CVE-2023-28500
Published: 06 April 2023
Summary
CVE-2023-28500 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Adobe LiveCycle ES4. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 3.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
A Java insecure deserialization vulnerability affects Adobe LiveCycle ES4 version 11.0 and earlier, as well as version 11.0.1 and later when deployed with Java 7u21 or earlier. The flaw stems from the application's use of insecure deserialization methods that accept untrusted Java serialized objects, falling under CWE-502, and permits remote code execution on the underlying operating system.
Unauthenticated attackers can exploit the issue over the network by submitting crafted serialized objects to a specific URL exposed by the LiveCycle application. Successful exploitation yields arbitrary code execution in the context of the account running the service; when that account holds elevated privileges, the attacker obtains privileged operating-system access. The vulnerability is present only in installations that remain on unsupported Java runtimes or on the discontinued LiveCycle product line.
The supplied references point to detailed advisory material hosted at coastalsecurity.gitbook.io that addresses the same LiveCycle exposure. Because the maintainer no longer supports the affected versions, the description indicates that continued use of the product itself constitutes the primary exposure vector. The associated EPSS score has remained flat at 0.2402 with no material post-disclosure increase.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-32170
Vulnerability details
A Java insecure deserialization vulnerability in Adobe LiveCycle ES4 version 11.0 and earlier allows unauthenticated remote attackers to gain operating system code execution by submitting specially crafted Java serialized objects to a specific URL. Adobe LiveCycle ES4 version 11.0.1 and later may be vulnerable if the application is installed with Java environment 7u21 and earlier. Exploitation of the vulnerability depends on two factors: insecure deserialization methods used in the Adobe LiveCycle application, and the use of Java environments 7u21 and earlier. The code execution is performed in the context of the account that is running the Adobe LiveCycle application. If the account is privileged, exploitation provides privileged access to the operating system. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
- Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.
- Untrusted serialized data can be deserialized and observed inside an isolated sandbox, so gadget-chain exploitation cannot reach the host outside the sandbox.
- Validates or rejects untrusted serialized data before deserialization occurs.
- Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.
- Integrity verification of serialized information can detect tampering before deserialization occurs.
- Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.
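The two controls above that act before deserialization, rejecting unexpected serialized data and verifying its integrity, can be illustrated with a small Java program. This is an added example written for this page, not code from Adobe LiveCycle or from the advisory it references. It assumes Java 9 or later for the `java.io.ObjectInputFilter` API (JEP 290, which was also backported to 8u121 and 7u131; the Java 7u21-and-earlier runtimes named above predate it), a hypothetical `Order` class as the only type the service expects, and a constructed HMAC key shared between producer and consumer. The consumer first checks an HMAC-SHA256 tag over the serialized bytes in constant time, and only then deserializes under an allowlist filter that rejects every other class and caps stream depth, references and size.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class SafeDeserializer {

    /** Hypothetical application type: the only class the service expects to receive. */
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final int quantity;
        Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
    }

    // Allowlist filter (JEP 290): accept the expected type, reject every other class ("!*"),
    // and cap depth, reference count and byte size so a hostile stream is cut off early.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "SafeDeserializer$Order;java.lang.String;!*;maxdepth=4;maxrefs=64;maxbytes=16384");

    private static final int MAC_LEN = 32; // HMAC-SHA256 output length in bytes

    /** HMAC-SHA256 over the serialized bytes, so tampering is detected before any decoding. */
    static byte[] hmac(byte[] key, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    /** Producer side: serialized object followed by its authentication tag. */
    static byte[] seal(byte[] key, Serializable obj) throws IOException, GeneralSecurityException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(obj); }
        byte[] body = bos.toByteArray();
        byte[] tag = hmac(key, body);
        byte[] out = Arrays.copyOf(body, body.length + MAC_LEN);
        System.arraycopy(tag, 0, out, body.length, MAC_LEN);
        return out;
    }

    /** Consumer side: verify the tag in constant time, then deserialize under the allowlist. */
    static Object open(byte[] key, byte[] sealed) throws IOException, GeneralSecurityException {
        if (sealed.length < MAC_LEN) throw new SecurityException("message too short");
        byte[] body = Arrays.copyOf(sealed, sealed.length - MAC_LEN);
        byte[] tag = Arrays.copyOfRange(sealed, sealed.length - MAC_LEN, sealed.length);
        if (!MessageDigest.isEqual(hmac(key, body), tag)) {
            throw new SecurityException("integrity check failed; refusing to deserialize");
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            ois.setObjectInputFilter(FILTER); // must be installed before the first readObject()
            try {
                return ois.readObject();
            } catch (ClassNotFoundException e) {
                throw new InvalidClassException("unknown class in stream: " + e.getMessage());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key; a real deployment would provision this out of band.
        byte[] key = "constructed-demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);

        // 1. Legitimate message: tag verifies and the class is on the allowlist.
        byte[] good = seal(key, new Order("A-1001", 3));
        Order o = (Order) open(key, good);
        System.out.println("accepted: " + o.id + " x" + o.quantity);

        // 2. Tampered message: one flipped byte in the body fails the tag check before decoding.
        byte[] tampered = good.clone();
        tampered[10] ^= 0x01;
        try { open(key, tampered); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }

        // 3. Unexpected type (a benign HashMap stands in for any unapproved object graph):
        //    the tag is valid, but the filter rejects it because HashMap is not allowlisted.
        byte[] wrongType = seal(key, new HashMap<String, String>());
        try { open(key, wrongType); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Compile and run with `javac SafeDeserializer.java && java SafeDeserializer`. The ordering matters: the integrity check runs over raw bytes and costs nothing in terms of object construction, so an unauthenticated stream never reaches `readObject()` at all; the class allowlist is the second line of defence for streams that do arrive with a valid tag but carry classes the service never intended to instantiate. On a legacy runtime without `ObjectInputFilter`, the only equivalent is to stop accepting Java serialization from the network and use a data-only format instead.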