Monday, 30 December 2024

ColdFusion and USAHERDS web-application Vulnerabilities

ColdFusion is Adobe's application server and the CFML scripting language that runs on it; it lets a web application talk to back-end systems such as databases, mail servers and other web services.

With ColdFusion you can build dynamic pages whose content depends on user input, database lookups, the time of day, or any other criteria you require.

ColdFusion is used by the US Social Security Administration, the Food and Drug Administration, the Kennedy Center, the State Department, and the websites of a number of Fortune 100 companies.

ColdFusion Builder (the IDE, not the ColdFusion server itself) reached end of life on 1 October 2024.

Vulnerability:

  • A critical flaw in ColdFusion (CVE-2024-53961, improper limitation of a pathname to a restricted directory, i.e. path traversal) for which a proof-of-concept exploit exists and which can be used for an arbitrary file-system read on the server.

Recommendation:

  • The vulnerability has been addressed in ColdFusion 2023 Update 12 (and ColdFusion 2021 Update 18). Apply the update promptly, confirm the new update level in the ColdFusion Administrator afterwards, and follow Adobe's ColdFusion Lockdown Guide so that the ColdFusion service account runs with least privilege and cannot read files outside the directories the application actually needs.

USAHERDS, USALIMS, USAPlants, USAFoodSafety and USAMeals are web applications developed by Acclaim Systems as part of its AgraGuard product suite. They help U.S. government agencies track and manage animal health, control disease outbreaks, and support agriculture and food-safety operations.

Vulnerability:

  • Use of hard-coded credentials (CVE-2021-44207): the applications ship with static ASP.NET ViewState Validation Key and Decryption Key values, so anyone who has the keys can execute code on a USAHERDS, USALIMS, USAPlants, USAFoodSafety or USAMeals server.

The ASP.NET ViewState is a serialized blob that the server hands to the browser and accepts back on the next request; the server only deserializes it if the MAC computed over it with the Validation Key checks out. When that key is identical in every installation, an attacker can construct a malicious ViewState that passes the MAC check and is deserialized by the server, and that deserialization can result in code execution on the server.

Recommendation:

  • Stop relying on the vendor-shipped keys: generate a unique validationKey and decryptionKey for every installation (the machineKey element in web.config), treat them as secrets, and rotate them if there is any chance they have been exposed. A key that is the same across all customers is, in effect, public.

Note

More than 125,000 ColdFusion servers are deployed and a total of 643,663 websites use ColdFusion across the globe, making it one of the most widely adopted web technologies.