
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN087
_____________________________________________________________________

DATE                : 10/02/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Adobe Acrobat and Adobe Reader versions prior to
                      2021.001.20135, 2020.001.30020 and 2017.011.30190.

=====================================================================
https://helpx.adobe.com/security/products/acrobat/apsb21-09.html
_____________________________________________________________________

Security update available for Adobe Acrobat and Reader | APSB21-09
Bulletin ID     Date Published           Priority
APSB21-09       February 09, 2021        1


Summary

Adobe has released security updates for Adobe Acrobat and Reader for
Windows and macOS. These updates address multiple critical and
important vulnerabilities. Successful exploitation could lead to
arbitrary code execution in the context of the current user.

Adobe has received a report that CVE-2021-21017 has been exploited in
the wild in limited attacks targeting Adobe Reader users on Windows.


Affected Versions

Product              Track         Affected Versions                    Platform

Acrobat DC           Continuous    2020.013.20074 and earlier versions  Windows & macOS
Acrobat Reader DC    Continuous    2020.013.20074 and earlier versions  Windows & macOS
Acrobat 2020         Classic 2020  2020.001.30018 and earlier versions  Windows & macOS
Acrobat Reader 2020  Classic 2020  2020.001.30018 and earlier versions  Windows & macOS
Acrobat 2017         Classic 2017  2017.011.30188 and earlier versions  Windows & macOS
Acrobat Reader 2017  Classic 2017  2017.011.30188 and earlier versions  Windows & macOS


Solution

Adobe recommends users update their software installations to the latest
versions by following the instructions below.

The latest product versions are available to end users via one of the
following methods:

    Users can update their product installations manually by choosing
    Help > Check for Updates.

    The products will update automatically, without requiring user
    intervention, when updates are detected.

    The full Acrobat Reader installer can be downloaded from the Acrobat
    Reader Download Center.

For IT administrators (managed environments):

    Refer to the specific release note version for links to
    installers.

    Install updates via your preferred methodology, such as AIP-GPO,
    bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop
    and SSH.

Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version:

Product              Track         Updated Versions  Platform           Priority Rating  Availability

Acrobat DC           Continuous    2021.001.20135    Windows and macOS  1                Release Notes
Acrobat Reader DC    Continuous    2021.001.20135    Windows and macOS  1                Release Notes
Acrobat 2020         Classic 2020  2020.001.30020    Windows and macOS  1                Release Notes
Acrobat Reader 2020  Classic 2020  2020.001.30020    Windows and macOS  1                Release Notes
Acrobat 2017         Classic 2017  2017.011.30190    Windows and macOS  1                Release Notes
Acrobat Reader 2017  Classic 2017  2017.011.30190    Windows and macOS  1                Release Notes
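As an added example, not part of the Adobe bulletin or of this CERT-Renater note: a Python check that compares installed Acrobat/Reader builds against the fixed versions listed above, per track, so an administrator can find hosts still on an affected build before rolling out the update. The inventory lines are constructed sample data, and the CSV layout (host, product, track, version) is an assumption.

```python
"""Check Adobe Acrobat/Reader build numbers against the APSB21-09 fixed versions."""
from typing import Dict, List, Tuple

# Fixed builds per track, as listed in the bulletin's "Updated Versions" table.
FIXED_VERSIONS: Dict[str, str] = {
    "Continuous": "2021.001.20135",
    "Classic 2020": "2020.001.30020",
    "Classic 2017": "2017.011.30190",
}

# Constructed sample inventory (host,product,track,version); not real hosts.
SAMPLE_INVENTORY = """\
ws01,Acrobat Reader DC,Continuous,2020.013.20074
ws02,Acrobat Reader DC,Continuous,2021.001.20135
ws03,Acrobat 2020,Classic 2020,2020.001.30018
ws04,Acrobat 2017,Classic 2017,2017.011.30190
ws05,Acrobat DC,Continuous,2021.001.20140
"""

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2020.013.20074' into (2020, 13, 20074) so the comparison is numeric;
    a plain string compare would mis-order zero-padded components."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Adobe version format: {version!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(version: str, track: str) -> bool:
    """True when the installed build is older than the fixed build for its track.
    The track must be supplied explicitly: Continuous (2020.013.x) and
    Classic 2020 (2020.001.x) share the same leading year component."""
    if track not in FIXED_VERSIONS:
        raise ValueError(f"unknown track: {track!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[track])

def audit_inventory(csv_text: str) -> List[str]:
    """Return the hostnames whose installed build is still affected."""
    affected: List[str] = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, _product, track, version = [f.strip() for f in line.split(",")]
        if is_vulnerable(version, track):
            affected.append(host)
    return affected

if __name__ == "__main__":
    for host in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}: affected by APSB21-09, update required")
```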


Vulnerability Details

Vulnerability Category      Vulnerability Impact           Severity   CVE Number

Buffer overflow             Application denial-of-service  Important  CVE-2021-21046
Heap-based Buffer Overflow  Arbitrary code execution       Critical   CVE-2021-21017
Path Traversal              Arbitrary code execution       Critical   CVE-2021-21037
Integer Overflow            Arbitrary code execution       Critical   CVE-2021-21036
Improper Access Control     Privilege escalation           Critical   CVE-2021-21045
Out-of-bounds Read          Privilege escalation           Important  CVE-2021-21042, CVE-2021-21034
Use-after-free              Information Disclosure         Important  CVE-2021-21061
Out-of-bounds Write         Arbitrary code execution       Critical   CVE-2021-21044, CVE-2021-21038
Buffer overflow             Arbitrary code execution       Critical   CVE-2021-21058, CVE-2021-21059,
                                                                      CVE-2021-21062, CVE-2021-21063
NULL Pointer Dereference    Information Disclosure         Important  CVE-2021-21057
Improper Input Validation   Information Disclosure         Important  CVE-2021-21060
Use After Free              Arbitrary code execution       Critical   CVE-2021-21041, CVE-2021-21040,
                                                                      CVE-2021-21039, CVE-2021-21035,
                                                                      CVE-2021-21033, CVE-2021-21028,
                                                                      CVE-2021-21021



Acknowledgements

Adobe would like to thank the following for reporting the
relevant issues and for working with Adobe to help protect our
customers.

    Anonymously reported (CVE-2021-21017)

    Nipun Gupta, Ashfaq Ansari, and Krishnakant Patil - CloudFuzz
(CVE-2021-21041)

    Mark Vincent Yason (@MarkYason) working with Trend Micro Zero Day
Initiative (CVE-2021-21042, CVE-2021-21034)

    Fenghan_zuijinyoukongma_woxiangyueniyiqichifankandianying working
with Trend Micro Zero Day Initiative (CVE-2021-21035, CVE-2021-21033,
CVE-2021-21028, CVE-2021-21021)

    AIOFuzzer working with Trend Micro Zero Day Initiative
(CVE-2021-21044, CVE-2021-21061)

    360CDSRC in Tianfu Cup 2020 International Cybersecurity Contest
(CVE-2021-21037)

    Will Dormann of CERT/CC (CVE-2021-21045)

    Xuwei Liu (shellway) (CVE-2021-21046)

    胖 in Tianfu Cup 2020 International Cybersecurity Contest
(CVE-2021-21040)

    360政企安全漏洞研究院 in Tianfu Cup 2020 International Cybersecurity
Contest (CVE-2021-21039)

    蚂蚁安全光年实验室基础研究小组 in Tianfu Cup 2020 International
Cybersecurity Contest (CVE-2021-21038)

    CodeMaster in Tianfu Cup 2020 International Cybersecurity Contest
(CVE-2021-21036)

    Xinyu Wan (wxyxsx) (CVE-2021-21057)

    Haboob Labs (CVE-2021-21060)

    Zhibin Zhang (zzbthechaos) (CVE-2021-21058, CVE-2021-21059,
CVE-2021-21062, CVE-2021-21063)




=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================