Bird_banner_small4
Adobe ColdFusion DataServicesCFProxy Insecure Deserialization
TSL ID TSL20171019-05
CVE ID(s) CVE-2017-11283
Severity Critical
Description

An insecure deserialization vulnerability has been reported in the Flex integration service of Adobe ColdFusion. The vulnerability is due to the lack of input validation on the RMI method parameters of the DataServicesCFProxy class.

A remote, unauthenticated attacker can exploit this vulnerability by sending a maliciously crafted serialized parameter to the target application via a RMI call. Successful exploitation could result in arbitrary code execution in the context of SYSTEM.

The vendor, Adobe, has released an advisory regarding these vulnerabilities:

https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html

Affected Products
  • Adobe Systems ColdFusion 11 prior to update 13
  • Adobe Systems ColdFusion 2016 release prior to update 5
CVSS Score Base 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C):
  • Access vector is NETWORK
  • Access complexity is LOW
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is COMPLETE
  • Impact of this vulnerability on data integrity is COMPLETE
  • Impact of this vulnerability on data availability is COMPLETE
Temporal 7.4 (E:U/RL:OF/RC:C):
  • The exploitability level of this vulnerability is UNPROVEN
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
References https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html
https://nickbloor.co.uk/2017/10/13/adobe-coldfusion-deserialization-rce-cve-2017-11283-cve-2017-11238/
Related Threats