ColdFusion WDDX Deserialization RCE (CVE-2023-44353)
Description
Adobe ColdFusion contains a critical insecure deserialization vulnerability in its WDDX (Web Distributed Data eXchange) implementation. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted serialized WDDX payload to the server, leading to arbitrary code execution with the privileges of the ColdFusion application. This vulnerability affects ColdFusion 2023 (Update 5 and earlier) and ColdFusion 2021 (Update 11 and earlier).
Remediation
Immediately upgrade Adobe ColdFusion to a patched version as specified in Adobe Security Bulletin APSB23-52:
• For ColdFusion 2023: Upgrade to Update 6 or later
• For ColdFusion 2021: Upgrade to Update 12 or later
If immediate patching is not possible, implement the following temporary mitigations:
1. Restrict network access to ColdFusion administrative interfaces using firewall rules or access control lists
2. Monitor server logs for suspicious WDDX deserialization attempts
3. Disable WDDX functionality if not required for business operations
4. Apply web application firewall (WAF) rules to detect and block malicious serialized payloads
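The following is an added detection example supporting mitigation steps 2 and 4; it is not Adobe's code and is not taken from the security bulletin. It assumes the inspection point (a WAF, reverse proxy or request-logging hook) has access to the request body, since ordinary access logs do not record POST bodies, and the request records, paths and the struct type value it scans are constructed placeholders. The severity heuristic (a struct carrying an explicit `type` attribute outranks plain key/value data) is an assumption of this example, not a rule from the advisory.

```python
"""Flag inbound requests that carry a WDDX packet, for review by the SOC.

Added example: not Adobe's code and not part of the advisory. Assumes the
request body is available to the inspection point (WAF, reverse proxy or a
request-logging hook); the sample requests below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A WDDX packet is an XML document rooted at <wddxPacket>; match the opening tag
# case-insensitively so that casing tricks do not slip past the check.
WDDX_OPEN = re.compile(r"<\s*wddxPacket\b", re.IGNORECASE)
WDDX_CLOSE = re.compile(r"</\s*wddxPacket\s*>", re.IGNORECASE)


@dataclass
class Finding:
    request_id: str
    severity: str
    reason: str


def find_wddx_packet(body: str) -> Optional[str]:
    """Return the first <wddxPacket>...</wddxPacket> found in a request body.

    If the opening tag is present but no closing tag follows, the tail of the
    body is returned so that a truncated or malformed packet is still reported.
    """
    start = WDDX_OPEN.search(body)
    if not start:
        return None
    end = WDDX_CLOSE.search(body, start.start())
    return body[start.start():end.end()] if end else body[start.start():]


def analyse_packet(packet: str) -> Tuple[str, str]:
    """Classify a WDDX packet as (severity, reason).

    Heuristic (an assumption of this example): a <struct> element with an
    explicit 'type' attribute asks the deserializer to map the data onto a
    named type, so it is rated above plain string/number/array data. XML that
    will not parse is still rated medium, because malformed input aimed at a
    deserializer deserves a look.
    """
    try:
        root = ET.fromstring(packet)
    except ET.ParseError:
        return "medium", "unparseable WDDX packet in request body"
    typed = [el.get("type") for el in root.iter("struct") if el.get("type")]
    if typed:
        return "high", "struct with explicit type attribute: %s" % typed[0]
    return "low", "WDDX packet present in inbound request"


def scan_requests(requests: List[dict]) -> List[Finding]:
    """Run the packet check over request records shaped {id, method, path, body}."""
    findings = []
    for req in requests:
        packet = find_wddx_packet(req.get("body", ""))
        if packet is None:
            continue
        severity, reason = analyse_packet(packet)
        findings.append(Finding(req["id"], severity, "%s %s: %s" % (req["method"], req["path"], reason)))
    return findings


# Constructed sample traffic; paths and the type value are placeholders.
SAMPLE_REQUESTS = [
    {"id": "r1", "method": "GET", "path": "/index.cfm", "body": ""},
    {"id": "r2", "method": "POST", "path": "/app/endpoint.cfm",
     "body": "<wddxPacket version='1.0'><header/><data><string>hello</string></data></wddxPacket>"},
    {"id": "r3", "method": "POST", "path": "/app/endpoint.cfm",
     "body": "<wddxPacket version='1.0'><header/><data>"
             "<struct type='EXAMPLE_TYPE_PLACEHOLDER'><var name='x'><string>1</string></var></struct>"
             "</data></wddxPacket>"},
    {"id": "r4", "method": "POST", "path": "/app/other.cfm",
     "body": "<wddxPacket version='1.0'><data><struct"},
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print("[%s] %s %s" % (finding.severity.upper(), finding.request_id, finding.reason))
```

On a host where WDDX has been disabled under mitigation step 3, every finding is actionable regardless of severity; where WDDX remains in legitimate use, the low-severity hits give a baseline of normal traffic against which the high-severity ones stand out.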
After patching, verify the installation by checking the ColdFusion Administrator version number and reviewing Adobe's security bulletin for additional post-update security hardening recommendations.