Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws impacting Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities in question are listed below - CVE-2017-3066 (CVSS score: 9.8) - A deserialization vulnerability impacting
Analysis Summary
# Vulnerability: Actively Exploited Flaws in Adobe ColdFusion and Oracle Agile PLM
## CVE Details
- CVE ID: CVE-2017-3066 and CVE-2024-20953
- CVSS Score: 9.8 (CVE-2017-3066, Critical), 8.8 (CVE-2024-20953, High)
- CWE: Deserialization Vulnerability (Implied for both)
## Affected Systems
- Products:
  - Adobe ColdFusion (affected by CVE-2017-3066)
  - Oracle Agile Product Lifecycle Management (PLM) (affected by CVE-2024-20953)
- Versions: Not explicitly listed in the summary, but the fixes indicate prior versions.
- Configurations: For CVE-2024-20953, exploitation requires network access via HTTP.
## Vulnerability Description
**CVE-2017-3066 (Adobe ColdFusion):** A deserialization vulnerability present in the Apache BlazeDS library component of Adobe ColdFusion, which can lead to arbitrary code execution.
**CVE-2024-20953 (Oracle Agile PLM):** A deserialization vulnerability that allows a low-privileged attacker with network access via HTTP to compromise the system.
Both vulnerabilities are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
## Exploitation
- Status: Actively Exploited (As per CISA KEV listing)
- Complexity: Not detailed in the summary; deserialization flaws of this kind typically require only **Low** to **Medium** attack complexity to achieve network-based remote code execution.
- Attack Vector: Network (for CVE-2024-20953, requiring network access via HTTP).
## Impact
- Confidentiality: Not specified in the summary; likely High if remote code execution is achieved.
- Integrity: Not specified in the summary; likely High if remote code execution is achieved.
- Availability: Not specified in the summary; likely High if remote code execution is achieved.
## Remediation
### Patches
- **CVE-2017-3066 (Adobe ColdFusion):** Fixed in April 2017 (Referenced advisory: apsb17-14).
- **CVE-2024-20953 (Oracle Agile PLM):** Fixed in January 2024 (Referenced advisory: cpujan2024).
Users are strongly advised to apply the updates released by the respective vendors. Federal agencies have a deadline of March 17, 2025, to secure their networks against these threats.
### Workarounds
- No specific workarounds are mentioned in the provided text, other than applying the available patches.
## Detection
- No detection guidance specific to these two CVEs is provided, beyond CISA's confirmation that there is evidence of active exploitation.
## References
- CISA KEV Catalog (Defanged: hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- CVE-2017-3066 Record (Defanged: hxxps://www.cve.org/CVERecord?id=CVE-2017-3066)
- Adobe Security Advisory APSB17-14 (Defanged: hxxps://helpx.adobe.com/security/products/coldfusion/apsb17-14.html)
- CVE-2024-20953 Record (Defanged: hxxps://www.cve.org/CVERecord?id=CVE-2024-20953)
- Oracle Security Alert (Defanged: hxxps://www.oracle.com/security-alerts/cpujan2024.html)