hello all... from this scary article, it shows how insecure adobe products can be in places - now finally some details on last years wddx exploit... https://www.hoyahaxa.com/2023/11/critical-variable-mass-assignment.html as a hoster, we run many coldfusion servers, also with older versions. and as many customers upload their own webpages, we can't just update those webservers to the latest major version due to code incompatibilities. i know it is not ideal, but we can't code review hundreds of websites all the time (like every two or four years in adobe's short lifespan cycle) or just break the customer's webpages and let them worry about it. anyway, preferring not to get into this discussion, i just would like to ask the simple question: is there a way to fix this on cf2016 and cf2018 as well in some way? or some other smart method to prevent this attack vector? ideally it is something on server level - again because we are talking about hundreds of websites

Do you, as a hoster, control HTTP requests coming into your infrastructure? If so, you could disallow any requests that contain

argumentcollection

in the URL or POST parameters/body. Until that CVE appeared, I didn't even know you could do remote calls that way -- and I suspect it is not widely known/used.

Assuming you have a WAF installed, you could place any call to a CFC with the argumentCollection in the URL/FORM scope (or just do it for any request, as that should be safe). Yes, that could break some users code, but safety comes first.

One of those recs is to just turn off all remote CFC access which is likely to break more code that disallowing

argumentcollection

in requests...

URL & FORM come to mind.

Oh, ouch! Yes, I totally missed that those two were missing. LOCAL is on the list of scopes the patch says it checks for.

@lukasfrei Thanks for posting. This is my article and a vuln that I reported to Adobe. (And as an aside, I'll say that every application platform is going to have vulnerabilities, and Adobe has been responsive, easy to work work, and definitely takes security seriously.) And this vuln is probably different than the "last years wddx exploits" you refer to. In terms of widespread impact, these two are worse -- https://attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360/rapid7-analysis and https://blog.projectdiscovery.io/adobe-coldfusion-rce/. Based on those and other vulns, I feel pretty confident in saying it's very hard to adequately secure an older, not-latest CF instance. Those two vulns rely on remote access to any .cfc file, so if you're not blocking web access to all .cfc files, being “unexplainable” is very difficult. Plus there were a few other critical vulns patched in Adobe's latest updates. As for the mass assignment vulnerability specifically - that only applies to code directly within remote cfc methods. The Adobe patch only addresses it for the built-in CF scopes, so if your remote cfc method does something like

if user.role eq 'admin' ...

that custom “user” scope is something that could be overwritten on a vulnerable system. It’s definitely a case where code review is going to be required. It’s also a bug class that may be hard for an attacker to exploit without access to source code.