
Announcing CF update released Jul 14 2023: a second priority 1 security update in one week

Just days after a P1 security update released on Jul 11, Adobe has released yet another on Jul 14 (CF2023 update 2, CF2021 update 8, and CF2018 update 18). (I don't recall such a short gap between updates before, so yes: it's unusual.)

For more on the update, and some additional thoughts, read on.

Update: Just 5 days after this update, there was yet another P1 CF security update. I discuss that in this subsequent post, but you may still want to read this one for what I'd shared at the time of that post.

As with the last update (which I blogged about here), you can find the links to the specific updates (CF2023 update 2, CF2021 update 8, and CF2018 update 18) offered in the security bulletin, as well as in their blog post the same day about the update. (BTW, yes, for the first few hours after the release of the update, the security bulletin was getting a 404. One reason I held off posting this until that evening was to see and be able to assess that.)

Like the last one, this one also "resolves a critical vulnerability that could lead to arbitrary code execution." There is no further detail that I know of.

And like the last one (the ones for CF2021 and 2023, specifically), those doing a manual offline install will notice that Adobe is offering only the jar, not the zip (holding a complete repo for use by the CFPM tool). FWIW, the CF2021 update 8 technote indicates this, saying (rather confusingly) that "you need not download the bundle's folder". And though the CF2023 update 2 technote doesn't make the same clarification, it seems clear the same point applies.

Something of interest to some readers is that this newer APSB security bulletin does at least change its wording about the need of a Java update to NOT refer to Java 17 (as in the previous bulletin, and discussed in my previous post). It now reads, "Adobe recommends updating your ColdFusion JDK/JRE LTS version to the latest update release".

I would recommend you read my post from earlier this week, as there are details I offered there which I do not repeat here.

Finally, as for CF2018, while the previous update this week was to be its LAST update (as its end-of-life date was in fact yesterday), it seems THIS update is now due to be its last.

Again, I'm afraid there's no further information I can offer than what's offered in Adobe's resources on this update. I'm just posting this for the sake of readers of my blog. (Some people may not log into the admin or set up any of various ways to be otherwise notified when an update is released.) But like the last one, if I learn anything interesting, I will update this post.

Comments
Rapid7 indicates that the recent CF updates were for a zero day. Their site also includes information about how the issues were exploited, which will be useful when you review your logs to see if you were successfully attacked. Here is a link to their blog post: https://www.rapid7.c...
# Posted By Vincent Krist | 7/18/23 11:08 AM
Vincent, yep, I was aware of that article (learned of it earlier today). Thanks for sharing the link for folks.

I will note that while that post indicates that "There is currently no mitigation", that may not be the final/complete answer. Note how it refers to the _cfclient querystring, and notice that in my first post last week (on the Jul 11 CF update), I did point out how my March blog post on the previous CF update discussed ways to BLOCK ALL REQUESTS using that _cfclient querystring. I also elaborate there on what it's about, how one can determine if they may have any legit use of it (most do not), and much more. See https://www.carehart...

As I've said elsewhere, it's just not clear how many of the recently closed vulns DO work based on the _cfclient querystring. That post is about all we have to go on, as I've not seen any others. While those on cf2018 and above can apply these fixes to address what Adobe has found, it's just not clear (for now) what those on cf2016 can or should do, other than block requests with that querystring.
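
For the log review and the _cfclient querystring mentioned in the comments above, here is a sketch of a scan over web server access logs for requests carrying that parameter. It is an added example, not part of the original post or comments and not code from Adobe or Rapid7. It assumes logs in the common/combined access-log format, and the sample lines, IPs and paths are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed format: common/combined access log,
#   ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def has_cfclient(target: str) -> bool:
    """True if the request target carries a _cfclient query parameter."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes names, so an encoded name is caught too;
    # keep_blank_values keeps a bare "_cfclient" with no value.
    for name, _ in parse_qsl(query, keep_blank_values=True):
        # CFML names are case-insensitive, so compare in lower case.
        if name.strip().lower() == "_cfclient":
            return True
    return False

def find_cfclient_requests(lines):
    """Return (ip, timestamp, method, path, status) for each matching line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and has_cfclient(m["target"]):
            path = urlsplit(m["target"]).path
            hits.append((m["ip"], m["ts"], m["method"], path, int(m["status"])))
    return hits

# Constructed sample lines (documentation IPs, hypothetical paths), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [15/Jul/2023:10:01:02 +0000] "GET /index.cfm?id=4 HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/Jul/2023:10:01:05 +0000] "POST /example/page.cfm?a=1&_cfclient=true HTTP/1.1" 200 87',
    '203.0.113.9 - - [15/Jul/2023:10:01:09 +0000] "GET /example/page.cfm?%5FCFCLIENT=true HTTP/1.1" 403 0',
    '198.51.100.7 - - [15/Jul/2023:10:02:00 +0000] "GET /search.cfm?q=_cfclient HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in find_cfclient_requests(SAMPLE):
        print(hit)
```

A hit with a 403 status suggests a block rule for that querystring is in effect; a hit with a 200 status is a request worth reviewing against whether the application has any legitimate use of the parameter.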
Copyright ©2025 Charlie Arehart