WolfShade
Legend
February 13, 2019
Question

ColdFusion zero day exploit?


(Raises hand)

Can anyone, here, tell me about the most recently discovered CF zero day exploit?

I'm not an admin, but I've been coding CF since late 2000 and am curious about what is known about this most recent exploit.

V/r,

^ _ ^


    2 replies

    pete_freitag
    Participating Frequently
    February 14, 2019

    Are you talking about this: Adobe Security Bulletin APSB19-10?

    If so, that is not technically a zero-day unless it was being exploited before the patch was released. I didn't hear that was the case, but maybe you heard something I didn't.

    I found one of those vulnerabilities in the hotfix, so I do know the details of it, but I don't usually post details publicly (even when patches exist). Feel free to email me, my first name (4 letters) at foundeo.com

    WolfShade (Author)
    Legend
    February 14, 2019

    I cannot say with authority as to what specific vulnerability, but the tech who mentioned it to me, yesterday, did mention something about deserialization, so the link you provided could be it. Thank you for the link. I'll cross-reference those CVE numbers to the database link that Dave provided and get the details on them.

    Thanks for the link.

    V/r,

    ^ _ ^

    Community Expert
    February 13, 2019

    I don't really follow CF exploits that closely, but the last one I remember is one that allows file uploading through CKEditor. Rich-text editors are just generally more likely to be vulnerable to all sorts of stuff because of the complexity of what they do. My recommendation would just be to keep untrusted users away from being able to even access rich-text editors. This is done through network access controls and user authentication/authorization.

    Dave Watts, Eidolon LLC

    WolfShade (Author)
    Legend
    February 13, 2019

    Hi, Dave,

    We already strip out all HTML in any user input forms we have. But I heard that a new zero day exploit in CF was announced, this morning, and I'm trying to learn about it.

    V/r,

    ^ _ ^

    Community Expert
    February 13, 2019

    Well, stripping out HTML from user input might not be enough if a malicious user can upload a file via MIME, and again a lot of the CF vulnerabilities I've seen have actually been CKEditor vulnerabilities. But taking a look at the Adobe security bulletin, it tells me there are four CVE numbers for arbitrary code execution due to deserialization of untrusted data, and that could come from any incoming request I suspect. That's always a bad thing. There are also CVE numbers for arbitrary code execution via unrestricted file upload (like I described with CKEditor but I suppose it could be something else) and arbitrary file overwrite via "use of a component with a known vulnerability". Those are all critical vulnerabilities, but there are a couple more important and moderate vulnerabilities there as well.

    Each of these has a CVE number, and you can look them up in the CVE database:

    CVE - Common Vulnerabilities and Exposures (CVE)

    From there, there are typically links to other sites to tell you more about the specific vulnerability in question. That said, they don't usually give you a sample exploit or anything like that; they just describe the problem in more detail sometimes.

    It looks like a lot of them may require an update to the JVM, so perhaps some of the vulnerabilities are themselves in the older JVMs.

    Finally, in a properly configured environment, you may find that these vulnerabilities don't affect you. The best way to get to that properly configured environment generally is to follow the lockdown guides from Adobe. The auto-lockdown feature in CF 2018 has had some problems, so you might not want to go that way, but you'll find that most of the lockdown information in the previous guide for CF 2016 is still useful.

    Dave Watts, Eidolon LLC
