Adobe ColdFusion Security Patches for July, 2023

Updated: Apr 25

On July 11, 2023, Adobe released the security bulletin APSB23-40 containing links to security updates for ColdFusion 2023, 2021, and 2018. According to Adobe, these updates resolve "critical" and "important" vulnerabilities that could lead to arbitrary code execution and security feature bypass. CF Webtools updates its own and its customers' non-production servers first (staging/testing/etc.) before patching production, to test for any breaking changes or bugs. So far, as of July 13, we have heard good reports from the community about this update. You may run into a vulnerability scanner reporting on the "log4j" issue in the backup folder that the update leaves behind. We recommend moving that backup folder to an "offline" location to prevent this.


Addressed Common Vulnerabilities and Exposures (CVE)


CVE-2023-29298: Adobe ColdFusion Access Control Bypass (Critical)

Reported on April 11th, 2023 by Stephen Fewer, Principal Security Researcher at Rapid7, and disclosed to the public on July 11th, 2023.


This CVE addresses a vulnerability in the feature that restricts external access to the ColdFusion Administrator via an IP whitelist. The vulnerability allows access to the ColdFusion Administrator endpoints by inserting an unexpected additional forward slash character in the requested URL. This includes every CFM and CFC within the /CFIDE path. The IP whitelist feature is enabled either in the ColdFusion Administrator or by enabling "Production Profile + Secure Profile".


This vulnerability affects:

  • Adobe ColdFusion 2023

  • Adobe ColdFusion 2021 Update 6 and below

  • Adobe ColdFusion 2018 Update 16 and below


CF Webtools additionally recommends filtering the /CFIDE path from public access using the web server's configuration.

This stops such requests at the web server, so they never reach the ColdFusion server. To access the ColdFusion Administrator, you would instead use the ColdFusion "internal webserver" port, such as 8500. With this setup, this vulnerability is much less relevant. As Adobe ColdFusion 2016 and prior may have the same vulnerability, it is important to have web server filtering in place for those versions if you are still running them.


In IIS, use URL "Request Filtering" and deny /CFIDE. In Apache HTTPD, you would use the Location setting to deny it. In earlier versions of ColdFusion, you would need to explicitly deny individual files and folders located in CFIDE, because specific files, such as GraphData.cfm, were used to render charts. If you open up the ColdFusion port (i.e., 8500) to the Internet directly, or wish to protect against potentially malicious internal traffic, you would need to use the IP whitelisting feature of the ColdFusion Administrator. Other services, such as reverse proxies and NGINX, need equivalent filter settings configured.
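An Apache HTTPD 2.4 fragment implementing the /CFIDE filtering described above, added here as an example; it is not from the original post or from Adobe. It assumes Apache 2.4 `Require` syntax and that the site serves no application assets (charts, scripts) out of /CFIDE, as is the case on current ColdFusion versions.

```apache
# Added example (not from the original post or Adobe): deny the /CFIDE path
# at the Apache HTTPD layer so the request is stopped at the web server and
# never reaches ColdFusion. Place it inside the relevant <VirtualHost> and
# reload httpd afterwards.
#
# A regex <LocationMatch> is used instead of a plain <Location /CFIDE> so the
# rule holds regardless of the MergeSlashes setting (the leading "/+" tolerates
# repeated slashes) and regardless of case ("(?i)"), because on Windows
# /cfide and /CFIDE resolve to the same folder.
<LocationMatch "(?i)^/+CFIDE(/|$)">
    Require all denied
</LocationMatch>

# Administrators then reach the ColdFusion Administrator through the internal
# web server port (for example 8500) from the internal network, as the post
# describes. On older ColdFusion versions that still serve files such as
# GraphData.cfm from /CFIDE, narrow the match to the folders you actually
# need to block rather than the whole path.
```

Verify the rule with `apachectl configtest` before reloading, then confirm from outside the network that a request for /CFIDE/administrator/ is refused while the application itself still responds.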


CVE-2023-29300: Deserialization of Untrusted Data (Critical)

Reported by Nicolas Zilio (CrowdStrike)


According to mitre.org, attackers can modify unexpected objects or data that was assumed to be safe from modification during data deserialization. One potential risk is that arbitrary malicious code may be executed.


CVE-2023-29301: Improper Restriction of Excessive Authentication Attempts (Important)

Reported by Brian Reilly


The reporter, Brian, tweeted on June 11, 2023 that there was "more info to come".


JVM Updates


The security bulletin states: "Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 17 where applicable. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server." This wording is tricky, and according to RaviShankar Chagnur and Mark Takata, DO NOT UPDATE TO JVM 17 for use with ColdFusion 2021 or 2018. These versions will NOT support it. The key phrase here is "where applicable". Both 2021 and 2018 only support JVM 11.


However, do be sure to update your JDK to 17.0.7 on 2023 and JDK 11.0.19 on 2021 and 2018. Per Adobe, applying the ColdFusion update without a corresponding JDK update will NOT secure the server.


Each Tech Note (KB) page references JVM flag changes. This is NOT for installations that were completed as a standalone installation, which is very common. This is ONLY for those who have deployed ColdFusion as a WAR or EAR on a JEE server, like Tomcat, WebLogic, or Wildfly.


Other Notes


In the original 2021 U7 Tech Note / KB, it stated: "Note: If you've created a mapping of the cf_scripts folder, you must copy the contents of the downloaded zip into CF_SCRIPTS/scripts/ajax folder to download the ajax package." We have reached out to the community discussions for answers on this. While we have not received a response on this, it has now been removed from the Tech Note / KB.


No connector configuration is required for this update. After applying this update, you must reinstall any custom hotfixes that might have been applied earlier.


We do recommend a manual patch as opposed to using the UI. Additionally, we recommend clearing your cfclasses folder and clearing your CFC cache. These steps have been found to prevent issues that have arisen with other updates over time.


Resources


Update Sources


Note: For all three versions, Adobe instructs you also to download the current "Server Auto-Lockdown" tool and apply it. It can be downloaded from the "Download ColdFusion" page. As of July 11, 2023, it is unclear what this new version corrects.


Help Me


CF Webtools is here to help you with updating or troubleshooting your Adobe ColdFusion server. We are a proud Adobe ColdFusion Development Partner. Call us at (402) 408-3733 or email us at sales@cfwebtools.com for assistance. More information can be found on our website at cfwebtools.com.