not disclosed whether the flaw has actually been exploited in the wild yet. Adobe advises customers to review its updated serial filter documentation for more information on blocking insecure Wddx deserialization attacks. Despite its high attack complexity, CVE-2024-53961 requires neither user interaction nor privileges to be exploited. There is no direct impact on system availability, but the potential damage to confidentiality and integrity is significant, as exploitation could lead to unauthorized access to sensitive files.

Security Officer Comments:
This development comes after CISA urged software companies in May 2024 to eliminate path traversal bugs before shipping their products, since such bugs give adversaries an easy route to sensitive credentials and data that can be reused in later attacks, such as brute-force attempts. Last year, CISA flagged two critical flaws in Adobe ColdFusion, and government agencies were mandated to secure their ColdFusion servers. In the past, adversaries have used ColdFusion vulnerabilities to breach outdated government servers for months, which highlights both the targeted nature of these attacks and the importance of prioritizing vulnerabilities in an organization’s patch management program according to their potential impact on the confidentiality, integrity, and availability of data.

Suggested Corrections:

  • Restrict access to systems and applications known to be vulnerable by limiting user permissions and implementing least privilege principles.
  • Consider temporarily disabling affected functionalities if possible.
  • Increase network monitoring for suspicious activity related to the vulnerable system, including unusual traffic patterns or attempts to exploit the vulnerability.
  • Implement intrusion detection and prevention systems (IDS/IPS) to identify potential exploitation attempts.
  • Review and activate your incident response plan to be prepared to handle a potential security breach related to the vulnerability.
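As a concrete starting point for the monitoring step above, the following is an added example (not code from the advisory, Adobe, or BleepingComputer) that scans web-server access logs for directory-traversal sequences in the request target. It assumes the common "combined" log format and uses constructed sample lines; it does not encode any endpoint or payload specific to CVE-2024-53961, since the advisory publishes none. The decoder undoes single and double URL-encoding before matching, because encoded `..` sequences are a common way traversal attempts slip past naive string filters.

```python
"""Flag HTTP requests whose path or query carries a directory-traversal sequence.

Added example, not part of the advisory: undoes URL-encoding (including double
encoding) and looks for ".." bounded by separators, so that log monitoring has
something concrete to run over access logs from a ColdFusion front end.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in the "combined" access-log format. These are made
# up for the example and are not indicators from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Dec/2024:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.11 - - [24/Dec/2024:10:01:05 +0000] "GET /app/view.cfm?file=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/8.4"
203.0.113.12 - - [24/Dec/2024:10:01:07 +0000] "GET /app/view.cfm?file=..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 404 312 "-" "python-requests/2.31"
203.0.113.13 - - [24/Dec/2024:10:01:09 +0000] "GET /app/view.cfm?file=%252e%252e%252f%252e%252e%252fconfig HTTP/1.1" 200 900 "-" "-"
203.0.113.14 - - [24/Dec/2024:10:01:11 +0000] "GET /static/img/logo.png HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
"""

# client ip, identd, user, [timestamp], "METHOD target protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# ".." bounded by a separator on both sides, evaluated after decoding.
# Backslashes are normalised to "/" first so Windows-style sequences match too.
TRAVERSAL_RE = re.compile(r'(?:^|[/=?&;])\.\.(?:/|$)')


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo URL-encoding repeatedly (bounded) so that %252e%252e%252f and
    %2e%2e%2f both resolve to '../'. The bound prevents pathological input
    from keeping the decoder busy."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace('\\', '/')


def find_traversal_requests(log_text: str) -> list[dict]:
    """Return one finding per request whose decoded target contains a
    traversal sequence. A 2xx response on such a request gets the first look,
    because the server may actually have served the file; anything else is
    still recorded as an attempt worth correlating with the source address."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production pipeline would count these
        decoded = decode_fully(m['target'])
        if TRAVERSAL_RE.search(decoded):
            status = int(m['status'])
            findings.append({
                'ip': m['ip'],
                'timestamp': m['ts'],
                'raw': m['target'],
                'decoded': decoded,
                'status': status,
                'verdict': 'possible-success' if 200 <= status < 300 else 'attempt',
            })
    return findings


if __name__ == '__main__':
    for f in find_traversal_requests(SAMPLE_LOG):
        print(f"{f['ip']:<14} {f['verdict']:<17} {f['decoded']}")
```

Run over the constructed sample it flags three of the five requests: the plain `../` attempt, the single-encoded `%2F` variant, and the double-encoded `%252e` variant, while the benign `index.cfm` and `logo.png` requests pass. In practice you would feed it the real access log, pair the `possible-success` findings with the patch status of the host (ColdFusion 2021 Update 18 / 2023 Update 12), and treat repeated attempts from one address as a signal for the incident response step that follows.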

Adobe advises administrators to install yesterday's emergency security patches (ColdFusion 2021 Update 18 and ColdFusion 2023 Update 12) as soon as possible, "for example, within 72 hours," and apply security configuration settings outlined in the ColdFusion 2023 and ColdFusion 2021 lockdown guides.

Link(s):
https://www.bleepingcomputer.com/news/security/adobe-warns-of-critical-coldfusion-bug-with-poc-exploit-code/

https://helpx.adobe.com/security/products/coldfusion/apsb24-107.html