Subj : Adobe releases emergency patch for ColdFusion vulnerability
To   : All
From : TechnologyDaily
Date : Thu Jul 20 2023 15:30:03

Adobe releases emergency patch for ColdFusion vulnerability

Date:
Thu, 20 Jul 2023 14:21:26 +0000

Description:
Three ColdFusion vulnerabilities were addressed by Adobe, including a 
zero-day being abused in the wild.

FULL STORY
======================================================================

Adobe has released a patch to fix three vulnerabilities found in its 
ColdFusion commercial rapid web-application development computing platform. 
Of the three vulnerabilities, one is a zero-day, while another one was being 
actively exploited in the wild. 

As per a report on BleepingComputer , the three vulnerabilities in question 
are tracked as CVE-2023-38204 (critical RCE with a 9.8 severity score), 
CVE-2023-38205 (critical Improper Access Control flaw with a 7.8 severity 
score) and CEV-2023-38206 (moderate Improper Access Control with a 5.3 
severity score). 

Despite CVE-2023-38204 being critical, thats not the one being used by 
hackers. Its CVE-2023-38205, the critical Improper Access Control Flaw that 
Adobe saw being leveraged by threat actors.
 Addressing a bypass 

"Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited 
attacks targeting Adobe ColdFusion," the company said in a security advisory. 

The CVE-2023-38205 flaw is a patch bypass for the fix for CVE-2023-29298, 
BleepingComputer further explained. This is a ColdFusion authentication 
bypass that was discovered by Rapid7 some two weeks ago. Read more 

> Patch Adobe Reader now or risk a major security attack 


 > Adobe scrambled to deliver urgent patches for bugs in Photoshop, Bridge, 
Prelude 


 > Here's our rundown of the best malware removal right now 

In mid-July, cybersecurity researchers from Rapid7 saw threat actors using 
multiple vulnerabilities to install webshells on ColdFusion servers. These 
webshells gave them remote access to vulnerable endpoints . While Adobe was 
quick to release a patch, Rapid7 said it could be worked around: 

"Rapid7 researchers determined on Monday, July 17 that the fix Adobe provided 
for CVE-2023-29298 on July 11 is incomplete, and that a trivially modified 
exploit still works against the latest version of ColdFusion (released July 
14)," the researchers said. 

"We have notified Adobe that their patch is incomplete." 

Now, Adobe confirmed to the media that it included a fix for CVE-2023-29298 
in its latest patch. 

Given the fact that the company observed the flaw being used by hackers, 
users are strongly advised to patch their endpoints immediately. Check out 
the best firewalls right now 

Via: BleepingComputer



======================================================================
Link to news story:
https://www.techradar.com/pro/adobe-releases-emergency-patch-for-coldfusion-vu
lnerability


--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)

.