Headline
CVE-2019-8038: Adobe Security Bulletin
Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
Security bulletin for Adobe Acrobat and Reader | APSB19-41
Bulletin ID
Date Published
Priority
APSB19-41
August 13, 2019
2
Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.
These updates will address important vulnerabilities in the software. Adobe will be assigning the following priority ratings to these updates:
Adobe recommends users update their software installations to the latest versions by following the instructions below.
The latest product versions are available to end users via one of the following methods:
Users can update their product installations manually by choosing Help > Check for Updates.
The products will update automatically, without requiring user intervention, when updates are detected.
The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.
For IT administrators (managed environments):
Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers.
Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:
Vulnerability Category
Vulnerability Impact
Severity
CVE Number
Out-of-Bounds Read
Information Disclosure
Important
CVE-2019-8077
CVE-2019-8094
CVE-2019-8095
CVE-2019-8096
CVE-2019-8102
CVE-2019-8103
CVE-2019-8104
CVE-2019-8105
CVE-2019-8106
CVE-2019-8002
CVE-2019-8004
CVE-2019-8005
CVE-2019-8007
CVE-2019-8010
CVE-2019-8011
CVE-2019-8012
CVE-2019-8018
CVE-2019-8020
CVE-2019-8021
CVE-2019-8032
CVE-2019-8035
CVE-2019-8037
CVE-2019-8040
CVE-2019-8043
CVE-2019-8052
Out-of-Bounds Write
Arbitrary Code Execution
Important
CVE-2019-8098
CVE-2019-8100
CVE-2019-7965
CVE-2019-8008
CVE-2019-8009
CVE-2019-8016
CVE-2019-8022
CVE-2019-8023
CVE-2019-8027
Command Injection
Arbitrary Code Execution
Important
CVE-2019-8060
Use After Free
Arbitrary Code Execution
Important
CVE-2019-8003
CVE-2019-8013
CVE-2019-8024
CVE-2019-8025
CVE-2019-8026
CVE-2019-8028
CVE-2019-8029
CVE-2019-8030
CVE-2019-8031
CVE-2019-8033
CVE-2019-8034
CVE-2019-8036
CVE-2019-8038
CVE-2019-8039
CVE-2019-8047
CVE-2019-8051
CVE-2019-8053
CVE-2019-8054
CVE-2019-8055
CVE-2019-8056
CVE-2019-8057
CVE-2019-8058
CVE-2019-8059
CVE-2019-8061
CVE-2019-8257
Heap Overflow
Arbitrary Code Execution
Important
CVE-2019-8066
CVE-2019-8014
CVE-2019-8015
CVE-2019-8041
CVE-2019-8042
CVE-2019-8046
CVE-2019-8049
CVE-2019-8050
Buffer Error
Arbitrary Code Execution
Important
CVE-2019-8048
Double Free
Arbitrary Code Execution
Important
CVE-2019-8044
Integer Overflow
Information Disclosure
Important
CVE-2019-8099
CVE-2019-8101
Internal IP Disclosure
Information Disclosure
Important
CVE-2019-8097
Type Confusion
Arbitrary Code Execution
Important
CVE-2019-8019
CVE-2019-8249
CVE-2019-8250
Untrusted Pointer Dereference
Arbitrary Code Execution
Important
CVE-2019-8006
CVE-2019-8017
CVE-2019-8045
Insufficiently Robust Encryption
Security feature bypass
Critical
CVE-2019-8237
Type Confusion
Information Disclosure
Important
CVE-2019-8251
CVE-2019-8252
Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:
- Dhanesh Kizhakkinan of FireEye Inc. (CVE-2019-8066)
