Critical deserialization bugs in Adobe, Oracle software actively exploited, warns CISA
In a 2018 blog post, Code White researchers detailed vulnerabilities in Adobe ColdFusion (versions 11 and 12), focusing on deserialization issues within the Action Message Format (AMF) used by ColdFusion for data exchange. Before CVE-2017-3066, they had discovered, ColdFusion lacked class whitelisting, allowing attackers to exploit java.io.Externalizable for remote code execution.
CISA did not disclose specific details of exploitation for security reasons, waring all organizations to promptly patch vulnerable systems against potential threats.
Oracle Agile PLM flaw open to N-days
The other vulnerability, fixed in January 2024, is a high severity (CVSS 8.8/10) flaw in the export component of the Oracle’s PLM software, and stems from the improper handling of serialized data. It’s tracked as CVE-2024-20953. Successful exploitation could enable a low-privileged attacker with network access via HTTP to execute arbitrary codes, potentially allowing full system takeover.
