Security Alert: Critical Flaws in Adobe ColdFusion and Oracle’s PLM Software
Adobe ColdFusion Deserialization Issues
In a 2018 blog post, Code White researchers detailed vulnerabilities in Adobe ColdFusion (versions 11 and 12), focusing on deserialization issues within the Action Message Format (AMF) used by ColdFusion for data exchange. Before CVE-2017-3066, they had discovered that ColdFusion lacked class whitelisting, allowing attackers to exploit java.io.Externalizable for remote code execution.
Exploitation and Mitigation
CISA did not disclose specific details of exploitation for security reasons, warning all organizations to promptly patch vulnerable systems against potential threats.
Oracle Agile PLM Flaw Open to N-Days
Serialization Flaw in Oracle’s PLM Software
The other vulnerability, fixed in January 2024, is a high-severity (CVSS 8.8/10) flaw in the export component of Oracle’s PLM software, and stems from the improper handling of serialized data. It’s tracked as CVE-2024-20953. Successful exploitation could enable a low-privileged attacker with network access via HTTP to execute arbitrary code, potentially allowing full system takeover.
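Both flaws above come down to a service deserializing untrusted input without restricting which classes may be instantiated. As an added example (not code from Adobe, Oracle, or the researchers cited here), this shows the class allowlisting that ColdFusion lacked, applied with the JDK's built-in ObjectInputFilter (JEP 290); the ExportRequest and Unexpected classes are constructed for the demonstration.

```java
import java.io.*;

// Added example: allowlist the classes a service expects and reject everything else,
// including any java.io.Externalizable type the application never intended to accept.
public class AllowlistDeserialization {

    // A record type the service legitimately exchanges (constructed for this example).
    public static final class ExportRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String documentId;
        ExportRequest(String documentId) { this.documentId = documentId; }
    }

    // A class the service never expects on the wire. It is harmless here; the point is
    // that the filter rejects it by name before readExternal() is ever reached.
    public static final class Unexpected implements Externalizable {
        public Unexpected() {}
        public void writeExternal(ObjectOutput out) throws IOException {}
        public void readExternal(ObjectInput in) {}
    }

    // Allow only our request type plus JDK classes in the java.base module; "!*" rejects the rest.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "AllowlistDeserialization$ExportRequest;java.base/*;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Returns the object on success, or null when the filter rejected a class in the stream.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        } catch (InvalidClassException rejected) {
            // Thrown with "filter status: REJECTED" for any class outside the allowlist.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        Object ok = deserializeFiltered(serialize(new ExportRequest("doc-42")));
        Object blocked = deserializeFiltered(serialize(new Unexpected()));
        System.out.println("allowed: " + (ok != null) + ", blocked: " + (blocked == null));
    }
}
```

A rejected stream surfaces as an InvalidClassException, so logging those events gives a cheap detection signal for probing against the deserialization endpoint.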
Impact and Mitigation
Organizations using Oracle’s PLM software are advised to patch the vulnerability as soon as possible to prevent potential exploitation. It is crucial to ensure that all systems are fully updated with the latest security patches to avoid any potential risks.
Conclusion
The vulnerabilities in Adobe ColdFusion and Oracle’s PLM software highlight the importance of regular security updates and patching. It is essential for organizations to prioritize security and take proactive measures to protect their systems from potential threats. By staying informed and taking prompt action, organizations can minimize the risks associated with these vulnerabilities and ensure the security of their systems.
FAQs
Q: What is Adobe ColdFusion?
A: Adobe ColdFusion is a web application server software that enables developers to build dynamic websites and web applications.
Q: What is the CVSS score for the Adobe ColdFusion vulnerability?
A: The CVSS score for the Adobe ColdFusion vulnerability is not publicly disclosed for security reasons.
Q: What is the CVSS score for the Oracle PLM software vulnerability?
A: The CVSS score for the Oracle PLM software vulnerability is 8.8/10, indicating a high severity rating.
Q: How can organizations protect themselves from these vulnerabilities?
A: Organizations can protect themselves by ensuring that all systems are fully updated with the latest security patches, implementing robust security measures, and conducting regular security audits and risk assessments.
Q: How can I report a security vulnerability to Adobe or Oracle?
A: Adobe and Oracle have established procedures for reporting security vulnerabilities. You can find more information on their respective websites.