CVE-2024-20767 – ColdFusion Path Traversal Leading to Arbitrary File Read
CVE-2024-20767 affects ColdFusion versions 2023.6, 2021.12 and earlier. These versions carry an improper access control vulnerability that can result in an arbitrary file system read; an attacker can use it to bypass security measures, gain unauthorized access to sensitive files, and also perform arbitrary file system writes. Exploiting the issue requires no user interaction. The vulnerability carries a high CVSS score, so it is a significant risk to every exposed instance.
According to the Fofa search engine, more than 145,000 hosts worldwide expose a public ColdFusion application.
Some of them also leave the ColdFusion Administrator reachable from the internet, and those are the ones this bug can hit: the vulnerable code path is reached through an administrator functionality endpoint.
Attackers can simply use any of the public exploits, as in the following example.
In the ColdFusion Administrator, go to Security > Allowed IP Addresses and add only the local IPs that are permitted to use the Administrator. This limits who can reach administrator functionality and, with it, the uuid that the public exploits depend on, because the ColdFusion security flow treats that uuid as proof of privilege.
After applying the change, the same exploit fails against the target because of the access restriction.
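As an added check, not part of the original post, the following Python 3 script is run from a host that is NOT on the allow-list and probes the Administrator paths to confirm they no longer answer. The target URL, the two probed paths and the reading of 401/403 as the allow-list's refusal are assumptions made for this example.

```python
"""Added check: probe the ColdFusion Administrator from outside the allow-list.

Run it from a host that is NOT in Security > Allowed IP Addresses. Every path
should come back 'restricted' (or 'absent'); any 'exposed' means administrator
functionality is still reachable from that host. Standard library only.
"""
import sys
import urllib.error
import urllib.request

# Assumed paths for the check: the Administrator login page and one Admin API
# component. Adjust if the instance uses a different context root.
ADMIN_PATHS = ("/CFIDE/administrator/index.cfm", "/CFIDE/adminapi/administrator.cfc")


def classify(status):
    """Map an HTTP status (None when no HTTP answer arrived) to a verdict.

    200       -> 'exposed'     the endpoint served content to this client
    401, 403  -> 'restricted'  the server refused this client (allow-list, auth in front)
    404       -> 'absent'      the path is not served at all
    None      -> 'unreachable' connection refused, reset or timed out
    other     -> 'other'       look at it manually
    Treating 401/403 as the allow-list's answer is an assumption of this check.
    """
    if status is None:
        return "unreachable"
    if status == 200:
        return "exposed"
    if status in (401, 403):
        return "restricted"
    if status == 404:
        return "absent"
    return "other"


def fetch_status(url, timeout=5.0):
    """Return the final HTTP status for url, or None when no response came back."""
    req = urllib.request.Request(url, headers={"User-Agent": "cf-admin-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:  # 4xx/5xx replies still carry a status
        return exc.code
    except OSError:  # URLError is an OSError: DNS failure, refused, reset, timeout
        return None


def check_admin_exposure(base_url, paths=ADMIN_PATHS):
    """Probe every admin path; returns {path: (status, verdict)}."""
    report = {}
    base = base_url.rstrip("/")
    for path in paths:
        status = fetch_status(base + path)
        report[path] = (status, classify(status))
    return report


def still_exposed(report):
    """True when any probed path answered with content."""
    return any(verdict == "exposed" for _, verdict in report.values())


if __name__ == "__main__":
    # Assumed target; pass the real base URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://cf.example.internal:8500"
    result = check_admin_exposure(target)
    for path, (status, verdict) in result.items():
        print(f"{path:45s} status={status} verdict={verdict}")
    sys.exit(1 if still_exposed(result) else 0)
```

Run it once before the change (expect 'exposed') and once after from the same external host (expect 'restricted'); a non-zero exit code means the admin panel still answers.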
CVE-2024-21216 – WebLogic Unauthenticated RCE
CVE-2024-21216 is a vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. This easily exploitable vulnerability allows unauthenticated attackers with network access via T3 or IIOP to compromise Oracle WebLogic Server, and successful exploitation can result in a takeover of the server. The CVSS base score is 9.8 (Critical).
No public PoC has been published yet, but a WebLogic server takeover is still worth heading off now. As the Nmap scan below (the weblogic-t3-info script) shows, the server currently completes the T3 handshake and reveals its WebLogic version to anyone who connects.
To control who can open T3 connections, we use the built-in connection filter weblogic.security.net.ConnectionFilterImpl. In the Administration Console it is configured under Domain > Security > Filter: set Connection Filter to that class and put the rules in Connection Filter Rules.
The rules below, with the addresses adapted to the environment, allow T3/T3s only from trusted sources and deny everyone else. Each rule has the form target localAddress localPort action protocols; rules are evaluated in order and the first match wins, so the catch-all deny must be last. In a cluster, the managed servers talk to the AdminServer over T3, so their addresses belong in the allow list as well.
127.0.0.1 * * allow t3 t3s # Allow T3/T3s access from localhost
<local_IP> * * allow t3 t3s # Allow T3/T3s access from the local IP
<allowed_IP> * * allow t3 t3s # Allow T3/T3s access from a specific trusted IP
* * * deny t3 t3s # Deny all other T3/T3s access
To disable IIOP, go to Environment > Servers > AdminServer(admin) > Configuration > Protocols > IIOP and uncheck Enable IIOP. The setting is per server, so repeat it for every managed server in the domain.
Save the change, then restart WebLogic by running ./stopWebLogic.sh and starting it again with ./startWebLogic.sh from the domain's bin directory.
Running the Nmap scan again now reports a handshake failure, because the connection filter rejects T3 from the scanning host.
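As an added check, not part of the original post, the following Python 3 script sends the T3 client greeting to a WebLogic listen port and reports whether the server still completes the handshake, which is what the Nmap script above observes. The greeting and the HELO reply format follow the shape nmap's weblogic-t3-info uses; the sample reply in the comments is constructed, and it is assumed that a connection denied by the filter is closed without a HELO reply. The default host is a placeholder.

```python
"""Added check: does this WebLogic port still answer the T3 handshake?

Run it from a host that the connection filter should deny. 'open' means the
server replied HELO:<version> and T3 is still reachable from here; 'closed'
means the connection was accepted but the handshake did not complete (the
expected result once the deny rule is in place). Plain T3 only: t3s on the
SSL port would need a TLS-wrapped socket.
"""
import re
import socket
import sys

# Client greeting: protocol name and a client version, then header fields;
# an empty line terminates it. The client version is arbitrary for the probe.
T3_GREETING = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# An unfiltered server answers e.g. b"HELO:12.2.1.4.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"
# (constructed sample). The version sits between "HELO:" and a trailing true/false flag.
HELO_RE = re.compile(rb"^HELO:(?P<version>\d+(?:\.\d+)+)\.(?P<flag>true|false)")


def parse_t3_reply(data):
    """Classify the bytes the server sent back after the greeting.

    Returns (state, version): ('open', '12.2.1.4.0') when the handshake
    completed, ('closed', None) when nothing or something other than HELO
    came back. Assumed: a filter deny or disabled listener yields no HELO.
    """
    m = HELO_RE.match(data)
    if m:
        return "open", m.group("version").decode("ascii")
    return "closed", None


def probe_t3(host, port=7001, timeout=5.0):
    """Connect, send the greeting and classify the reply.

    state is 'unreachable' when no TCP connection could be made at all,
    'closed' when the server accepted but dropped the handshake, 'open'
    when it answered HELO.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:  # refused, no route, timed out (socket.timeout is an OSError)
        return "unreachable", None
    with sock:
        try:
            sock.sendall(T3_GREETING)
            data = sock.recv(1024)
        except OSError:  # reset or closed mid-handshake counts as a refusal
            return "closed", None
    return parse_t3_reply(data)


if __name__ == "__main__":
    # Assumed target; pass host and port on the command line for a real check.
    host = sys.argv[1] if len(sys.argv) > 1 else "wls.example.internal"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
    state, version = probe_t3(host, port)
    print(f"{host}:{port} t3={state}" + (f" version={version}" if version else ""))
    sys.exit(1 if state == "open" else 0)
```

Run it from an address that is not in the allow list: before the filter is applied it prints the version, afterwards it should report 'closed' (or 'unreachable' if the port itself is firewalled). A non-zero exit code means T3 is still open from that host.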
Recommendation
Applying the official patch is always the recommendation. In large environments, however, that is not always feasible right away, so in this blog post we limit the exposure of the vulnerable code paths manually, without patching the application. Keep in mind that these mitigations restrict access and disable certain functionality within the application, so test them against the integrations that depend on the admin panel, T3 and IIOP before rolling them out.
References