- Xu Peng and Su Purui from TCA/SKLCS Institute of Software Chinese Academy of Sciences and Codesafe Team of Legendsec at Qi’anxin Group (CVE-2019-8029, CVE-2019-8030, CVE-2019-8031)
- (A.K.) Karim Zidani, Independent Security Researcher ; https://imAK.xyz/ (CVE-2019-8097)
- Anonymous working with Trend Micro Zero Day Initiative (CVE-2019-8033, CVE-2019-8037)
- BUGFENSE Anonymous Bug Bounties https://bugfense.io (CVE-2019-8015)
- Haikuo Xie of Baidu Security Lab working with Trend Micro Zero Day Initiative (CVE-2019-8035, CVE-2019-8257)
- Wei Lei of STAR Labs (CVE-2019-8009, CVE-2019-8018, CVE-2019-8010, CVE-2019-8011)
- Li Qi(@leeqwind) & Wang Lei(@CubestoneW) & Liao Bangjie(@b1acktrac3) of Qihoo360 CoreSecurity(@360CoreSec) (CVE-2019-8012)
- Ke Liu of Tencent Security Xuanwu Lab (CVE-2019-8094, CVE-2019-8095, CVE-2019-8096, CVE-2019-8004, CVE-2019-8005, CVE-2019-8006, CVE-2019-8077, CVE-2019-8003, CVE-2019-8020, CVE-2019-8021, CVE-2019-8022, CVE-2019-8023)
- Haikuo Xie of Baidu Security Lab (CVE-2019-8032, CVE-2019-8036)
- ktkitty (https://ktkitty.github.io) working with Trend Micro Zero Day Initiative (CVE-2019-8014)
- Mat Powell of Trend Micro Zero Day Initiative (CVE-2019-8008, CVE-2019-8051, CVE-2019-8053, CVE-2019-8054, CVE-2019-8056, CVE-2019-8057, CVE-2019-8058, CVE-2019-8059)
- Mateusz Jurczyk of Google Project Zero (CVE-2019-8041, CVE-2019-8042, CVE-2019-8043, CVE-2019-8044, CVE-2019-8045, CVE-2019-8046, CVE-2019-8047, CVE-2019-8048, CVE-2019-8049, CVE-2019-8050, CVE-2019-8016, CVE-2019-8017)
- Michael Bourque (CVE-2019-8007)
- peternguyen working with Trend Micro Zero Day Initiative (CVE-2019-8013, CVE-2019-8034)
- Simon Zuckerbraun of Trend Micro Zero Day Initiative (CVE-2019-8027)
- Steven Seeley (mr_me) of Source Incite working with Trend Micro Zero Day Initiative (CVE-2019-8019)
- Steven Seeley (mr_me) of Source Incite working with iDefense Labs(https://vcp.idefense.com/) (CVE-2019-8098, CVE-2019-8099, CVE-2019-8100, CVE-2019-8101, CVE-2019-8102, CVE-2019-8103, CVE-2019-8104, CVE-2019-8106, CVE-2019-7965, CVE-2019-8105)
- willJ working with Trend Micro Zero Day Initiative (CVE-2019-8040, CVE-2019-8052)
- Esteban Ruiz (mr_me) of Source Incite working with iDefense Labs(https://vcp.idefense.com/) (CVE-2019-8002)
- Bo Qu of Palo Alto Networks and Heige of Knownsec 404 Security Team (CVE-2019-8024, CVE-2019-8061, CVE-2019-8055)
- Zhaoyan Xu, Hui Gao of Palo Alto Networks (CVE-2019-8026, CVE-2019-8028)
- Lexuan Sun, Hao Cai of Palo Alto Networks (CVE-2019-8025)
- Bit of STARLabs working with Trend Micro Zero Day Initiative (CVE-2019-8038, CVE-2019-8039)
- Zhongcheng Li (CK01) of Topsec Alpha Team (CVE-2019-8060)
- Jens Müller (CVE-2019-8237)
- Steven Seeley (mr_me) of Source Incite (CVE-2019-8249, CVE-2019-8250, CVE-2019-8251, CVE-2019-8252)
August 14, 2019: Added acknowledgement for CVE-2019-8016 & CVE-2019-8017.
August 22, 2019: Updated CVE id from CVE-2019-7832 to CVE-2019-8066.
September 26, 2019: Added acknowledgement for CVE-2019-8060.
October 23, 2019: Inlcuded details about CVE-2019-8237.
November 19, 2019: Included details about CVE-2019-8249, CVE-2019-8250, CVE-2019-8251, CVE-2019-8252
December 10, 2019: Inlcuded details about CVE-2019-8257.