Adobe Patches Critical Deserialization Vulnerability, but Exploits Persist

The vulnerability was being exploited in the wild, targeting two versions of Adobe ColdFusion.

Dark Reading Staff, Dark Reading

August 22, 2023

1 Min Read
a concept image of a lock with the outside covered in green code and the inside of the keyhole covered in red code.
Source: Elena11 via Shutterstock

CISA has added a vulnerability — cataloged as CVE-2023-26359 — to the Known Exploited Vulnerabilities Catalog with a CVSS score of 9.8 due to active exploitation.

The vulnerability is a deserialization flaw affecting Adobe ColdFusion 2018 (Update 15 and earlier) and Adobe ColdFusion 2021 (Update 5 and earlier) and has the potential to result in arbitrary code execution.

Serialization turns an object into a data format that can eventually be restored later, like with JSON and XML and their serialized data. Deserialization is the reverse of this process where data structured in some format is rebuilt into an object. When deserialization occurs without validating a trusted source, it can lead to denial of service or code execution.

These vulnerabilities, which are considered critical and important, and could lead to memory leaks, were patched in March. It is unclear how the flaw is being exploited in the wild, but Adobe states that this is only occurring "in very limited attacks."

Because of this active exploitation, Federal Civilian Executive Branch (FCEB) agencies have a Sept. 11 deadline to apply these patches and protect against potential threats. 

Adobe recommends that customers apply the security configuration settings "as outlined on the ColdFusion Security page as well as review the respective Lockdown guides." It also recommends "updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 11." This is because applying the ColdFusion update without a corresponding JDK update will not allow for a secure server.

Adobe credits Patrick Vares for reporting the issues related to vulnerability CVE-2023-26359.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights