Headline
CVE-2021-28561: Adobe Security Bulletin
Acrobat Reader DC versions versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and 2017.011.30194 (and earlier) are affected by a memory corruption vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Security update available for Adobe Acrobat and Reader | APSB21-29
Bulletin ID
Date Published
Priority
APSB21-29
May 11, 2021
1
Summary
Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.
Adobe has received a report that CVE-2021-28550 has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows.
Affected Versions
Product
Track
Affected Versions
Platform
Acrobat DC
Continuous
2021.001.20150 and earlier versions
Windows
Acrobat Reader DC
Continuous
2021.001.20150 and earlier versions
Windows
Acrobat DC
Continuous
2021.001.20149 and earlier
versions
macOS
Acrobat Reader DC
Continuous
2021.001.20149 and earlier
versions
macOS
Acrobat 2020
Classic 2020
2020.001.30020 and earlier versions
Windows & macOS
Acrobat Reader 2020
Classic 2020
2020.001.30020 and earlier versions
Windows & macOS
Acrobat 2017
Classic 2017
2017.011.30194 and earlier versions
Windows & macOS
Acrobat Reader 2017
Classic 2017
2017.011.30194 and earlier versions
Windows & macOS
Solution
Adobe recommends users update their software installations to the latest versions by following the instructions below.
The latest product versions are available to end users via one of the following methods:
Users can update their product installations manually by choosing Help > Check for Updates.
The products will update automatically, without requiring user intervention, when updates are detected.
The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.
For IT administrators (managed environments):
Refer to the specific release note version for links to installers.
Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:
Product
Track
Updated Versions
Platform
Priority Rating
Availability
Acrobat DC
Continuous
2021.001.20155
Windows and macOS
1
Release Notes
Acrobat Reader DC
Continuous
2021.001.20155
Windows and macOS
1
Release Notes
Acrobat 2020
Classic 2020
2020.001.30025
Windows and macOS
1
Release Notes
Acrobat Reader 2020
Classic 2020
2020.001.30025
Windows and macOS
1
Release Notes
Acrobat 2017
Classic 2017
2017.011.30196
Windows and macOS
1
Release Notes
Acrobat Reader 2017
Classic 2017
2017.011.30196
Windows and macOS
1
Release Notes
Vulnerability Details
Vulnerability Category
Vulnerability Impact
Severity
CVE Number
Out-of-bounds Write
Arbitrary code execution
Important
CVE-2021-28561
Heap-based Buffer Overflow
Arbitrary code execution
Critical
CVE-2021-28560
Heap-based Buffer Overflow
Arbitrary code execution
Important
CVE-2021-28558
Out-of-bounds Read
Memory leak
Critical
CVE-2021-28557
Out-of-bounds Read
Arbitrary file system read
Important
CVE-2021-28555
Out-of-bounds Read
Arbitrary code execution
Critical
CVE-2021-28565
Out-of-bounds Write
Arbitrary code execution
Critical
CVE-2021-28564
Out-of-bounds Write
Arbitrary code execution
Critical
CVE-2021-21044
CVE-2021-21038
Exposure of Private Information
Privilege escalation
Important
CVE-2021-28559
Use After Free
Arbitrary code execution
Critical
CVE-2021-28562
CVE-2021-28550
CVE-2021-28553
Acknowledgements
Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers.
- Anonymously reported (CVE-2021-28550)
- Aleksandar Nikolic of Cisco Talos. (CVE-2021-28562)
- Xu peng (xupeng_1231) (CVE-2021-28561)
- chutchut (CVE-2021-28559)
- fr0zenrain of Baidu Security (CVE-2021-28560)
- Haboob Labs (CVE-2021-28557, CVE-2021-28564, CVE-2021-28565, CVE-2021-28553, , CVE-2021-28558, CVE-2021-28555)
Related news
A cyber mercenary that "ostensibly sells general security and information analysis services to commercial customers" used several Windows and Adobe zero-day exploits in limited and highly-targeted attacks against European and Central American entities. The company, which Microsoft describes as a private-sector offensive actor (PSOA), is an Austria-based outfit called DSIRF that's linked to the
Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a heap-based buffer overflow vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.