
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN273
_____________________________________________________________________

DATE                : 12/05/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Windows and macOS systems running Adobe Acrobat or
Adobe Reader at version 2021.001.20150 (Windows) / 2021.001.20149 (macOS),
2020.001.30020 or 2017.011.30194, or any earlier version of those tracks
(i.e. anything prior to 2021.001.20155, 2020.001.30025 or 2017.011.30196).

=====================================================================
https://helpx.adobe.com/security/products/acrobat/apsb21-29.html
_____________________________________________________________________

Security update available for Adobe Acrobat and Reader | APSB21-29

Bulletin ID    Date Published     Priority

APSB21-29      May 11, 2021       1


Summary

Adobe has released security updates for Adobe Acrobat and Reader for
Windows and macOS. These updates address multiple critical and
important vulnerabilities. Successful exploitation could lead to
arbitrary code execution in the context of the current user.

Adobe has received a report that CVE-2021-28550 has been exploited in
the wild in limited attacks targeting Adobe Reader users on Windows.


Affected Versions

Product              Track         Affected Versions            Platform

Acrobat DC           Continuous    2021.001.20150 and earlier   Windows
Acrobat Reader DC    Continuous    2021.001.20150 and earlier   Windows
Acrobat DC           Continuous    2021.001.20149 and earlier   macOS
Acrobat Reader DC    Continuous    2021.001.20149 and earlier   macOS
Acrobat 2020         Classic 2020  2020.001.30020 and earlier   Windows & macOS
Acrobat Reader 2020  Classic 2020  2020.001.30020 and earlier   Windows & macOS
Acrobat 2017         Classic 2017  2017.011.30194 and earlier   Windows & macOS
Acrobat Reader 2017  Classic 2017  2017.011.30194 and earlier   Windows & macOS


Solution

Adobe recommends users update their software installations to the latest
versions by following the instructions below.

The latest product versions are available to end users via one of the
following methods:

    Users can update their product installations manually by choosing
    Help > Check for Updates.

    The products will update automatically, without requiring user
    intervention, when updates are detected.

    The full Acrobat Reader installer can be downloaded from the Acrobat
    Reader Download Center.

For IT administrators (managed environments):

    Refer to the specific release note version for links to
    installers.

    Install updates via your preferred methodology, such as AIP-GPO,
    bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop
    and SSH.


Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version.
Priority 1 is Adobe's highest rating, reserved for updates that fix
vulnerabilities which are being, or are likely to be, exploited in the
wild; Adobe recommends installing such updates as soon as possible, for
example within 72 hours.

Product              Track         Updated Versions  Platform          Priority  Availability

Acrobat DC           Continuous    2021.001.20155    Windows and macOS  1        Release Notes
Acrobat Reader DC    Continuous    2021.001.20155    Windows and macOS  1        Release Notes
Acrobat 2020         Classic 2020  2020.001.30025    Windows and macOS  1        Release Notes
Acrobat Reader 2020  Classic 2020  2020.001.30025    Windows and macOS  1        Release Notes
Acrobat 2017         Classic 2017  2017.011.30196    Windows and macOS  1        Release Notes
Acrobat Reader 2017  Classic 2017  2017.011.30196    Windows and macOS  1        Release Notes

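The update procedure above boils down to one question per machine: is the
installed build below the fixed version for its track? The following script
is an added example, not code from Adobe or CERT-Renater, that answers it
offline. It takes the fixed versions from the table above and compares
numerically (plain string comparison gets "2021.001.2016" and
"2021.001.20155" the wrong way round). Assumptions, not from the bulletin:
the track is inferred from the version prefix (2020.001.x is Classic 2020,
2017.011.x is Classic 2017, everything else from 2017 onwards is
Continuous); on Windows the product is found through Uninstall registry
entries whose DisplayName mentions Acrobat, and on macOS through the
application bundle's Info.plist; both of those sources report the version
in the short "21.001.20155" form, which is normalised. The inventory
functions are hypothetical helpers and only run on their own platform;
elsewhere the script falls back to a constructed sample list.

```python
"""Check installed Adobe Acrobat / Reader builds against APSB21-29 fixed versions.
Added example; not Adobe's or CERT-Renater's code."""
import glob
import platform
import re
from typing import List, Optional, Tuple

# Fixed versions from the APSB21-29 bulletin, keyed by release track.
FIXED_VERSIONS = {
    "Continuous": "2021.001.20155",
    "Classic 2020": "2020.001.30025",
    "Classic 2017": "2017.011.30196",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2021.001.20155' into (2021, 1, 20155) for numeric comparison.
    Also accepts the '21.001.20155' form that the Windows Uninstall key and the
    macOS Info.plist use (assumption) by promoting a two-digit year to 20xx."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    if parts[0] < 100:
        parts[0] += 2000
    while len(parts) < 3:          # pad short strings so tuple compares line up
        parts.append(0)
    return tuple(parts)


def track_for(version: str) -> Optional[str]:
    """Infer the release track from the version prefix (heuristic, assumption):
    2020.001.x is Classic 2020, 2017.011.x is Classic 2017, any other 2017+ build
    is on the Continuous track. Older tracks are not covered by the bulletin."""
    major, minor = parse_version(version)[:2]
    if major == 2020 and minor == 1:
        return "Classic 2020"
    if major == 2017 and minor == 11:
        return "Classic 2017"
    if major >= 2017:
        return "Continuous"
    return None


def is_vulnerable(version: str) -> bool:
    """True when the build is below the APSB21-29 fixed version for its track.
    A build from a track not in the bulletin is out of support and flagged too."""
    track = track_for(version)
    if track is None:
        return True
    return parse_version(version) < parse_version(FIXED_VERSIONS[track])


def installed_versions_windows() -> List[Tuple[str, str]]:
    """Enumerate Uninstall entries naming Acrobat/Reader (Windows only, assumption)."""
    import winreg  # only importable on Windows
    found = []
    for path in (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                 r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"):
        try:
            base = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue
        with base:
            i = 0
            while True:
                try:
                    sub = winreg.EnumKey(base, i)
                except OSError:
                    break
                i += 1
                try:
                    with winreg.OpenKey(base, sub) as k:
                        name = winreg.QueryValueEx(k, "DisplayName")[0]
                        ver = winreg.QueryValueEx(k, "DisplayVersion")[0]
                except OSError:
                    continue
                if "Acrobat" in name or "Adobe Reader" in name:
                    found.append((name, ver))
    return found


def installed_versions_macos() -> List[Tuple[str, str]]:
    """Read CFBundleShortVersionString from Acrobat app bundles (macOS only, assumption)."""
    import plistlib
    found = []
    for app in (glob.glob("/Applications/Adobe Acrobat*.app")
                + glob.glob("/Applications/Adobe Acrobat*/Adobe Acrobat*.app")):
        try:
            with open(f"{app}/Contents/Info.plist", "rb") as fh:
                found.append((app, plistlib.load(fh)["CFBundleShortVersionString"]))
        except (OSError, KeyError):
            continue
    return found


def report(installed: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (name, version, status) rows for a list of (name, version) pairs."""
    return [(name, ver, "UPDATE REQUIRED (APSB21-29)" if is_vulnerable(ver) else "patched")
            for name, ver in installed]


if __name__ == "__main__":
    system = platform.system()
    if system == "Windows":
        installed = installed_versions_windows()
    elif system == "Darwin":
        installed = installed_versions_macos()
    else:  # constructed sample input so the check can be exercised off-box
        installed = [("Adobe Acrobat Reader DC", "21.001.20150"),
                     ("Adobe Acrobat DC", "2021.001.20155"),
                     ("Adobe Acrobat 2017", "2017.011.30194")]
    for name, ver, status in report(installed):
        print(f"{name:32} {ver:16} {status}")
```

Run it from an SCCM/ARD job or a login script and alert on any
"UPDATE REQUIRED" row; the macOS affected build (2021.001.20149) is one
below the Windows one, but both compare below the single fixed version
2021.001.20155, so one table serves both platforms.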

Vulnerability Details


Vulnerability Category           Vulnerability Impact         Severity   CVE Number

Buffer Overflow                  Arbitrary code execution     Important  CVE-2021-28561
Heap-based Buffer Overflow       Arbitrary code execution     Critical   CVE-2021-28560
Heap-based Buffer Overflow       Arbitrary code execution     Important  CVE-2021-28558
Out-of-bounds Read               Memory leak                  Critical   CVE-2021-28557
Out-of-bounds Read               Arbitrary file system read   Important  CVE-2021-28555
Out-of-bounds Read               Arbitrary code execution     Critical   CVE-2021-28565
Out-of-bounds Write              Arbitrary code execution     Critical   CVE-2021-28564
Out-of-bounds Write              Arbitrary code execution     Critical   CVE-2021-21044
                                                                         CVE-2021-21038
                                                                         CVE-2021-21086
Exposure of Private Information  Privilege escalation         Important  CVE-2021-28559
Use After Free                   Arbitrary code execution     Critical   CVE-2021-28562
                                                                         CVE-2021-28550
                                                                         CVE-2021-28553


Acknowledgements

Adobe would like to thank the following for reporting the
relevant issues and for working with Adobe to help protect our
customers.

    Anonymously reported (CVE-2021-28550)
    Aleksandar Nikolic of Cisco Talos. (CVE-2021-28562)
    Xu peng (xupeng_1231) (CVE-2021-28561)
    chutchut (CVE-2021-28559)
    fr0zenrain of Baidu Security (CVE-2021-28560)
    Haboob Labs (CVE-2021-28557, CVE-2021-28564, CVE-2021-28565,
    CVE-2021-28553, CVE-2021-28558, CVE-2021-28555)


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



