Announcing ColdFusion emergency update released March 14 2023: what to do about it
If you've not heard, a new update has been released (March 14, 2023) for ColdFusion 2021 and 2018. Despite what you may hear, this is an URGENT (rated "Priority 1" by Adobe) update that everyone should apply ASAP, for reasons I will explain in this post. In fact, Hackernews reported yesterday (Mar 16) that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) had issued an urgent warning about this, giving federal agencies a deadline to apply the update.
TLDR; For some folks, the above may be all you need to hear: you may be dropping your coffee and donuts now to get the update applied. Still others will see this "huge post" and think, "crap, I don't have time for this". For you, skip to the bottom and its "concluding key points". You can then decide what you think you do or don't "need to know" and pick and choose from the sections as you like.
Finally, for those who prefer because of the importance of all this to be led more carefully through understanding things (in a way that's worked for the many people I have helped so far this week, and is far more than either Adobe or Hackernews has shared), please do read on.
I know ideally everyone would be on current versions of ColdFusion, but we work with multiple different clients that have different upgrade cycles , and some are waiting for 2023 to come out, so I am looking to support those as much as possible.
If it is not this code, and is someplace else in ColdFusion:
1) Does -Dcoldfusion.cfclient.enable=false work on CF 2016? I am guessing not, but just curious
2) Is there a way that if we are not using CFClient to just remove it from old servers?
Thank you.
Question...the CF Admin has an option "Enable mobile's server workflow" to turn on/off. If this is turned off, is the server still vunerable?
Matt, no, removing cf_scripts is NOT the solution to this problem and it would not help. And yes, I mean even if you or someone you know found evidence that that was used to perpetrate that "specifically crafted URL" I hinted at.
Let me be clear: it's NOT the files in that folder that ARE allowing the hack. So no, the bad guys could use other files. I will have to leave it at that.
Bottom line, it's the _cfclient querystring that is the key to the problem, not the files used in referring to it. I know I'm not giving enough detail for folks to figure things out: and that's the point.
As for the jvm arg, no. As I note in the post, that is NOT something you can "just do" in CF2016. It will mean NOTHING to CF 2016 or 11, or to CF2021 or 2018 before the update is applied. The jvm arg is for someone who APPLIES this update and yet DOES want to be able to use cfclient.
Finally, as for you asking how to remove it from old servers, I'm not aware of any way to. Again, this problem is inherent in how CF itself processed that _cfclient querystring, not some page that was called.
So someone on CF2016 (or 11) should use the other approach I offered, of simply blocking that _cfclient query string. I made that clear. I think you're trying to consider some potential corner cases or alternatives that I might have missed. I get it.
But please let me know if you now feel that you have all the info you need to proceed safely.
That said, nothing about the alternatives I offer should require an alternative. It would seem this would lead to the same result. I'm about to enter another client call so can't test it now.
I can only say this: of all of the products listed as having updates that day, only AEM is "like" CF (in being a Java-based application server). And what it lists are not the same cve's.
I suspect instead this was Adobe's version of a "patch Tuesday", where they released at once many updates for many products.
If somehow time or insights shared here might show that there's indeed some connection among them all, that will be very interesting.
https://www.rapid7.c...
...but they don't connect it readily to this one. Even so, I am fairly confident that what they are finding is the RESULTING bad-guy file that I discussed in this post as the second aspect of the vuln (the "arbitrary code execution", or their ability to cause placement of a bad-guy file on your server.)
Sadly, the Adobe technote and PSIRT/APSB bulletin as well as Mitre CVE's don't give enough detail to readily allow Rapid7 and others to connect the dots to this vuln and the update from last week. And they likely are unaware of my post here.
But I wanted to point this out in case others finding or following this post may "wonder" if that is some "new hack". I really don't think so. Once those folks dig further they should find that the root cause was this _cfclient querystring and the rest of the "specifically crafted url" (which I can't share, as it would allow perpetration of the hack).
Bottom line: get your CF2021 and 2018 updated to the March updates (6 and 16, respectively), or get the block of the _cfclient querystring var in place, all as discussed above.
This addresses CVE-2023-26360 but not CVE-2023-26359, correct?
I suspect you're asking because in the apsb, my name is associated only with the one CVE. You're likely wondering if perhaps my post only covers SOME of the vulns identified in the apsb.
Again, bottom line: folks should apply the update (which clearly prevents the very serious hack as I'd reported to them days before), or implement at least the block I'd offered--whatever is the cve/s that it relates to. I'm afraid Adobe just didn't offer more to help on your question.
I notice Adobe rate this cve as CVSS 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), the Integrity and Availability Impact are None.If this vulnerability can lead to arbitrary code execution, i think the Integrity and Availability Impact should be High.So I wonder if the official patch actually fixes this vulnerability(CVE-2023-26360)
Look forward to your reply, thank you again.
The thing to defend against is the _cfclient in the query string, as discussed (to death) in the post. Here again, the mere presence of that string is not THE HACK, but it's the WAY it's used: just like how a gun in a robbery alone will not kill or wound anyone, but can be USED to do so.
Since these questions remain for you, I think you'd find value in reading the post again, from the top. It was a LOT to take in. I'd hope on second reading any questions would be more completely answered.
Some will benefit from their effort, sure, but of course some will also use it to effect perpetration.
I was careful NOT to show the "how", but we can't control what others may say and do. Anyway, thanks for the heads up.
We've added the Request Filtering in IIS to deny the _cfclient query string on all of our servers and applied the patch to most of them. We are running Java 11.0.11 in most cases but the Security Bulleting mentions:
Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 11. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server. See the relevant Tech Notes for more details.
To your knowledge, is it a requirement to update Java to 11.0.18 to be fully patched?
Thanks in advance.
It's simply there in every CF update--because SOMETIMES an update they do MAY presume to leverage also some aspect of a latest JVM version. But note they are not specific about that (ever), and I am not aware of this fix having anything to do with Java.
That said, given that CF runs on Java it is indeed always wise to run on the latest update of the JVM version which your CF version supports (for the sake of its own security and bug fixes). And for CF2021 and 2018, that is currently (only) Java 11: and the latest 11 is 11.0.18 which came out in January. (11.0.19 will come out next week, FWIW.)
Before you may update the JVM, note that I did a blog post on that 11.0.18 update where I mentioned 3 related issues: one for people moving to 11.0.17 or above, one for people moving to 11.0.11 or above (but you're already there), and one for anyone running the JDK installer for 11.0.18 or above. See that post here:
https://www.carehart...
I would plan to do another post when the next JVM updates come out next week.