Carding
Professional
Experts assessed the vulnerability as critical and recommended urgently updating the affected software.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability CVE-2023-26359 to its catalog of known exploited vulnerabilities because of active exploitation by hackers. Experts gave it a severity rating of 9.8 out of 10 on the CVSS scale.
The vulnerability is a data deserialization bug in Adobe ColdFusion 2018 (up to Update 15 inclusive) and Adobe ColdFusion 2021 (up to Update 5 inclusive). It allows attackers to execute arbitrary code on vulnerable systems.
Serialization turns an object into a data format that can be restored later, as is the case with JSON and XML and their serialized data. Deserialization is the reverse of this process, in which data structured in a particular format is reassembled into an object.
When deserialization is performed without verifying the source's validity, it may result in denial of service or malicious code execution.
All critical vulnerabilities that could lead to memory leaks were fixed back in March. It is not yet clear exactly how they are being exploited by hackers, but Adobe itself states that this happens only in very limited attack scenarios.
Due to active exploitation, US federal civilian agencies must install all necessary patches by September 11 to protect themselves from potential threats.
Adobe recommends applying the security settings described in the ColdFusion security guides and updating the ColdFusion JDK/JRE to the latest LTS version of JDK 11. Without a proper JDK update, installing a patch for ColdFusion will not ensure server security.
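A defender-side illustration of the check the deserialization paragraph above describes, added here and not part of the original post or of Adobe's code: a Java ObjectInputFilter allow-list (JEP 290, available in JDK 9+ and backported to 8u121+) that rejects any class not explicitly permitted before it is instantiated. The Greeting class and the filter pattern are constructed for this example.

```java
import java.io.*;
public class SafeDeserializeDemo {
    // Allow-listed type that the application legitimately exchanges (constructed for the example).
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }
    // Filter pattern: allow our Greeting class and java.lang.* (needed for the String field),
    // reject everything else ("!*"), and bound graph depth and array sizes against DoS payloads.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "SafeDeserializeDemo$Greeting;java.lang.*;!*;maxdepth=5;maxarray=1000");
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }
    // Unfiltered: whatever class the stream names is resolved and instantiated. This is the
    // unsafe pattern the article describes: the source of the data is never verified.
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }
    // Filtered: every class descriptor is checked against the allow-list before resolution,
    // so an unexpected type fails with InvalidClassException instead of being constructed.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] ok = serialize(new Greeting("hello"));
        // Constructed stand-in for an unexpected class arriving from an untrusted source.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());
        System.out.println("filtered Greeting accepted: " + (deserializeFiltered(ok) instanceof Greeting));
        System.out.println("unfiltered HashMap accepted: " + (deserializeUnfiltered(unexpected) != null));
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Monitoring for InvalidClassException with "filter status: REJECTED" in application logs is a useful detection signal that something is feeding unexpected serialized classes to the endpoint.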