Adobe Releases Security Updates for ColdFusion - 20231124002

Overview

Adobe has released security updates for ColdFusion versions 2023 and 2021. These updates resolve critical, important and moderate vulnerabilities that could lead to arbitrary code execution and security feature bypass.

What is the vulnerability?

• CVE-2023-44350 - Arbitrary code execution - CVSS v3 Base Score: 9.8
• CVE-2023-26347 - Security feature bypass - CVSS v3 Base Score: 7.5
• CVE-2023-44351 - Arbitrary code execution - CVSS v3 Base Score: 9.8

What is vulnerable?

The vulnerability affects the following products:

• ColdFusion 2023
  • Update 5 and earlier versions
• ColdFusion 2021
  • Update 11 and earlier versions

What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of one month (refer Patch Management):

• Adobe Security Bulletin - APSB23-52

Additional References

• CISA Alert for ColdFusion