When the server receives the crafted packet, it could cause a heap-based buffer overflow due to incorrect validation of user-supplied data. An attacker can leverage this vulnerability to execute arbitrary code on the targeted system. In most cases, an attacker requires user-to-user contact to exploit this issue.

Adobe recommends that users apply the ColdFusion update as soon as possible. In addition to ColdFusion, Adobe recommends applying updates for other components as well. End users can also follow best practices to prevent this issue from being exploited in the first place, such as:

- Restricting network access to trusted individuals only.
- Using a network monitoring solution to track traffic entering the network.
- Ensuring users follow multifactor authentication to prevent unapproved login attempts.

Adobe recommends that users immediately apply the ColdFusion update. Update 14 (and earlier) and Update 4 (and earlier) are affected by a heap-based buffer overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction; the vulnerability is triggered when a crafted network packet is sent to the server.

Adobe ColdFusion Software Update Information

The update resolves a Heap-based Buffer Overflow vulnerability in ColdFusion software.
ColdFusion software running on Microsoft Windows systems is not affected by this update.

Vulnerability overview

If a malicious or unauthorized user sends a crafted network packet to the server, it could cause a heap-based buffer overflow due to incorrect validation of user-supplied data. An attacker can leverage this vulnerability to execute arbitrary code on the targeted system. In most cases, an attacker requires user-to-user contact to exploit this issue.

Adobe ColdFusion Server (CF-Server) Update

Adobe has released an update to the ColdFusion Server (CF-Server) and recommends that users apply it as soon as possible. In addition to the ColdFusion Server, Adobe recommends applying updates for other components as well. End users can also follow best practices to prevent this issue from being exploited in the first place, such as restricting network access to trusted individuals only.

Adobe ColdFusion 11.5.1

Update Exploitation

There has been a lot of discussion about the new Adobe ColdFusion 11.5.1 update, but it appears to have a bigger impact than was originally thought. Adobe released a security advisory concerning a heap-based buffer overflow vulnerability in its ColdFusion web application server that could result in arbitrary code execution in the context of the current user. This issue is triggered when a crafted network packet is sent to the server and can be exploited without user interaction.

The company says this issue affects ColdFusion versions 11, 11.0.2, 11.0.3, 11.0.4, 11.0.5 and 11.1 (CVE-2022-35711). In fact, any version of ColdFusion up to and including Version 14 is affected by this vulnerability (CVE-2022-35711). Adobe has issued Security Advisory APSB14-06 with more specific details on how this issue can be exploited on those products, as well as what users need to do to protect their systems from exploitation, including applying updates for other components.

Adobe ColdFusion Common Vulnerabilities and Exposures (CVE)

Adobe ColdFusion is a powerful application server that enables developers to build dynamic websites, web applications, and mobile applications.

Timeline

Published on: 10/14/2022 20:15:00 UTC
Last modified on: 10/14/2022 20:31:00 UTC
