Bulletin ID
Security update available for Adobe Acrobat and Reader | APSB21-51
|
Date Published |
Priority |
---|---|---|
APSB21-51 |
July 13, 2021 |
2 |
Summary
Affected Versions
Track |
Affected Versions |
Platform |
|
Acrobat DC |
Continuous |
2021.005.20054 and earlier versions |
Windows and macOS |
Acrobat Reader DC |
Continuous |
2021.005.20054 and earlier versions |
Windows and macOS |
|
|
|
|
Acrobat 2020 |
Classic 2020 |
2020.004.30005 and earlier versions |
Windows & macOS |
Acrobat Reader 2020 |
Classic 2020 |
2020.004.30005 and earlier versions |
Windows & macOS |
|
|
|
|
Acrobat 2017 |
Classic 2017 |
2017.011.30197 and earlier versions |
Windows & macOS |
Acrobat Reader 2017 |
Classic 2017 |
2017.011.30197 and earlier versions |
Windows & macOS |
Solution
Adobe recommends users update their software installations to the latest versions by following the instructions below.
The latest product versions are available to end users via one of the following methods:
Users can update their product installations manually by choosing Help > Check for Updates.
The products will update automatically, without requiring user intervention, when updates are detected.
The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.
For IT administrators (managed environments):
Refer to the specific release note version for links to installers.
Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:
Track |
Updated Versions |
Platform |
Priority Rating |
Availability |
|
Acrobat DC |
Continuous |
2021.005.20058 |
Windows and macOS |
2 |
|
Acrobat Reader DC |
Continuous |
2021.005.20058 |
Windows and macOS |
2 |
|
|
|
|
|
|
|
Acrobat 2020 |
Classic 2020 |
2020.004.30006 |
Windows and macOS |
2 |
|
Acrobat Reader 2020 |
Classic 2020 |
2020.004.30006 |
Windows and macOS |
2 |
|
|
|
|
|
|
|
Acrobat 2017 |
Classic 2017 |
2017.011.30199 |
Windows and macOS |
2 |
|
Acrobat Reader 2017 |
Classic 2017 |
2017.011.30199 |
Windows and macOS |
2 |
Vulnerability Details
Vulnerability Category | Vulnerability Impact | Severity | CVSS base score |
CVSS vector |
CVE Number |
---|---|---|---|---|---|
Out-of-bounds Read (CWE-125) |
Memory leak | Important |
3.3 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | CVE-2021-35988 CVE-2021-35987 |
Path Traversal (CWE-22) |
Arbitrary code execution |
Critical |
7.8 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2021-35980 CVE-2021-28644 |
Use After Free (CWE-416) |
Arbitrary code execution |
Critical |
7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | CVE-2021-28640 |
Type Confusion (CWE-843) |
Arbitrary code execution |
Critical |
7.8 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2021-28643 |
Use After Free (CWE-416) |
Arbitrary code execution |
Critical |
8.8 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2021-28641 CVE-2021-28639 |
Out-of-bounds Write (CWE-787) |
Arbitrary file system write |
Critical |
8.8 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2021-28642 |
Out-of-bounds Read (CWE-125) |
Memory leak |
Critical |
7.8 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2021-28637 |
Type Confusion (CWE-843) |
Arbitrary file system read |
Important |
4.3 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
CVE-2021-35986 |
Heap-based Buffer Overflow (CWE-122) |
Arbitrary code execution |
Critical |
8.8 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2021-28638 |
NULL Pointer Dereference (CWE-476) |
Application denial-of-service |
Important |
5.5 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVE-2021-35985 CVE-2021-35984 |
Uncontrolled Search Path Element (CWE-427) |
Arbitrary code execution |
Critical |
7.3 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | CVE-2021-28636 |
OS Command Injection (CWE-78) |
Arbitrary code execution |
Critical |
8.2 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
CVE-2021-28634 |
Use After Free (CWE-416) |
Arbitrary code execution |
Critical |
7.8 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2021-35983 CVE-2021-35981 CVE-2021-28635 |
Acknowledgements
Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:
- Nipun Gupta , Ashfaq Ansari and Krishnakant Patil - CloudFuzz working with Trend Micro Zero Day Initiative (CVE-2021-35983)
- Xu Peng from UCAS and Wang Yanhao from QiAnXin Technology Research Institute working with Trend Micro Zero Day Initiative (CVE-2021-35981, CVE-2021-28638)
- Habooblabs (CVE-2021-35980, CVE-2021-28644, CVE-2021-35988, CVE-2021-35987, CVE-2021-28642, CVE-2021-28641, CVE-2021-35985, CVE-2021-35984, CVE-2021-28637)
- Anonymous working with Trend Micro Zero Day Initiative (CVE-2021-28643, CVE-2021-35986)
- o0xmuhe (CVE-2021-28640)
- Kc Udonsi (@glitchnsec) of Trend Micro Security Research working with Trend Micro Zero Day Initiative (CVE-2021-28639)
- Noah (howsubtle) (CVE-2021-28634)
- xu peng (xupeng_1231) (CVE-2021-28635)
- Xavier Invers Fornells (m4gn3t1k) (CVE-2021-28636)
Revisions
July 14, 2021: Updated acknowledgement details for CVE-2021-28640.
July 15, 2021: Updated acknowledgement details for CVE-2021-35981.
July 29, 2021: Updated the CVSS base score and the CVSS vector for CVE-2021-28640, CVE-2021-28637, CVE-2021-28636.
July 29, 2021: Updated the Vulnerability Impact, Severity, CVSS base score and the CVSS vector for CVE-2021-35988, CVE-2021-35987, CVE-2021-35987, CVE-2021-28644
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.