Yes, this is shocking. Yes, unless there's a good explanation, I can understand how many would feel "someone on the CF team should be flogged". Don't shoot me: I'm just the messenger. I don't work for Adobe.
But I will add that in this post, besides sharing news about the update (and doing more than JUST pointing to it), I also offer an ADDITIONAL "fix" that some will want to consider, to go BEYOND what this update addresses. See the section on "blocking the _cfclient query string" below.
Read on for more, where I cover:
- Finding more info on this update
- A suggestion on blocking the _cfclient query string
- News for those doing manual offline installs: this update DOES have a zip
- As for doing a Java update along with this update
- CF2018 WAS indeed also updated
Finding more info on this update
As with the last two updates (which I blogged about first on Tuesday and then on Friday), you can find the links to the specific updates (CF2023 update 3, CF2021 update 9, and CF2018 update 19) in the security bulletin, APSB23-47, as well as in a forum post from Adobe.
Of course, you can also see the update in your CF Admin, if it's set to "check for updates" or you click the button there for that.
Like the last two, this one also solves "critical and moderate vulnerabilities that could lead to arbitrary code execution and security feature bypass." And the bulletin adds that "Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion." There is no further detail that I know of.
Though I will add that there have been various articles in the security press about these recent CF vulnerabilities. One is this, from Rapid7, from the 17th (two days ago, so before the update today): Active Exploitation of Multiple Adobe ColdFusion Vulnerabilities. It was updated today to indicate that "Adobe released a fix for the patch bypass of CVE-2023-29298 on July 19 and assigned it CVE-2023-38205. Rapid7 has confirmed the new patch works."
A suggestion on blocking the _cfclient query string
Before leaving it at that, though (regarding "the vulnerability being fixed"), one thing to note in that Rapid7 article is that they show the exploit being perpetrated using the same _cfclient querystring that had been at the root of the March 2023 CF security update (update 6 for CF2021 and update 16 for CF2018; CF2023 had not come out yet, but it does incorporate that update).
Anyway, in my own blog post elaborating on that March vuln (and update), I noted how this _cfclient querystring arg is NOT something that most CF shops need to support.
To be clear, that has NOTHING TO DO WITH CF CLIENT VARIABLES. Instead, this use of a _cfclient querystring value was something added in support of (and intended to be used only by) the CF Mobile functionality (like the cfclient tag) added in CF11. Virtually no one ever implemented that or is still using it. As such, for most people there is NO LEGITIMATE reason to let CF even PROCESS A REQUEST that includes that _cfclient querystring. (There is much more that can be added on that querystring, or sent with a POST, which is where the vulns are happening.)
Could CF just block it? Yes, Adobe could, but they do not. Perhaps soon they will consider that. Until then, could you? Should you? I would argue that yes, if you don't want to wait for Adobe to find and fix each little vuln that is perpetrated using this as its starting point, you should just block it. (If you may have legitimate uses of the CF Mobile feature, then no, you cannot just block it.)
In my post from March, I discussed this in more detail, in a section of the post I labelled "How to protect yourself if you need time to get the update deployed, or are on CF2016 or 11?". There I discuss both how to search your web server logs for any uses of that querystring (such as to determine whether it's used regularly by your app, or only in attempts to break in), as well as how to block use of that querystring in the common web servers CF supports, IIS and Apache.
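As an added example (my own, not from the post, from the author's March post, or from Adobe), here is a small POSIX shell script that does the log-triage half of that advice and tests the match a block rule would use. The access-log lines in it are constructed for the example, and the Apache mod_rewrite rule quoted in the comments is an assumed equivalent of the regex, not the author's own IIS/Apache rules. It matches `_cfclient` only as a query-parameter NAME (so a page that happens to mention cfclient in its path, or a value of `_cfclient`, is not flagged) and also catches the percent-encoded form `%5Fcfclient`, since CF decodes parameter names before using them.

```shell
#!/bin/sh
# Added example, not from the post or from Adobe: triage access logs for the
# _cfclient query-string parameter and test the match a block rule would use.
# The sample log lines below are constructed for this example.

# Match "_cfclient" as a query-parameter NAME (preceded by ? or &), with the
# underscore either literal or percent-encoded (%5F). Case-insensitive via -i.
CFCLIENT_RE='[?&](_|%5[fF])cfclient(=|&|[[:space:]]|$)'

# Return 0 if a request target (path plus query string) carries _cfclient.
# An Apache mod_rewrite equivalent (assumed here, not the author's rule):
#   RewriteEngine On
#   RewriteCond %{QUERY_STRING} (^|&)(_|%5F)cfclient [NC]
#   RewriteRule .* - [F]
# (%{QUERY_STRING} is not URL-decoded, hence the explicit %5F alternative.)
is_cfclient_request() {
    printf '%s\n' "$1" | grep -Eiq "$CFCLIENT_RE"
}

# Print every access-log line whose request target carries _cfclient.
# A value sent only in a POST body never appears in the access log, so this
# (like a query-string block rule) does not see POST-body use.
list_cfclient_hits() {
    grep -Ei "$CFCLIENT_RE" "$1" || true
}

# Count such lines (prints 0 with exit status 0 when there are none).
count_cfclient_hits() {
    grep -Eic "$CFCLIENT_RE" "$1" || true
}

# Constructed sample log in Apache combined format. IIS W3C logs can be
# scanned the same way; the query string is in the cs-uri-query field there.
make_sample_log() {
    cat <<'EOF'
203.0.113.10 - - [19/Jul/2023:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [19/Jul/2023:10:01:05 +0000] "GET /index.cfm?_cfclient=true HTTP/1.1" 200 210 "-" "curl/8.1"
203.0.113.11 - - [19/Jul/2023:10:01:09 +0000] "GET /app/api.cfc?method=list&_cfclient=true HTTP/1.1" 500 98 "-" "python-requests/2.31"
203.0.113.12 - - [19/Jul/2023:10:02:11 +0000] "GET /index.cfm?%5Fcfclient=1 HTTP/1.1" 200 210 "-" "curl/8.1"
203.0.113.13 - - [19/Jul/2023:10:03:00 +0000] "GET /index.cfm?client=_cfclient HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.13 - - [19/Jul/2023:10:03:30 +0000] "GET /docs/cfclient_tag.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.14 - - [19/Jul/2023:10:04:00 +0000] "POST /index.cfm HTTP/1.1" 200 210 "-" "curl/8.1"
EOF
}

# Demo: write the constructed log to a temp file and report the hits (3 here).
SAMPLE_LOG="$(mktemp)"
make_sample_log > "$SAMPLE_LOG"
echo "_cfclient hits: $(count_cfclient_hits "$SAMPLE_LOG")"
list_cfclient_hits "$SAMPLE_LOG"
rm -f "$SAMPLE_LOG"
```

Point `list_cfclient_hits` at a real access log to see whether your app ever sends `_cfclient` legitimately before you add a block rule. Two caveats a practitioner will want: as the post itself notes, the same data can arrive in a POST body, which neither an access log nor a query-string rule sees; and a rule in IIS or Apache only covers requests that pass through that web server, so it does nothing for requests that reach CF's built-in web server port directly if that port is exposed.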
I can help directly with this, of course.
News for those doing manual offline installs: this update DOES have a zip
For those doing a manual offline install: UNLIKE the last two updates (the ones for CF2021 and CF2023, specifically), Adobe is offering with this update a zip (holding a complete repo for use by the update mechanism and/or the CFPM tool), where the previous two updates offered only the jar.
Some people were encountering challenges doing the past two updates when they were running their CF on a machine that had no internet connection. Things SHOULD go more smoothly with this update. See the update technotes for info on handling such a manual offline update, for all 3 CF versions (but again this zip approach applies only to CF2021 and CF2023, not CF2018.)
As for doing a Java update along with this update
Two points to be made here, one new since the last two updates...
First, of interest to some readers: note that this newer APSB security bulletin (like the last one) changes its wording (compared to the first one last week) about the need for a Java update. It (correctly) no LONGER suggests Java 17 (which, as I discussed in my first post, was INAPPROPRIATE for those on CF2021 or 2018). It now reads, "Adobe recommends updating your ColdFusion JDK/JRE LTS version to the latest update release." It then goes on to say "Check the ColdFusion support matrix below for your supported JDK version", and offers links to those.
I discuss more about this matter in my post on the first update last week.
Second, note also that since then a new JVM update has come out, July 18, and I posted on that last night. In there, I also clarify what JVM versions are supported by what CF versions. (And yes, crazy that we have to deal with a Java update as well. At least those are scheduled and quarterly.)
CF2018 WAS indeed also updated
Finally, as for CF2018: while the first update last week was to be its LAST update (its end-of-life date was in fact July 13), Adobe did kindly offer a CF2018 update both on Friday the 14th and today, the 19th. Unless still more come in the coming days, we really should expect THIS update to be the last for CF2018 (and folks should be getting OFF of CF2018. That's not new information: the last blog post I shared on it was from January, and Adobe publishes the end-of-life date on a page linked in that post).
Conclusion and other thoughts
Again, if you are finding this update (and my post) and you had NOT yet read the post I did on Tuesday the 11th, I recommend you do. It will give you some useful context. Same with the shorter post on Friday the 14th. Check out also the comments there, though I do try to keep the posts updated with any critical info.
As with those first two, I'm afraid there's no further information I can offer beyond what's in Adobe's resources on this update. I'm just posting this for the sake of readers of my blog. (Some people may not log into the admin or set up any of the various ways to be otherwise notified when an update is released. I am planning to do a post on helping you with other options there, if I could come up for air!)
But like the last ones, if I learn anything interesting, I will update this post (or add comments). And as always, if you would like help preparing for, implementing, or dealing with problems after performing these updates, I am available for online remote consulting. More on my rates, approach, satisfaction guarantee, online calendar, and more at carehart.org/consulting.