
ColdFusion zero day exploit?

LEGEND, Feb 13, 2019


(Raises hand)

Can anyone, here, tell me about the most recently discovered CF zero day exploit?

I'm not an admin, but I've been coding CF since late 2000 and am curious about what is known about this most recent exploit.

V/r,

^ _ ^

Community Expert, Feb 13, 2019


I don't really follow CF exploits that closely, but the last one I remember is one that allows file uploading through CKEditor. Rich-text editors are just generally more likely to be vulnerable to all sorts of stuff because of the complexity of what they do. My recommendation would just be to keep untrusted users away from being able to even access rich-text editors. This is done through network access controls and user authentication/authorization.

Dave Watts, Eidolon LLC

LEGEND, Feb 13, 2019


Hi, Dave,

We already strip out all HTML in any user input forms we have.  But I heard that a new zero day exploit in CF was announced, this morning, and I'm trying to learn about it.

V/r,

^ _ ^

Community Expert, Feb 13, 2019


Well, stripping out HTML from user input might not be enough if a malicious user can upload a file via MIME, and again a lot of the CF vulnerabilities I've seen have actually been CKEditor vulnerabilities. But taking a look at the Adobe security bulletin, it tells me there are four CVE numbers for arbitrary code execution due to deserialization of untrusted data, and that could come from any incoming request I suspect. That's always a bad thing. There are also CVE numbers for arbitrary code execution via unrestricted file upload (like I described with CKEditor but I suppose it could be something else) and arbitrary file overwrite via "use of a component with a known vulnerability". Those are all critical vulnerabilities, but there are a couple more important and moderate vulnerabilities there as well.

Each of these has a CVE number, and you can look them up in the CVE database:

CVE - Common Vulnerabilities and Exposures (CVE)

From there, there are typically links to other sites to tell you more about the specific vulnerability in question. That said, they don't usually give you a sample exploit or anything like that, they just describe the problem in more detail sometimes.

It looks like a lot of them may require an update to the JVM, so perhaps some of the vulnerabilities are themselves in the older JVMs.

Finally, in a properly configured environment, you may find that these vulnerabilities don't affect you. The best way to get to that properly configured environment generally is to follow the lockdown guides from Adobe. The auto-lockdown feature in CF 2018 has had some problems, so you might not want to go that way, but you'll find that most of the lockdown information in the previous guide for CF 2016 is still useful.

Dave Watts, Eidolon LLC
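The "deserialization of untrusted data" class of bug Dave mentions is, on the JVM ColdFusion runs on, mitigated by refusing to resolve any class the application did not expect before its readObject logic runs. The following is an added example, not code from this thread, from Adobe or from ColdFusion itself: it uses the java.io.ObjectInputFilter API (JDK 9 and later; JDK 8u121 and later accept the same pattern syntax process-wide through the jdk.serialFilter system property, which can be set in the JVM arguments the server is started with). The SessionTicket class and the two constructed byte streams are hypothetical stand-ins for a request payload.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

/**
 * Added example (not ColdFusion's or Adobe's code): reading a serialized
 * payload with an allow-list filter installed, so that any class other than
 * the one the application expects is rejected before it is instantiated.
 */
public class DeserializationFilterDemo {

    /** Hypothetical message type the application legitimately exchanges. */
    static final class SessionTicket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        final int seq;
        SessionTicket(String user, int seq) { this.user = user; this.seq = seq; }
    }

    /**
     * Allow-list filter: only our ticket class and java.lang.String may be
     * resolved; "!*" rejects everything else. maxdepth/maxbytes bound the
     * object graph so an oversized or deeply nested stream is refused too.
     */
    static final ObjectInputFilter TICKET_ONLY =
        ObjectInputFilter.Config.createFilter(
            "DeserializationFilterDemo$SessionTicket;java.lang.String;"
            + "maxdepth=3;maxbytes=1024;!*");

    /** Helper used only to construct the sample inputs below. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserializes with the filter set before the first object is read. */
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(TICKET_ONLY);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: the expected type, and an unexpected
        // (but perfectly serializable) type the application never asked for.
        byte[] expected = serialize(new SessionTicket("alice", 7));
        byte[] unexpected = serialize(new ArrayList<String>());

        SessionTicket t = (SessionTicket) readFiltered(expected);
        System.out.println("accepted: user=" + t.user + " seq=" + t.seq);

        try {
            readFiltered(unexpected);
            System.out.println("BUG: unexpected type was accepted");
        } catch (InvalidClassException e) {
            // The filter returned REJECTED for java.util.ArrayList, so
            // ObjectInputStream threw before any of its readObject code ran.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is consulted for every class the stream names, so the decision is made on the class name alone and never depends on the payload's own code. An allow-list is the right shape here: a deny-list of known gadget classes has to be maintained as new ones are found, whereas an allow-list only changes when the application's own message types change.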

LEGEND, Feb 14, 2019


Thanks for all the info, Dave. I'm checking the link as soon as I'm done with this reply.

Working for USG DoD, not only do we follow the lockdown guide, we take it further. Stripping out HTML is just one step. We do not have any forms that allow file upload on public-facing pages, period. And there are other things I'm not allowed to discuss.

Anyhoo... I'm off to check that CVE database. Thank you, again, for that link.

V/r,

^ _ ^

UPDATE: Also, we do NOT use CKEditor or any other RTF enabled form fields.

Community Expert, Feb 14, 2019


One thing I'd recommend is to use a reverse proxy environment. I recommend this all the time but no one listens. This doesn't make things completely secure - that is impossible - but it significantly improves security at a fairly minimal cost of complexity and effort.

Dave Watts, Eidolon LLC

Enthusiast, Feb 14, 2019


Are you talking about this: Adobe Security Bulletin APSB19-10?

If so, that is not technically a zero-day unless it was being exploited before the patch was released. I didn't hear that was the case, but maybe you heard something I didn't.

I found one of those vulnerabilities in the hotfix, so I do know the details of it, but I don't usually post details publicly (even when patches exist). Feel free to email me, my first name (4 letters) at foundeo.com

LEGEND, Feb 14, 2019


I cannot say with authority as to what specific vulnerability, but the tech who mentioned it to me, yesterday, did mention something about deserialization, so the link you provided could be it. Thank you for the link. I'll cross-reference those CVE numbers to the database link that Dave provided and get the details on them.

Thanks for the link.

V/r,

^ _ ^

LEGEND, Feb 14, 2019

Well... how do you like that? The CVE database hasn't been updated, yet. Those numbers still show as RESERVED.

SMH

V/r,

^ _ ^
