Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction, the vulnerability is triggered when a crafted network packet is sent to the server.

Security updates available for Adobe ColdFusion | APSB22-44

Adobe has released security updates for ColdFusion versions 2021 and 2018. These updates resolve Critical, Important and Moderate  vulnerabilities that could lead to arbitrary code execution, arbitrary file system write, security feature bypass and privilege escalation.

Adobe categorizes these updates with the following priority rating and recommends users update their installations to the newest versions:

Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 11. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server.  See the relevant Tech Notes for more details. 

Adobe  also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.    

*   ColdFusion 2018 Auto-Lockdown guide   
*   ColdFusion 2021 Lockdown Guide

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:

*   rgod working with Trend Micro Zero Day Initiative - CVE-2022-35710, CVE-2022-35711, CVE-2022-35690, CVE-2022-35712, CVE-2022-38418, CVE-2022-38419, CVE-2022-38420, CVE-2022-38421, CVE-2022-38422, CVE-2022-38423, CVE-2022-38424
*   reillyb - CVE-2022-42340, CVE-2022-42341

**ColdFusion JDK Requirement**

**COLDFUSION 2021 (version 2021.0.0.323925) and above**

**For Application Servers**   

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.\*\*;!com.sun.syndication.\*\*;!org.apache.commons.beanutils.\*\*", in the respective startup file depending on the type of Application Server being used.   

For example:   

Apache Tomcat Application Server: edit JAVA\_OPTS in the ‘Catalina.bat/sh’ file   

WebLogic Application Server:  edit JAVA\_OPTIONS in the ‘startWeblogic.cmd’ file   

WildFly/EAP Application Server:  edit JAVA\_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.   

**COLDFUSION 2018 HF1 and above**  

**For Application Servers**   

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.\*\*;!com.sun.syndication.\*\*;!org.apache.commons.beanutils.\*\*", in the respective startup file depending on the type of Application Server being used.   

For example:   

Apache Tomcat Application Server: edit JAVA\_OPTS in the ‘Catalina.bat/sh’ file   

WebLogic Application Server:  edit JAVA\_OPTIONS in the ‘startWeblogic.cmd’ file   

WildFly/EAP Application Server:  edit JAVA\_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.   

For more information, visit https://helpx.adobe.com/security.html , or email PSIRT@adobe.com

CVE-2022-35690: Adobe Security Bulletin

Adobe Acrobat Reader versions 22.002.20212 (and earlier) and 20.005.30381 (and earlier) are affected by a NULL Pointer Dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Acrobat and Reader  | APSB22-46

**Bulletin ID**

**Date Published**

**Priority**

APSB22-46

October 11, 2022

3

**Summary**

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to application denial-of-service and memory leak.                    

**Affected Versions**

**Product**

**Track**

**Affected Versions**

**Platform**

Acrobat DC 

Continuous 

22.002.20212 and earlier versions

Windows &  macOS

Acrobat Reader DC

Continuous 

22.002.20212 and earlier versions  

Windows & macOS

Acrobat 2020  

Classic 2020             

20.005.30381 and earlier versions

Windows & macOS  

Acrobat Reader 2020  

Classic 2020             

20.005.30381 and earlier versions  

Windows & macOS  

For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page. 

**Solution**

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

*   Users can update their product installations manually by choosing Help > Check for Updates.     
    
*   The products will update automatically, without requiring user intervention, when updates are detected.      
    
*   The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     
    

For IT administrators (managed environments):     

*   Refer to the specific release note version for links to installers.     
    
*   Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     
    

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

**Product**

**Track**

**Updated Versions**

**Platform**

**Priority Rating**

**Availability**

Acrobat DC

Continuous

22.003.20258  

Windows and macOS

3

Release Notes     

Acrobat Reader DC

Continuous

22.003.20258  

Windows and macOS

3

Release Notes     

Acrobat 2020  

Classic 2020             

20.005.30407

Windows  and macOS    

3

Release Notes     

Acrobat Reader 2020  

Classic 2020   

20.005.30407  

Windows  and macOS   

3

Release Notes   

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**

CVSS vector

**CVE Number**

NULL Pointer Dereference (CWE-476)  

Application denial-of-service  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H  

CVE-2022-35691  

Use After Free (CWE-416)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-38437  

Stack-based Buffer Overflow (CWE-121)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

  
CVE-2022-38450  

Stack-based Buffer Overflow (CWE-121)  

Arbitrary code execution  

Critical  

7.8  

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-42339  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-38449  

Out-of-bounds Read (CWE-125)  

Memory leak  

Important  

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-42342  

**Acknowledgements**

Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:   

*   Suyue Guo and Wei You from Renmin University of China (ruc\_se\_sec) - CVE-2022-35691  
    
*   Gil Mansharov (gilmansharov) - CVE-2022-38437
*   Rocco Calvi (@TecR0c) working with Trend Micro Zero Day Initiative - CVE-2022-42342  
    
*   soiax working with Trend Micro Zero Day Initiative - CVE-2022-38449
*   Zhiyuan Wang、Li shuang and willJ of vulnerability research institute - CVE-2022-42339,   
    CVE-2022-38450

**Revisions:**

July 26, 2022: Added CVE details for CVE-2022-35669

May 9th, 2022: Added CVE details for CVE-2022-28837, CVE-2022-28838

April 18, 2022: Updated acknowledgement for CVE-2022-24102, CVE-2022-24103, CVE-2022-24104  

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2022-35691: Adobe Security Bulletin

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6c0414.

