This message was deleted.

This update addresses a zero-day exploit recently posted live that concerns the following CWEs: 284, 502, 307.

No corresponding update for CF 2018?

It is for CF2018, CF2021 & CF2023

Glorious.

Here is the link for 2018 https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-updates.html

My boss just asked me this:

do you know if php has this many [security updates]? or python?

Anyone?

Way more. Monthly. These issues also affect PHP, by the way. As well as JavaScript, etc. Java. They are not CF specific.

@Mark Takata (Adobe) FYI - the "APSB23-41" link is broken on this page https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-updates.html goes to a 404

yeah, I think it is the correct url, the page was just not published yet

Thanks for sending that alert email @foundeo :D

@Mark Takata (Adobe) "following CWEs: 284, 502, 307." weren't those the same in the earlier update? I'm confused.

someone is working on the link, yes.

Are there new CVEs? I don't see any listed. Is this like a 'everything is on fire on Friday at 4pm' update or can this wait til Monday?

Here's the link for 2023. Either I'm blind or that wasn't posted. https://helpx.adobe.com/coldfusion/kb/coldfusion-2023-update-2.html

Sorry, we're kind of trying to build a house on the back of a moving semi-truck right now. This is a critical update that just got released and we are hoping awareness of the issue and release of the update > perfect messaging. We'll the pages updated and all that, the important thing is to apply the patch

But it's difficult to tell security folks to 'just apply it - it will be ok' LOL

Every environment is different. You need to balance your own situation against the severity of the issue. As I said, we're working on improving items here, but there's a lot of movement behind the scenes.

Thanks for getting updates out quickly when they matter. I'd take an update every day if it meant our customers were not compromised by holding back. Just might ask for a better process ;)

Thanks Chris, we're aligned on that. 🙂

Yeah - it's unfortunate timing (late on a Friday) and lack of information - I don't think I've even gotten the usual update email from Adobe yet... going to be a fun weekend and Monday for a lot of folks I guess.

Thanks for the clearer Java update notice this time. 👍🏻

APSB page is loading now: https://helpx.adobe.com/security/products/coldfusion/apsb23-41.html

For a LOT of people Jim. THANK YOU PETE!! ❤️ ❤️

Wait... there's Adobe update emails? How do I get on that?

New CVE but no details yet https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38203

the CVE database takes a while before it gets updated sometimes, wouldn’t be surprised if it doesn’t make it in there until Monday

The original blog post is down now, but CVE-2023-38203 is another deserialization vulnerability. The PoC exploit looks similar to the ones for CVE-2023-26360, from APSB23-25 in March, except this one passes a malicious serialized object in a WDDX packet vs in a JSON object. I have no inside knowledge, but it looks like in the course of investigating CVE-2023-29300, they though they had reproduced the bug, blogged about it, but it turned out to me an entirely new vulnerability.

yeah — that’s exactly what I think happened too Brian - no inside info either, but I think they thought their vulnerability was patched on Tuesday, and it wasn’t so they made the exploit public (my 2 cents)

The blog was presented as a reproduction of CVE-2023-29300 and it sounded like they were testing against CF2021 U6. (I assumed they took the blog offline when they became aware it was an unpatched vuln)

There is confusing language again around the JDK updates: "Applying the ColdFusion update without a corresponding JDK update will NOT secure the server. See the relevant Tech Notes for more details." So is there a "corresponding JDK update" associated with this update? Or should this say "the latest JDK update" ie for Java 11 - 11.0.19??

Slack is not allowing me to edit. 😞