The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) Catalog by adding two critical vulnerabilities, both actively being exploited in the wild. These vulnerabilities, related to Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM), have been identified as security risks to federal agencies and organizations worldwide.
The vulnerabilities in question are CVE-2017-3066, a deserialization vulnerability affecting Adobe ColdFusion, and CVE-2024-20953, a similar vulnerability found within Oracle’s Agile PLM. Deserialization vulnerabilities, such as these, occur when untrusted data is used by a program to reconstruct an object or other data structure. Malicious actors often exploit these flaws to execute arbitrary code, potentially compromising systems.
CVE-2017-3066: Adobe ColdFusion Deserialization Vulnerability
CVE-2017-3066 refers to a Java deserialization vulnerability within the Apache BlazeDS library in Adobe ColdFusion. This vulnerability is particularly prevalent in older versions of ColdFusion, including ColdFusion 2016 Update 3 and earlier, ColdFusion 11 Update 11 and earlier, and ColdFusion 10 Update 22 and earlier. Adobe confirmed that the vulnerability could allow remote attackers to execute arbitrary code on the affected systems if successfully exploited.
For organizations running these older versions of Adobe ColdFusion, the risk is significant. Exploiting this deserialization vulnerability could enable attackers to gain unauthorized access to sensitive data or control over the affected systems. The vulnerability was discovered by Moritz Bechler of AgNO3 GmbH & Co. KG and was subsequently addressed by Adobe with security hotfixes. These updates mitigate the Java deserialization vulnerability by updating the Apache BlazeDS library, effectively patching the flaw.
Adobe issued hotfixes to resolve the issue, which are highly recommended for customers using vulnerable versions of ColdFusion. Users are advised to upgrade to ColdFusion 2016 Update 4, ColdFusion 11 Update 12, or ColdFusion 10 Update 23. These updates can be found in Adobe’s technical notes, which also contain security configuration guidelines for enhancing system protection.
CVE-2024-20953: Oracle Agile PLM Deserialization Vulnerability
Another addition to the CISA catalog is CVE-2024-20953, a vulnerability found in Oracle’s Agile Product Lifecycle Management (PLM) system. Oracle published this vulnerability on February 17, 2024, and it affects Agile PLM version 9.3.6. This deserialization vulnerability is especially concerning, as it is easily exploitable by low-privileged attackers with network access via HTTP. Successful exploitation of CVE-2024-20953 could lead to the complete takeover of the Oracle Agile PLM system, giving attackers the ability to manipulate data, compromise confidentiality, integrity, and availability, and potentially cause severe operational disruptions.
With a CVSS (Common Vulnerability Scoring System) score of 8.8, this vulnerability is classified as high severity, impacting not only the confidentiality and integrity of the system but also its availability. Exploits targeting this vulnerability could result in disastrous consequences, especially in environments where Oracle Agile PLM plays a central role in managing supply chains, product lifecycles, and other critical business functions.
Oracle strongly urges users to apply available patches provided in their Critical Patch Update released in January 2024. As is the case with many security flaws, Oracle emphasizes the importance of keeping systems updated and recommends that customers ensure their installations are patched to prevent exploitation. Organizations using older or unsupported versions of Oracle Agile PLM are at heightened risk and should prioritize upgrading to more secure versions.
The Significance of Deserialization Vulnerabilities
Both CVE-2017-3066 and CVE-2024-20953 highlight the growing threat posed by deserialization vulnerabilities. These flaws allow attackers to inject malicious data into the deserialization process, enabling them to gain unauthorized access to systems, execute malicious code, or escalate their privileges. As demonstrated by both Adobe ColdFusion and Oracle Agile PLM, these types of vulnerabilities are widespread in various industries and software products.
Deserialization vulnerabilities are particularly dangerous because they often allow attackers to bypass traditional security defenses, such as input validation. Since these vulnerabilities are commonly exploited remotely, they represent a critical threat to both private and governmental organizations, particularly in environments that rely on enterprise-level solutions like ColdFusion or Agile PLM.
Conclusion
To mitigate the risks posed by CVE-2017-3066 and CVE-2024-20953, organizations must prioritize security best practices, such as regularly applying security patches provided by Adobe and Oracle, monitoring network traffic for suspicious activity, educating staff about safe practices, implementing strong access controls to protect sensitive data, and staying up-to-date with CISA’s Known Exploited Vulnerabilities Catalog.
As cyberattacks continue to target industries, protecting systems from these vulnerabilities should be a top priority. By following these strategies, organizations can reduce the likelihood of exploitation and minimize potential damage from attacks on affected products like Adobe ColdFusion and Oracle Agile PLM.