Adobe Patches Critical Deserialization Vulnerability, but Exploits Persist

The vulnerability was being exploited in the wild, targeting two versions of Adobe ColdFusion.

Dark Reading Staff, Dark Reading

August 22, 2023


CISA has added a vulnerability — cataloged as CVE-2023-26359 — to the Known Exploited Vulnerabilities Catalog with a CVSS score of 9.8 due to active exploitation.

The vulnerability is a deserialization flaw affecting Adobe ColdFusion 2018 (Update 15 and earlier) and Adobe ColdFusion 2021 (Update 5 and earlier) and has the potential to result in arbitrary code execution.

Serialization turns an object into a data format, such as JSON or XML, from which the object can later be restored. Deserialization is the reverse of this process: data structured in such a format is rebuilt into an object. When deserialization occurs without validating that the data comes from a trusted source, it can lead to denial of service or code execution.
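As an added illustration of the defensive point above (this is example code, not Adobe's or ColdFusion's, and it does not reproduce the patched flaw), the following Java program deserializes a byte stream only if every class in it is on an explicit allowlist, using the `ObjectInputFilter` API that has shipped since JDK 9 and so is present in the JDK 11 LTS the article mentions. The allowlist contents and the two sample objects are constructed for the demonstration.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;

// Added example: accept a serialized object only when every class it contains
// is explicitly allowlisted. Any other class is rejected before its constructor
// or readObject() can run, which is the point at which untrusted data becomes
// code execution.
public class SafeDeserialize {

    // Constructed allowlist for this demo. "!*" rejects everything not listed.
    // java.lang.Number is included because it is the Serializable superclass
    // of Integer and its class descriptor also appears in the stream.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
        "java.util.HashMap;java.lang.String;java.lang.Integer;java.lang.Number;!*");

    // Deserialize with the filter attached; a disallowed class raises
    // InvalidClassException instead of being instantiated.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    // Helper to build sample input in place of data arriving over the network.
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an ordinary map, which the filter accepts.
        Map<String, Integer> allowed = new HashMap<>();
        allowed.put("updates", 15);
        System.out.println("accepted: " + deserialize(serialize((Serializable) allowed)));

        // Constructed sample input: a class that is not on the allowlist.
        // The filter rejects it when its class descriptor is read.
        try {
            deserialize(serialize(new java.util.Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be applied process-wide with `ObjectInputFilter.Config.setSerialFilter(...)` so that code paths which never call `setObjectInputFilter` are still covered.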

These vulnerabilities, rated critical and important and capable of causing memory leaks, were patched in March. It is unclear how the flaw is being exploited in the wild, but Adobe states that this is only occurring "in very limited attacks."

Because of this active exploitation, Federal Civilian Executive Branch (FCEB) agencies have a Sept. 11 deadline to apply these patches and protect against potential threats. 

Adobe recommends that customers apply the security configuration settings "as outlined on the ColdFusion Security page as well as review the respective Lockdown guides." It also recommends "updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 11." This is because applying the ColdFusion update without a corresponding JDK update will not leave the server secure.

Adobe credits Patrick Vares for reporting the issues related to vulnerability CVE-2023-26359.
