Versions of ColdFusion 10, 11, and 2016 have an insecure deserialization vulnerability. It can be exploited with a specially crafted AMF3 payload that causes the vulnerable server to open a TCP connection to an arbitrary IP and port. The callback server can then respond with a specially crafted payload, which will be deserialized, possibly leading to remote code execution.
- An attacker sends serialized objects to the server. This causes the server to open a connection to the callback IP on the callback port.
- The vulnerable server responds with a generic error.
- The vulnerable server now receives a payload from the malicious callback server.
The attacker must be able to send crafted packets to the target system.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with new signatures that detect this exploit via Alert Logic Threat Manager™. If a signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Upgrade to a non-vulnerable version to mitigate this vulnerability.