New emergency updates for Adobe Coldfusion

Once again Adobe has to distribute out-of-band updates for its Adobe Coldfusion software. They close three security vulnerabilities, one of which has already been exploited in attacks on systems running Adobe Coldfusion, the company says. The updates are available for Coldfusion 2018, 2021 and 2023 and all carry the highest priority level. With this prioritization, Adobe advises IT managers to install the updates as soon as possible.


Just a few days ago, Adobe released a patch for Coldfusion outside of the usual update schedule. That one fixed a flaw in the deserialization of untrusted data (CVE-2023-38203, CVSS 9.8, risk "critical"). Now fixes follow for the bugs CVE-2023-38204, CVE-2023-38205 and CVE-2023-38206. CVE-2023-38204 allows arbitrary code to be executed on the affected system. This vulnerability is rated "critical" and scores 9.8 on the Common Vulnerability Scoring System (CVSS), whose scale goes up to ten.

The other two bugs allow attackers to bypass security measures. CVE-2023-38205 is also rated "critical", with a CVSS score of 7.5; this is the vulnerability that Adobe reports as already being actively exploited in the wild. CVE-2023-38206 is considered "moderately" dangerous and has a CVSS score of 5.3.

Since Adobe has given all three vulnerabilities a Priority 1 rating, there is a high probability that all three are already being exploited or soon will be. The company also recommends following the security recommendations and lockdown guides for each Coldfusion version. Coldfusion is a Java-based application server for building interactive web applications; it is available in Standard and Enterprise editions.

Adobe provides the update instructions with links and further information separately for each individual version:

(ds)
