Adobe Security Bulletin

Last updated on Oct 13, 2021

Security update for Adobe Acrobat and Reader | APSB21-104

Bulletin ID	Date Published	Priority
APSB21-104	October 12, 2021	2

Summary

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address  multiple critical and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user. 

Affected Versions

Product	Track	Affected Versions	Platform
Acrobat DC	Continuous	21.007.20095 and earlier versions	Windows
Acrobat Reader DC	Continuous	21.007.20095 and earlier versions	Windows
Acrobat DC	Continuous	21.007.20096  and earlier versions	macOS
Acrobat Reader DC	Continuous	21.007.20096 and earlier versions	macOS

Acrobat 2020	Classic 2020	20.004.30015 and earlier versions	Windows & macOS
Acrobat Reader 2020	Classic 2020	20.004.30015 and earlier versions	Windows & macOS

Acrobat 2017	Classic 2017	17.011.30202 and earlier versions	Windows & macOS
Acrobat Reader 2017	Classic 2017	17.011.30202 and earlier versions	Windows & macOS

For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page.

For questions regarding Acrobat Reader DC, please visit the Acrobat Reader DC FAQ page.

Solution

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

Users can update their product installations manually by choosing Help > Check for Updates.     
The products will update automatically, without requiring user intervention, when updates are detected.     
The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.

For IT administrators (managed environments):     

Refer to the specific release note version for links to installers.     
Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

Product	Track	Updated Versions	Platform	Priority Rating	Availability
Acrobat DC	Continuous	21.007.20099	Windows and macOS	2	Release Notes
Acrobat Reader DC	Continuous	21.007.20099	Windows and macOS	2	Release Notes

Acrobat 2020	Classic 2020	20.004.30017	Windows and macOS	2	Release Notes
Acrobat Reader 2020	Classic 2020	20.004.30017	Windows and macOS	2	Release Notes

Acrobat 2017	Classic 2017	17.011.30204	Windows and macOS	2	Release Notes
Acrobat Reader 2017	Classic 2017	17.011.30204	Windows and macOS	2	Release Notes

Vulnerability Details

Vulnerability Category	Vulnerability Impact	Severity	CVSS base score	CVSS vector	CVE Number
Use After Free (CWE-416)	Arbitrary code execution	Critical	7.8	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	CVE-2021-40728
Out-of-bounds Read (CWE-125)	Privilege escalation	Moderate	3.3	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N	CVE-2021-40729
Use After Free (CWE-416)	Privilege escalation	Moderate	3.3	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N	CVE-2021-40730
Out-of-bounds Write (CWE-787)	Arbitrary code execution	Critical	7.8	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	CVE-2021-40731

Acknowledgements

Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:  

Habooblabs (CVE-2021-40728, CVE-2021-40729)
Kai Lu of Zscaler's ThreatLabz (CVE-2021-40729)
Anonymous working with Trend Micro Zero Day Initiative (CVE-2021-40730, CVE-2021-40731)

Revisions

October 13th: Updated acknowledgements for CVE-2021-40729

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

Adobe

Get help faster and easier

New user?