{"id":2084,"date":"2025-02-25T13:00:07","date_gmt":"2025-02-25T13:00:07","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2084"},"modified":"2025-02-25T13:00:07","modified_gmt":"2025-02-25T13:00:07","slug":"critical-deserialization-bugs-in-adobe-oracle-software-actively-exploited-warns-cisa","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2084","title":{"rendered":"Critical deserialization bugs in Adobe, Oracle software actively exploited, warns CISA"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>CISA is warning Adobe and Oracle customers about in-the-wild exploitation of critical vulnerabilities affecting the services of these leading enterprise software providers.<\/p>\n<p>The US cybersecurity watchdog added vulnerabilities in Adobe ColdFusion (CVE-2017-3066) and Oracle Agile Product Lifecycle Management (PLM) (CVE-2024-20953) to its known exploited vulnerabilities (KEV) catalog on Monday.<\/p>\n<p>\u201cThese type of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,\u201d CISA said in the advisory.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Deserialization demons still haunt Adobe web development<\/h2>\n<p>The Adobe ColdFusion flaw flagged by CISA is an old Java deserialization bug in the Apache BlazeDS library, which received a critical severity rating of CVSS 9.8 out of 10 because it enables arbitrary code execution.<\/p>\n<p>Adobe disclosed CVE-2017-3066 in April 2017 along with hotfixes for all the affected versions, including Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier.<\/p>\n<p>\u201cThese hotfixes include an updated version of the Apache BlazeDS library to mitigate the Java 
deserialization vulnerability,\u201d Adobe said in <a href=\"https:\/\/helpx.adobe.com\/security\/products\/coldfusion\/apsb17-14.html\">an advisory<\/a> at the time.<\/p>\n<p>In a 2018 <a href=\"https:\/\/codewhitesec.blogspot.com\/2018\/03\/exploiting-adobe-coldfusion.html\">blog post<\/a>, Code White researchers detailed vulnerabilities in Adobe ColdFusion (versions 11 and 12), focusing on deserialization issues within the Action Message Format (AMF) used by ColdFusion for data exchange. They had discovered that, before CVE-2017-3066, ColdFusion lacked class whitelisting, allowing attackers to exploit java.io.Externalizable for remote code execution.<\/p>\n<p>CISA did not disclose specific details of exploitation for security reasons, warning all organizations to promptly patch vulnerable systems against potential threats.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Oracle Agile PLM flaw open to N-days<\/h2>\n<p>The other vulnerability, fixed in January 2024, is a high-severity (CVSS 8.8\/10) flaw in the export component of Oracle\u2019s PLM software, and stems from the improper handling of serialized data. It\u2019s tracked as CVE-2024-20953. Successful exploitation could enable a low-privileged attacker with network access via HTTP to execute arbitrary code, potentially allowing full system takeover.<\/p>\n<p>The flaw affects Oracle Agile PLM version 9.3.6 and received a fix from Oracle in a January 2024 critical patch update. Although immediate patching was strongly recommended for complete protection, a workaround was also available for quicker relief.<\/p>\n<p>\u201cUntil you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack,\u201d Oracle said <a href=\"https:\/\/www.oracle.com\/security-alerts\/cpujan2024.html?utm_source=chatgpt.com\">in an advisory<\/a>. 
\u201cFor attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack.\u201d<\/p>\n<p>CISA\u2019s update highlights the importance of promptly patching critical deserialization vulnerabilities that can enable complete system takeover.<\/p>\n<p>In another example of offering obvious advice that is nevertheless not always followed, the federal agency <a href=\"https:\/\/www.csoonline.com\/article\/3823937\/cisa-fbi-call-software-with-buffer-overflow-issues-unforgivable.html\">recently described buffer overflow flaws<\/a> in code as \u201cunforgivable\u201d for their criticality and the fact that most of them can be avoided through the straightforward practice of shifting to memory safe languages.<\/p>\n<p>Federal Civilian Executive Branch (FCEB) networks, the non-military federal government networks managed by civilian agencies in the US, have been urged to promptly patch the latest vulnerabilities as per the <a href=\"https:\/\/www.csoonline.com\/article\/571567\/cisa-releases-directive-to-remediate-dangerous-vulnerabilities-across-civilian-agencies.html\">BOD 22-01<\/a> directive.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>CISA is warning Adobe and Oracle customers about in-the-wild exploitation of critical vulnerabilities affecting the services of these leading enterprise software providers. The US cybersecurity watchdog added vulnerabilities in Adobe ColdFusion (CVE-2017-3066) and Oracle Agile Product Lifecycle Management (PLM) (CVE-2024-20953) to its known exploited vulnerabilities (KEV) catalog on Monday. 
\u201cThese type of vulnerabilities are frequent [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2085,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2084","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2084"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2084"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2084\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2085"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2084"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2084"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2084"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}