# adobe
r
I’m giving @carehart a quick shout-out for his most recent blog post about the most recent ColdFusion updates and the additional information about what that update addresses and steps needing to be taken. Thank you, Charlie. https://www.carehart.org/blog/2023/3/17/coldfusion_march_2023_emergency_update
⭐ 11
🤘 1
šŸ‘ 3
šŸ™ŒšŸ» 1
a
Excellent work Charlie. Gotta wonder why it's not been mentioned a bit more firmly by someone from Adobe here. Or... maybe on their ColdFusion blog (last post Aug 2022). https://coldfusion.adobe.com/blogs/
I have done my bit to spread the word about this too.
b
I'm thinking sending him something from the Sharper Image catalog would be appropriate.
c
Thanks so much for the kind regards, everyone. And that's indeed its own (sufficient) reward. Those who know me know "I just want to help". And those who stick it out to read the post will see that I was especially torn in this one about what and what not to include. So positive feedback is very much appreciated--though I realize it won't be everyone's cup of tea. Definitely open to feedback, whether there, here, or as dm.
šŸ‘ 3
Btw, Adam, as for Adobe "mention" of it, if you mean the post, well, it went out at just 4am US eastern time so I'd not necessarily expect those who would to have seen it yet. :-) But you mention the blog, and that's indeed an issue I noticed just last night. They HAVE indeed had posts there since Aug, including one Tues on the update. But perhaps you, like me, went to the portal site and its blog page and don't see it or any others recently from them in the "recent blogs" section. Something's clearly amiss, as I KNOW others have been posted which aren't showing there--as I got notified of them via the blog's RSS feed. @Mark Takata (Adobe) or @priyank_adobe, can you get someone to look into that? There's stuff you've both posted that's not showing up (as WE view the site, at least).
a
ah yeah I just searched "ColdFusion blog" and that was the first match. And... I can't find a way to get to the "home page" of that blog. PS: "love" how they use the word "blog" to refer to individual articles, rather than the entire thing. And I don't really mean "love".
c
The home page would be that URL you shared above. Again it's got a "recent blogs" section, though I'm not a fan of it being "down the page" from other sections. Horses for courses, I realize. As for your last point, I don't quite get your meaning (be gentle... I've only had a few hours sleep!)
p
@carehart Let me check and find out the root cause.
a
@carehart I cannot find a way to get to https://coldfusion.adobe.com/2023/03/released-coldfusion-2021-and-2018-march-2023-security-updates/ from https://coldfusion.adobe.com/. A blog is such an easy and ubiquitous concept. How have Adobe managed to screw up something this fundamental? As to my second point, "blog" is a collective noun. You have a blog, I have a blog, the Adobe CF team has a blog. A blog comprises multiple blog articles / posts / documents / whatever you want to call it. So the word "blogs" is a term for more than one collection of articles. e.g.: "the blogs I follow are Charlie's, Ben's and Adam's" (three blogs, hence plural). Adobe, on the other hand, refer to each article on the blog as "blogs", which sounds... daft. It's the sort of thing someone who knows nothing about blogs or technology at all might say. Hrm.

https://i.paste.pics/be01a699665304a70771a72a46390b2c.png

Is it a big issue? No, not at all. Does it make them seem just a little bit more like a bunch of cowboys who don't know what they're doing? Yes. Yes it does.
b
A quick possible update on this. Security company Rapid7 has a blog post from today regarding some observed recent ColdFusion exploitation details and Indicators of Compromise (e.g., observed files, observed domains). It's definitely worth checking your systems and logs for these IOCs. At this time, they have not tied the activity to any specific CVEs -- https://www.rapid7.com/blog/post/2023/03/21/etr-rapid7-observed-exploitation-of-adobe-coldfusion/
c
Those are the RESULT of the hack that the recent update addresses, and which my blog post discusses: indeed it's the second aspect of the hack, where I said that files could be created that included a CFML shell that could do all kinds of untoward things, now web-accessible. They are showing their observation of the file HAVING BEEN created, and how the cfexecute led to it. But I am willing to bet that those who found such files placed there were not yet updated---and if they DID update then they would no longer be able to have those readily executed via the "specifically crafted URL" I mentioned in my post. I didn't (in my post) elaborate on those details, because that's kind of the tail wagging the dog. The vuln that ALLOWED it to happen was the first priority, the Adobe update was the second. The block I offered (for those not on CF2021 or 2018) was the third. And then the fourth was (as I said) that if the bad guys DID get the file on the server, that file could do all sort of nasty things. Of course, they WOULD want to deal with such files. I didn't elaborate on where one may find it, but I did discuss it a bit, saying for example that the cfusion/wwwroot was a common place they'd put them. But they could put them anywhere (that CF could write to), so I didn't want to give a false sense of security to look there. I did recommend people do a compare of their code to any good working version (git, local copy), and I recommended they could look for files updated since the day they may find the other "evidences" I shared. But yeah, it's all nasty. Get that update in place, folks. Or the blocks of the _cfclient query string var I discuss in the post.
šŸ‘ 1
r
Thanks for sharing that and for the additional follow-up, @Brian Reilly and @carehart. Definitely helpful to have information like this available for post-patching review.
b
Thanks for the confirmation @carehart. That blog post mentioned the activity going back to Jan 2023
c
What's unfortunate is that the Adobe update technote and PSIRT security bulletin, and even the CVEs, don't give enough detail for folks to really understand the ramifications of the hack. That's why I wrote the post--but at 14 pages (printed) I was already pressed to not say "much more" (or much less). And sadly those rapid7 folks probably never read my post to connect the dots, if they may have.
Brian, I found the vuln having happened as early as Dec 2022, and mentioned that in my post. That was in studying the evidence on a server where I found such a file having been created in March. That's when I reported it to Adobe.
🙌 1
❤️ 1
b
And thanks again for your blog post @carehart - it was excellent, detailed, and helpful
➕ 2
❤️ 1
a
That all reads a bit disingenuously... as if they're the ones that discovered this.
j
I found a wow file with cmd.exe code in it on March 9th on a client server. @#$%@#. Wish I would have had this info sooner.
b
A detailed analysis of the vulnerability and the underlying vulnerable components has been published here - https://attackerkb.com/topics/1iRdvtUgtW/cve-2023-26359/rapid7-analysis?referrer=notificationEmail
c
It's certainly an interesting effort they've done. The attack effort they conclude is indeed something quite different from what the hackers I saw did (though what they've shown is bad enough). Some will benefit from their effort, sure, but of course some will also use it to effect perpetration. I was careful NOT to show the "how", but we can't control what others may say and do. Anyway, thanks for the heads up.
šŸ‘ 1