=====================================================================
                            CERT-Renater

                 Note d'Information No. 2021/VULN374
_____________________________________________________________________

DATE                 : 22/07/2021

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Adobe Illustrator versions
                       prior to 25.2.3.

=====================================================================
https://helpx.adobe.com/security/products/illustrator/apsb21-42.html
_____________________________________________________________________

Security Updates Available for Adobe Illustrator | APSB21-42

Bulletin ID      Date Published     Priority
APSB21-42        July 13, 2021      3

Summary

Adobe has released an update for Adobe Illustrator 2021. This update
resolves multiple critical and important vulnerabilities that could
lead to arbitrary code execution in the context of the current user.

Affected Versions

Product              Version                         Platform
Illustrator 2021     25.2.3 and earlier versions     Windows

Solution

Adobe categorizes these updates with the following priority ratings
and recommends users update their installation to the newest version
via the Creative Cloud desktop app's update mechanism.

For more information, please reference this help page.

Product              Version    Platform              Priority    Availability
Illustrator 2021     25.3       Windows and macOS     3           Download Page

Vulnerability details

Vulnerability Category : Use After Free (CWE-416)
Vulnerability Impact   : Arbitrary file system read
Severity               : Important
CVSS base score        : 3.3
CVSS vector            : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE Numbers            : CVE-2021-28593, CVE-2021-36008

Vulnerability Category : Out-of-bounds write (CWE-787)
Vulnerability Impact   : Arbitrary code execution
Severity               : Critical
CVSS base score        : 7.8
CVSS vector            : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE Numbers            : CVE-2021-28591, CVE-2021-28592

Vulnerability Category : Out-of-bounds Read (CWE-125)
Vulnerability Impact   : Arbitrary file system read
Severity               : Important
CVSS base score        : 3.3
CVSS vector            : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE Numbers            : CVE-2021-36010

Vulnerability Category : Access of Memory Location After End of Buffer (CWE-788)
Vulnerability Impact   : Arbitrary code execution
Severity               : Critical
CVSS base score        : 7.8
CVSS vector            : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE Numbers            : CVE-2021-36009

Vulnerability Category : OS Command Injection (CWE-78)
Vulnerability Impact   : Arbitrary code execution
Severity               : Critical
CVSS base score        : 8.3
CVSS vector            : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE Numbers            : CVE-2021-36011

Acknowledgments

Adobe would like to thank the following researchers for reporting
these issues and for working with Adobe to help protect our customers:

  Mat Powell (@mrpowell) & Joshua Smith (@kernelsmith) of Trend Micro
  Zero Day Initiative (CVE-2021-28591, CVE-2021-28592, CVE-2021-28593)

  Mat Powell of Trend Micro Zero Day Initiative (CVE-2021-36010,
  CVE-2021-36009, CVE-2021-36008)

  Taylor Leach of Apple (CVE-2021-36011)

Revisions

  July 19, 2021: Included details about CVE-2021-36010,
  CVE-2021-36009, CVE-2021-36008.

  July 20, 2021: Included details about CVE-2021-36011.

For more information, visit https://helpx.adobe.com/security.html ,
or email PSIRT@adobe.com

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email:cert@support.renater.fr  +
=========================================================