Adobe Patches Critical Deserialization Vulnerability, but Exploits Persist

Published: 23/11/2024   Category: security




The vulnerability was being exploited in the wild, targeting two versions of Adobe ColdFusion.



CISA has added a vulnerability — cataloged as CVE-2023-26359 — to the Known Exploited Vulnerabilities Catalog with a CVSS score of 9.8 due to active exploitation.
The vulnerability is a deserialization flaw affecting Adobe ColdFusion 2018 (Update 15 and earlier) and Adobe ColdFusion 2021 (Update 5 and earlier) and has the potential to result in arbitrary code execution.
Serialization converts an object into a data format, such as JSON or XML, from which the object can later be restored. Deserialization is the reverse of this process: data structured in such a format is rebuilt into an object. When deserialization accepts input without verifying that it comes from a trusted source, it can lead to denial of service or code execution.
These vulnerabilities, rated critical and important and capable of causing memory leaks, were patched in March. It is unclear how the flaw is being exploited in the wild, but Adobe states that this is occurring only in very limited attacks.
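The distinction above, as an added example that is not part of the original article or of Adobe's ColdFusion code: a plain Java ObjectInputStream beside one constrained by the JDK's built-in serialization filter (the class name, field and sample values are assumptions made for the demonstration).

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;
// Added example, not Adobe or ColdFusion code: JDK serialization filtering
// (JEP 290, present in every JDK 11 LTS build) decides which classes an
// ObjectInputStream may rebuild before any of their code runs.
public class DeserializationFilterDemo {
    // Hypothetical application type that is legitimately expected on the wire.
    public static final class SessionToken implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        SessionToken(String user) { this.user = user; }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }
    // Vulnerable pattern: rebuilds whatever class the byte stream names.
    static Object deserializeUnchecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }
    // Hardened pattern: allow-list the expected class, reject everything else
    // ("!*"), and cap depth and size so a crafted stream cannot exhaust memory.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter("maxdepth=5;maxbytes=4096;"
                + SessionToken.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new SessionToken("alice"));
        System.out.println("filtered accepted: " + ((SessionToken) deserializeFiltered(expected)).user);
        // Constructed stand-in for a class the application never expects: a harmless ArrayList.
        byte[] unexpected = serialize(new ArrayList<>(List.of("x")));
        System.out.println("unchecked rebuilt: " + deserializeUnchecked(unexpected));
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected: " + e.getMessage());
        }
    }
}
```

The unchecked path instantiates the unexpected class; the filtered path throws InvalidClassException before any of that class's deserialization code runs.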
Because of this active exploitation, Federal Civilian Executive Branch (FCEB) agencies have a Sept. 11 deadline to apply these patches and protect against potential threats.
Adobe recommends that customers apply the security configuration settings outlined on the ColdFusion Security page and review the respective Lockdown guides. It also recommends updating the ColdFusion JDK/JRE to the latest LTS release of JDK 11, because applying the ColdFusion update without the corresponding JDK update does not result in a secure server.
Adobe credits Patrick Vares for reporting the issues related to vulnerability CVE-2023-26359.