**Product Link**

https://github.com/caryll/otfcc

**POC file**

https://github.com/Cvjark/Poc/files/9059919/id110\_heap\_buffer\_overflow\_sample\_otfccdump%2B0x6c0414.zip

**Command to reproduce**

./otfccbuild --pretty [sample file] -o /dev/null

**Product name & version**

last github commit code : 617837b

**Problem Type**

heap-buffer-overflow

**Crash Detail**

    ==102472==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fa28a7e5808 at pc 0x0000006c0415 bp 0x7ffe8b844290 sp 0x7ffe8b844288
    READ of size 8 at 0x7fa28a7e5808 thread T0
        #0 0x6c0414  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6c0414)
        #1 0x527687  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x527687)
        #2 0x4fe3fe  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4fe3fe)
        #3 0x4f5710  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4f5710)
        #4 0x7fa28e8f7c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #5 0x41c549  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x41c549)
    
    0x7fa28a7e5808 is located 8 bytes to the right of 1048576-byte region [0x7fa28a6e5800,0x7fa28a7e5800)
    allocated by thread T0 here:
        #0 0x4aecd8 in calloc (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4aecd8)
        #1 0x526fd2  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x526fd2)
        #2 0x4fe3fe  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4fe3fe)
        #3 0x4f5710  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4f5710)
        #4 0x7fa28e8f7c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6c0414) 
    Shadow bytes around the buggy address:
      0x0ff4d14f4ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff4d14f4ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff4d14f4ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff4d14f4ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff4d14f4af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0ff4d14f4b00: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff4d14f4b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff4d14f4b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff4d14f4b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff4d14f4b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff4d14f4b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==102472==ABORTING
    

**Crash summary**

    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6c0414)

CVE-2022-35059: Poc/CVE-2022-35059.md at main · Cvjark/Poc

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6b05ce.

**Product Link**

https://github.com/caryll/otfcc

**POC file**

https://github.com/Cvjark/Poc/files/9059921/id117\_heap\_buffer\_overflow\_sample\_otfccdump%2B0x6b05ce.zip

**Command to reproduce**

./otfccbuild --pretty [sample file] -o /dev/null

**Product name & version**

last github commit code : 617837b

**Problem Type**

heap-buffer-overflow

**Crash Detail**

    ==102877==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000418 at pc 0x0000006b05cf bp 0x7ffe00e2fc60 sp 0x7ffe00e2fc58
    READ of size 1 at 0x619000000418 thread T0
        #0 0x6b05ce  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6b05ce)
        #1 0x6b99ca  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6b99ca)
        #2 0x527687  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x527687)
        #3 0x4fe3fe  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4fe3fe)
        #4 0x4f5710  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4f5710)
        #5 0x7fb14c4a8c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #6 0x41c549  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x41c549)
    
    0x619000000418 is located 0 bytes to the right of 920-byte region [0x619000000080,0x619000000418)
    allocated by thread T0 here:
        #0 0x4aecd8 in calloc (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4aecd8)
        #1 0x6b536b  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6b536b)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6b05ce) 
    Shadow bytes around the buggy address:
      0x0c327fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c327fff8080: 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff80b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c327fff80c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c327fff80d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==102877==ABORTING
    

**Crash summary**

    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6b05ce)

CVE-2022-35058: Poc/CVE-2022-35058.md at main · Cvjark/Poc

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6b0478.

CVE-2022-35056

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6c0473.

CVE-2022-35055

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6171b2.

CVE-2022-35054

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x61731f.

CVE-2022-35053

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6b84b1.

CVE-2022-35052

OTFCC commit 617837b was discovered to contain a heap buffer overflow via /release-x64/otfccdump+0x6b55af.

**Product Link**

https://github.com/caryll/otfcc

**POC file**

https://github.com/Cvjark/Poc/files/9059902/id53\_heap\_buffer\_overflow\_sample\_otfccdump%2B0x6b55af.zip

**Command to reproduce**

./otfccbuild --pretty [sample file] -o /dev/null

**Product name & version**

last github commit code : 617837b

**Problem Type**

heap-buffer-overflow

**Crash Detail**

    ==112975==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6120000005cb at pc 0x0000006b55b0 bp 0x7ffce76ca210 sp 0x7ffce76ca208
    READ of size 1 at 0x6120000005cb thread T0
        #0 0x6b55af  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6b55af)
        #1 0x6b6b99  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6b6b99)
        #2 0x5265aa  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x5265aa)
        #3 0x4fe3fe  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4fe3fe)
        #4 0x4f5710  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4f5710)
        #5 0x7fc4b3c13c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #6 0x41c549  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x41c549)
    
    0x6120000005cb is located 0 bytes to the right of 267-byte region [0x6120000004c0,0x6120000005cb)
    allocated by thread T0 here:
        #0 0x4aecd8 in calloc (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4aecd8)
        #1 0x6b69c5  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6b69c5)
        #2 0x4fe3fe  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4fe3fe)
        #3 0x4f5710  (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x4f5710)
        #4 0x7fc4b3c13c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6b55af) 
    Shadow bytes around the buggy address:
      0x0c247fff8060: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c247fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
      0x0c247fff8090: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c247fff80a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c247fff80b0: 00 00 00 00 00 00 00 00 00[03]fa fa fa fa fa fa
      0x0c247fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c247fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==112975==ABORTING
    

**Crash summary**

    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/bupt/Desktop/otfcc/bin/release-x64/otfccdump+0x6b55af)

Tag

#buffer_overflow