CVE-2021-21017: Adobe Security Bulletin

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a heap-based buffer overflow vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.


Security update available for Adobe Acrobat and Reader | APSB21-09

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Adobe has received a report that CVE-2021-21017 has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows.

Adobe recommends users update their software installations to the latest versions by following the instructions below.

The latest product versions are available to end users via one of the following methods:

  • Users can update their product installations manually by choosing Help > Check for Updates.

  • The products will update automatically, without requiring user intervention, when updates are detected.

  • The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.

For IT administrators (managed environments):

  • Refer to the specific release note version for links to installers.

  • Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.
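Before pushing the update through any of the methods above, an administrator usually wants to know which installs are actually at or below the three "and earlier" ceilings quoted in the bulletin. The script below is an added example for this page, not Adobe's tooling; it assumes those three ceilings belong to three separate release tracks (taken here to be Continuous, Classic 2020 and Classic 2017) and that the inventory source records which track each install belongs to. Hostnames, the inventory records, and every version string other than the three ceilings are constructed sample data.

```python
"""Version triage against the APSB21-09 affected-version ceilings.

Added example for this page, not Adobe's code. Assumes the bulletin's three
"X (and earlier)" versions belong to three separate release tracks (assumed to
be Continuous, Classic 2020 and Classic 2017) and that inventory data records
the track of each install.
"""
import re
from typing import Dict, List, Optional, Tuple

# Ceilings quoted in the bulletin: an install is affected when its version is
# less than or equal to the ceiling for its own track.
AFFECTED_CEILINGS: Dict[str, str] = {
    "continuous":   "2020.013.20074",
    "classic_2020": "2020.001.30018",
    "classic_2017": "2017.011.30188",
}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '2020.013.20074' into (2020, 13, 20074); None if malformed."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str, track: str) -> Optional[bool]:
    """True if at or below the ceiling of its own track; None if undecidable."""
    installed = parse_version(version)
    if installed is None or track not in AFFECTED_CEILINGS:
        return None
    ceiling = parse_version(AFFECTED_CEILINGS[track])
    return installed <= ceiling


def naive_is_affected(version: str) -> Optional[bool]:
    """The mistake to avoid: compare against every ceiling regardless of track.

    A patched Classic 2017 build (2017.x) sorts numerically below the Classic
    2020 ceiling (2020.001.x) and is wrongly reported as affected.
    """
    installed = parse_version(version)
    if installed is None:
        return None
    return any(installed <= parse_version(c) for c in AFFECTED_CEILINGS.values())


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Bucket (host, version, track) records into affected/patched/unknown."""
    report: Dict[str, List[str]] = {"affected": [], "patched": [], "unknown": []}
    for host, version, track in inventory:
        verdict = is_affected(version, track)
        if verdict is None:
            report["unknown"].append(host)   # malformed version or unknown track
        elif verdict:
            report["affected"].append(host)
        else:
            report["patched"].append(host)
    return report


# Constructed sample inventory (hostnames and non-ceiling versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "2020.013.20074", "continuous"),    # exactly the ceiling: affected
    ("ws-02", "2021.001.20140", "continuous"),    # later build: patched
    ("ws-03", "2020.001.30018", "classic_2020"),  # exactly the ceiling: affected
    ("ws-04", "2020.001.30030", "classic_2020"),  # later build: patched
    ("ws-05", "2017.011.30188", "classic_2017"),  # exactly the ceiling: affected
    ("ws-06", "2017.011.30200", "classic_2017"),  # patched; naive check flags it
    ("ws-07", "unknown", "continuous"),           # malformed inventory entry
    ("ws-08", "2020.013.20066", "unsupported"),   # track not in the bulletin
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

The per-track comparison is the point: dotted versions compare correctly as integer tuples only within one release track, so an inventory feed that does not carry the track cannot be triaged reliably, and the script reports such entries as unknown rather than guessing.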

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

| Vulnerability Category              | Vulnerability Impact          | Severity  | CVE Number                                                                                                                       |
|-------------------------------------|-------------------------------|-----------|----------------------------------------------------------------------------------------------------------------------------------|
| Buffer overflow                     | Application denial-of-service | Important | CVE-2021-21046                                                                                                                   |
| Heap-based Buffer Overflow          | Arbitrary code execution      | Critical  | CVE-2021-21017                                                                                                                   |
| Path Traversal                      | Arbitrary code execution      | Critical  | CVE-2021-21037                                                                                                                   |
| Integer Overflow                    | Arbitrary code execution      | Critical  | CVE-2021-21036                                                                                                                   |
| Improper Access Control             | Privilege escalation          | Critical  | CVE-2021-21045                                                                                                                   |
| Out-of-bounds Read                  | Privilege escalation          | Important | CVE-2021-21042, CVE-2021-21034, CVE-2021-21089, CVE-2021-40723                                                                   |
| Use-after-free                      | Information Disclosure        | Important | CVE-2021-21061                                                                                                                   |
| Out-of-bounds Write                 | Arbitrary code execution      | Critical  | CVE-2021-21044, CVE-2021-21038, CVE-2021-21086                                                                                   |
| Buffer overflow                     | Arbitrary code execution      | Critical  | CVE-2021-21058, CVE-2021-21059, CVE-2021-21062, CVE-2021-21063                                                                   |
| NULL Pointer Dereference            | Information Disclosure        | Important | CVE-2021-21057                                                                                                                   |
| Improper Input Validation           | Information Disclosure        | Important | CVE-2021-21060                                                                                                                   |
| Use After Free                      | Arbitrary code execution      | Critical  | CVE-2021-21041, CVE-2021-21040, CVE-2021-21039, CVE-2021-21035, CVE-2021-21033, CVE-2021-21028, CVE-2021-21021, CVE-2021-21088   |
| Missing Support for Integrity Check | Security feature bypass       | Important | CVE-2021-28545, CVE-2021-28546                                                                                                   |

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers.

  • Anonymously reported (CVE-2021-21017)
  • Nipun Gupta, Ashfaq Ansari, and Krishnakant Patil - CloudFuzz (CVE-2021-21041)
  • Mark Vincent Yason (@MarkYason) working with Trend Micro Zero Day Initiative (CVE-2021-21042, CVE-2021-21034, CVE-2021-21089)
  • Xu Peng from UCAS and Wang Yanhao from QiAnXin Technology Research Institute working with Trend Micro Zero Day Initiative (CVE-2021-21035, CVE-2021-21033, CVE-2021-21028, CVE-2021-21021)
  • AIOFuzzer working with Trend Micro Zero Day Initiative (CVE-2021-21044, CVE-2021-21061, CVE-2021-21088)
  • 360CDSRC in Tianfu Cup 2020 International Cybersecurity Contest (CVE-2021-21037)
  • Will Dormann of CERT/CC (CVE-2021-21045)
  • Xuwei Liu (shellway) (CVE-2021-21046)
  • 胖 in Tianfu Cup 2020 International Cybersecurity Contest (CVE-2021-21040)
  • 360政企安全漏洞研究院 in Tianfu Cup 2020 International Cybersecurity Contest (CVE-2021-21039)
  • 蚂蚁安全光年实验室基础研究小组 in Tianfu Cup 2020 International Cybersecurity Contest (CVE-2021-21038)
  • CodeMaster in Tianfu Cup 2020 International Cybersecurity Contest (CVE-2021-21036)
  • Xinyu Wan (wxyxsx) (CVE-2021-21057)
  • Haboob Labs (CVE-2021-21060)
  • Ken Hsu of Palo Alto Networks (CVE-2021-21058)
  • Ken Hsu of Palo Alto Networks, Heige (a.k.a. SuperHei) of Knownsec 404 Team (CVE-2021-21059)
  • Ken Hsu, Bo Qu of Palo Alto Networks (CVE-2021-21062)
  • Ken Hsu, Zhibin Zhang of Palo Alto Networks (CVE-2021-21063)
  • Mateusz Jurczyk from Google Project Zero (CVE-2021-21086)
  • Simon Rohlmann, Vladislav Mladenov, Christian Mainka and Jörg Schwenk, Chair for Network and Data Security, Ruhr University Bochum (CVE-2021-28545, CVE-2021-28546)

February 10, 2021: Updated acknowledgements for CVE-2021-21058, CVE-2021-21059, CVE-2021-21062, CVE-2021-21063.

March 10, 2021: Updated acknowledgement for CVE-2021-21035, CVE-2021-21033, CVE-2021-21028, CVE-2021-21021.

March 17, 2021: Added details for CVE-2021-21086, CVE-2021-21088 and CVE-2021-21089.

March 26, 2021: Added details for CVE-2021-28545 and CVE-2021-28546.

September 29, 2021: Added details for CVE-2021-40723.
