CISA is warning Adobe and Oracle customers about in-the-wild exploitation of critical vulnerabilities affecting the services of these leading enterprise software providers.
The US cybersecurity watchdog added vulnerabilities in Adobe ColdFusion (CVE-2017-3066) and Oracle Agile Product Lifecycle Management (PLM) (CVE-2024-20953) to its known exploited vulnerabilities (KEV) catalog on Monday.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in the advisory.
Deserialization demons still haunt Adobe web development
The Adobe ColdFusion flaw flagged by CISA is an old Java deserialization bug in the Apache BlazeDS library, which received a critical severity rating of CVSS 9.8 out of 10 because it enables arbitrary code execution.
Adobe disclosed CVE-2017-3066 in April 2017 along with hotfixes for all the affected versions, including Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier.
“These hotfixes include an updated version of the Apache BlazeDS library to mitigate the Java deserialization vulnerability,” Adobe said in an advisory at the time.
In a 2018 blog post, Code White researchers detailed deserialization vulnerabilities in Adobe ColdFusion (versions 11 and 12) within the Action Message Format (AMF) that ColdFusion uses for data exchange. They found that, before CVE-2017-3066 was fixed, ColdFusion applied no class whitelisting to the deserialized data, so an attacker could supply a class implementing java.io.Externalizable and achieve remote code execution.
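The Code White findings come down to one missing control: an allow-list of classes the deserializer may instantiate. The following Java program is an added example (not code from Adobe, Oracle or Code White) showing the standard JDK mechanism for that control, an ObjectInputFilter that accepts only a constructed ProductRecord type plus a few JDK value classes and rejects every other class; the class and field names are assumptions for illustration.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Set;

public class AllowListDeserializer {
    // Constructed record type standing in for an application's own data class.
    public static class ProductRecord implements Serializable {
        final String name; final int revision;
        ProductRecord(String name, int revision) { this.name = name; this.revision = revision; }
    }

    // Allow-list: the only classes the stream may instantiate. Any other class,
    // including a gadget class that happens to be on the classpath, is rejected.
    private static final Set<String> ALLOWED = Set.of(ProductRecord.class.getName(),
            String.class.getName(), Integer.class.getName(), Number.class.getName());

    // JEP 290 filter (Java 9+): consulted for every class descriptor and array in the stream.
    static ObjectInputFilter allowListFilter() {
        return info -> {
            if (info.depth() > 8 || info.references() > 256)
                return ObjectInputFilter.Status.REJECTED;           // bound graph depth and size
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED;  // size/depth-only callback
            while (c.isArray()) c = c.getComponentType();            // decide on the element type
            return (c.isPrimitive() || ALLOWED.contains(c.getName()))
                    ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Deserialize untrusted bytes with the allow-list filter installed on this stream.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowListFilter());
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ProductRecord ok = (ProductRecord) deserialize(serialize(new ProductRecord("widget", 3)));
        System.out.println("accepted: " + ok.name + " rev " + ok.revision);
        try {
            deserialize(serialize(new HashMap<String, String>()));   // HashMap is not on the list
            System.out.println("BUG: HashMap was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());       // "filter status: REJECTED"
        }
    }
}
```

The same policy can be applied process-wide with the `jdk.serialFilter` system property, which is the practical route for code (such as a third-party AMF library) whose streams you do not construct yourself.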
CISA did not disclose specific details of the exploitation for security reasons, warning all organizations to promptly patch vulnerable systems against potential threats.
Oracle Agile PLM flaw open to N-days
The other vulnerability, tracked as CVE-2024-20953 and fixed in January 2024, is a high-severity (CVSS 8.8/10) flaw in the export component of Oracle’s PLM software that stems from improper handling of serialized data. Successful exploitation could enable a low-privileged attacker with network access via HTTP to execute arbitrary code, potentially allowing full system takeover.
The flaw affects Oracle Agile PLM version 9.3.6 and was fixed in Oracle’s January 2024 Critical Patch Update. Although immediate patching was strongly recommended for complete protection, Oracle also described a workaround as an interim measure.
“Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack,” Oracle said in an advisory. “For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack.”
CISA’s update highlights the importance of promptly patching critical deserialization vulnerabilities that can enable complete system takeover.
In another instance of obvious advice that is nevertheless not always followed, the federal agency recently described buffer overflow flaws in code as “unforgivable,” given their severity and the fact that most of them can be avoided by the straightforward practice of shifting to memory-safe languages.
Federal Civilian Executive Branch (FCEB) networks, the non-military federal government networks managed by civilian agencies in the US, have been urged to promptly patch the newly listed vulnerabilities under the BOD 22-01 directive.