Critical RCE Vulnerability in Adobe LiveCycle ES4v11.0
Vulnerability overview, remediation options, and legalese.
Written by Chris Temple and Alex Abrams. Published April 3rd, 2023.
CVE and CVSS Updates
CVE-2023-28500 assigned by cve.org on April 6th, 2023.
CVSS Score of 9.8 assigned by the National Vulnerability Database on April 14th, 2023. The CVSS vector and scoring details are in the NVD entry for CVE-2023-28500.
Legal Disclaimer
The views expressed in this article reflect only the views of the authors and do not necessarily reflect those of our employer, its employees, shareholders, subsidiaries, or clients. The examples in this article are illustrative and not descriptive of any single environment. The authors published this article in good faith by adhering to a Coordinated Vulnerability Disclosure (CVD) program.
Introduction
In April of 2022, our employer was hired to conduct a web application penetration test for a payment-based application that relied heavily on interactive forms processing. Over the course of five business days, we identified and exploited a remote code execution (RCE) vulnerability in the forms processing component of the application that allowed us to transition from an unauthenticated adversary on the internet to a low-privileged user on a server in their secure web enclave.
In this article we'll provide the details of the vulnerability, a high-level overview of insecure deserialization, the attack path used to discover the vulnerability, and technical lessons learned for fellow penetration testers.
Vulnerability Information
Adobe LiveCycle ES4v11.0 has an insecure Java deserialization vulnerability that allows an unauthenticated adversary to gain RCE on the server where Adobe LiveCycle ES4 is installed. The adversary gains RCE on the server operating system (OS) in the context of the user or process that started the software. To remediate the vulnerability, at a minimum organizations need to upgrade to Adobe LiveCycle ES4v11.1 (also known as Service Pack 1) and update the underlying Java environment to Java 7u25, the first Java 7 update in which the gadget chain described below no longer works.
The reason Adobe LiveCycle is vulnerable is two-fold:
Adobe LiveCycle ES4v11.0 does not use safe methods of deserialization.
Adobe LiveCycle ES4v11.0 is dependent on a vulnerable version of Java (Jdk7u21) and cannot be used with a more current version of Java.
Adobe's support documentation states that Adobe LiveCycle ES4 does not support Java 7u25 until after the SP1 update.
The release notice for Service Pack 1 highlights the support for Java 7u25, but does not identify the associated security implications.
Chris Frohoff previously published a deserialization gadget chain built entirely from classes shipped in Java 7u21 and earlier (the Jdk7u21 chain in the ysoserial tool). Because the chain needs no application-specific classes, it applies to any application that deserializes untrusted input on an affected JDK without restricting which classes may be deserialized.
This vulnerability severely degrades the confidentiality, integrity, and availability of the associated web application and potentially provides a foothold into an organization's environment.
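The two-fold cause above (unrestricted deserialization plus a JDK whose own classes form a gadget chain) is easiest to see side by side. The following is an added example written for this article, not code from Adobe LiveCycle or from the authors' engagement: a hypothetical forms endpoint reading a FormSubmission object from an untrusted byte array, first with a plain ObjectInputStream and then with a look-ahead subclass that rejects any class not on an allowlist before the stream instantiates it. FormSubmission, the method names and the sample payloads are all assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.Set;

public class FormsDeserialization {

    /** Hypothetical form-submission record; stands in for whatever the real forms component deserializes. */
    public static final class FormSubmission implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String formId;
        public final String payer;
        public FormSubmission(String formId, String payer) { this.formId = formId; this.payer = payer; }
    }

    /** BEFORE: the pattern that is exploitable on JDK 7u21. readObject() resolves and
     *  instantiates every class named in the stream before this method can inspect the
     *  result, so a Jdk7u21 gadget chain (built only from JDK classes) executes inside
     *  readObject(), long before the cast below runs. */
    public static FormSubmission unsafeRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted));
        try {
            return (FormSubmission) in.readObject();   // too late: the object graph is already built
        } finally {
            in.close();
        }
    }

    /** The only class this endpoint legitimately needs. String fields and primitives are
     *  written inline and never pass through resolveClass(); arrays and other objects do. */
    private static final Set<String> ALLOWED = Collections.singleton(FormSubmission.class.getName());

    /** AFTER: a look-ahead ObjectInputStream. resolveClass() is invoked for each class
     *  descriptor as it is read, before any instance of that class is created, so refusing
     *  unknown names here stops a gadget chain before its first link is instantiated.
     *  This hook exists in every Java 7 release, so it does not require a JDK upgrade. */
    public static final class LookAheadObjectInputStream extends ObjectInputStream {
        public LookAheadObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    public static FormSubmission safeRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputStream in = new LookAheadObjectInputStream(new ByteArrayInputStream(untrusted));
        try {
            return (FormSubmission) in.readObject();
        } finally {
            in.close();
        }
    }

    /** Builds serialized input for the demonstration below. */
    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream out = new ObjectOutputStream(bos);
        out.writeObject(o);
        out.close();
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a legitimate submission is accepted by both readers.
        byte[] good = serialize(new FormSubmission("payment-42", "alice"));
        System.out.println("safeRead accepted formId=" + safeRead(good).formId);

        // Constructed stand-in for attacker input: a JDK class the endpoint never needs.
        // A real Jdk7u21 payload is likewise composed only of JDK classes.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());
        try {
            unsafeRead(unexpected);   // the JDK fully builds the HashMap; only the cast fails
        } catch (ClassCastException e) {
            System.out.println("unsafeRead: object was constructed, only the cast failed");
        }
        try {
            safeRead(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("safeRead rejected class " + e.classname);
        }
    }
}
```

The allowlist approach is the mitigation available to an application pinned to 7u21: the JDK's built-in serialization filter (ObjectInputFilter, JEP 290) only arrived in later updates, so a product that cannot move off 7u21 cannot use it. Two caveats: the allowlist must stay minimal, because any allowed class that carries its own gadget behaviour is still reachable; and the check only helps where the application controls the ObjectInputStream, so a third-party component such as LiveCycle that performs the deserialization internally still has to be upgraded or isolated as described in the next section.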
Mitigation and Remediation Options
According to Adobe's End-of-Life (EOL) matrix, extended support for Adobe LiveCycle products ended March 31, 2020.
Each of the following options could be used to mitigate or remediate the identified vulnerability:
Remediate - Upgrade to a new forms processing solution.
Remediate - Upgrade to Adobe LiveCycle ES4 v11.1 and upgrade the underlying Java environment to Java 7u25.
Mitigate - Architect the web application so forms processing by Adobe LiveCycle is not accessible to untrusted sources.
CVEs and the CVD Process
When cyber security professionals discover vulnerabilities, we follow a Coordinated Vulnerability Disclosure (CVD) process to responsibly disclose the vulnerability information: first to the vendor so the software can be patched; and second to the public, so they are aware they need to patch their systems. Vulnerabilities are typically disclosed to the public by assigning a Common Vulnerabilities and Exposures (CVE) identifier to the identified vulnerability. Additional information about the CVE program, history, and process can be found at cve.org.
Ideally, all organizations would only use the most up-to-date software available. In reality, organizations often have to prioritize their software patching efforts based on business needs and resource constraints, which may lead to using EOL or unpatched software. For this reason, the mission of the CVE program includes cataloging vulnerabilities in EOL software as well as current software. Additional information can be found in the CVE End of Life Vulnerability Assignment Process.
Because Adobe is both the affected vendor and the CVE Numbering Authority (CNA) for its own products, we first contacted Adobe about the discovered vulnerability. Since the specific software is EOL, Adobe decided not to issue a CVE for this vulnerability. As outlined in the CVE process, we then escalated the issue to the CNA above Adobe: MITRE.
Disclosure Timeline
Wednesday, July 6, 2022: We notified Adobe via email that we identified a critical vulnerability affecting Adobe LiveCycle ES4v11.0.
Monday, July 11, 2022: Adobe responded, "As always, we recommend customers stay up to date on the latest available version of supported Adobe products to receive any security fixes."
Tuesday, July 19, 2022: We reiterated the security concern of the vulnerability and that publishing a notice of the vulnerability would warn customers to update their product.
Wednesday, July 20, 2022: Adobe responded, "We believe [publishing a notice] would enforce the wrong message to customers that Adobe still actively supports this product and is protecting users through documented CVEs."
Tuesday, October 18, 2022: We contacted MITRE, the CNA above Adobe, regarding the vulnerability. MITRE noted we must publish a public article so they can review the details and issue a CVE if necessary.
Monday, April 3, 2023: Over 270 days have passed since initial disclosure of the vulnerability. We publish this article with the intent of raising awareness of the vulnerability, so that customers will patch or upgrade their software.