On April 4, 2023 (US time), Imperva reported in "CVE-2023-26360 - Adobe ColdFusion Arbitrary Code Execution | Imperva" that a vulnerability in Adobe ColdFusion is being actively exploited. The vulnerability is classified as improper access control. Exploitation requires no user interaction and can lead to arbitrary code execution, so caution is required.

CVE-2023-26360 - Adobe ColdFusion Arbitrary Code Execution | Imperva

Imperva's report revealed that a vulnerability (CVE-2023-26360) affecting Adobe ColdFusion versions 2021 and 2018 is being actively exploited. No proof of concept (PoC) for this vulnerability has been published yet, but the company's web application firewall (WAF) showed that hundreds of exploitation attempts were made over the past several days.

Most of the exploitation was reportedly carried out by automated hacking tools written in the Go programming language. It has also been confirmed that attackers attempted to steal sensitive files such as the following from Adobe ColdFusion servers.

Neo-runtime.xml

Seed.properties

Password.properties

It was also found that attackers attempted to upload malicious web shells to servers. According to the report, the malicious tools were stored as text and, once uploaded to a server, would be converted into CFM (Cold Fusion Markup) scripts, which could have allowed code to be executed remotely.

If you use the affected Adobe products, it is recommended that you check the published CVE information and the information provided by the vendor, and apply the updates promptly.