Adobe Security Bulletin

Security update available  for Adobe Acrobat and Reader | APSB21-51

Bulletin ID

Date Published

Priority

APSB21-51

July 13, 2021

2

Summary

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.

 

Affected Versions

Product

Track

Affected Versions

Platform

Acrobat DC 

Continuous 

2021.005.20054 and earlier versions          

Windows and macOS

Acrobat Reader DC

Continuous 

2021.005.20054 and earlier versions          

Windows and macOS

 

 

 

 

Acrobat 2020

Classic 2020           

2020.004.30005 and earlier versions

Windows & macOS

Acrobat Reader 2020

Classic 2020           

2020.004.30005 and earlier versions

Windows & macOS

 

 

 

 

Acrobat 2017

Classic 2017

2017.011.30197  and earlier versions          

Windows & macOS

Acrobat Reader 2017

Classic 2017

2017.011.30197  and earlier versions          

Windows & macOS

Solution

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

  • Users can update their product installations manually by choosing Help > Check for Updates.     

  • The products will update automatically, without requiring user intervention, when updates are detected.      

  • The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     

For IT administrators (managed environments):     

  • Refer to the specific release note version for links to installers.     

  • Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     

   

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

Product

Track

Updated Versions

Platform

Priority Rating

Availability

Acrobat DC

Continuous

2021.005.20058       

Windows and macOS

2

Acrobat Reader DC

Continuous

2021.005.20058  

Windows and macOS

2

Release Notes     

 

 

 

 

 

 

Acrobat 2020

Classic 2020           

2020.004.30006 

Windows and macOS     

2

Acrobat Reader 2020

Classic 2020           

2020.004.30006 

Windows and macOS     

2

 

 

 

 

 

 

Acrobat 2017

Classic 2017

2017.011.30199 

Windows and macOS

2

Acrobat Reader 2017

Classic 2017

2017.011.30199  

Windows and macOS

2

Vulnerability Details

Vulnerability Category Vulnerability Impact Severity CVSS base score 
CVSS vector
CVE Number

Out-of-bounds Read 

(CWE-125

Memory leak Important
3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-35988

CVE-2021-35987

Path Traversal

(CWE-22)

Arbitrary code execution
Critical
7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-35980

CVE-2021-28644

Use After Free

(CWE-416)

Arbitrary code execution 
Critical
7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2021-28640

Type Confusion

(CWE-843)

Arbitrary code execution 
Critical
7.8 
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-28643

Use After Free

(CWE-416)

Arbitrary code execution 
Critical
8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-28641

CVE-2021-28639

Out-of-bounds Write

(CWE-787)

Arbitrary file system write
Critical
8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-28642

Out-of-bounds Read

(CWE-125)

Memory leak
Critical
7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-28637

Type Confusion

(CWE-843)

Arbitrary file system read
Important
4.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE-2021-35986

Heap-based Buffer Overflow

(CWE-122)

Arbitrary code execution 
Critical
8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-28638

NULL Pointer Dereference

(CWE-476)

Application denial-of-service
Important
5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2021-35985

CVE-2021-35984

Uncontrolled Search Path Element

(CWE-427)

Arbitrary code execution 
Critical
7.3
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2021-28636

OS Command Injection

(CWE-78)

Arbitrary code execution 
Critical
8.2
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CVE-2021-28634

Use After Free 

(CWE-416)

Arbitrary code execution 
Critical
7.8 
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 

CVE-2021-35983

CVE-2021-35981

CVE-2021-28635

Acknowledgements

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:   

  • Nipun Gupta , Ashfaq Ansari and Krishnakant Patil - CloudFuzz working with Trend Micro Zero Day Initiative (CVE-2021-35983) 
  • Xu Peng from UCAS and Wang Yanhao from QiAnXin Technology Research Institute working with Trend Micro Zero Day Initiative (CVE-2021-35981, CVE-2021-28638)
  • Habooblabs (CVE-2021-35980, CVE-2021-28644, CVE-2021-35988, CVE-2021-35987, CVE-2021-28642, CVE-2021-28641, CVE-2021-35985, CVE-2021-35984, CVE-2021-28637)
  • Anonymous working with Trend Micro Zero Day Initiative (CVE-2021-28643, CVE-2021-35986)
  • o0xmuhe (CVE-2021-28640)
  • Kc Udonsi (@glitchnsec) of Trend Micro Security Research working with Trend Micro Zero Day Initiative (CVE-2021-28639)
  • Noah (howsubtle) (CVE-2021-28634)
  • xu peng (xupeng_1231) (CVE-2021-28635)
  • Xavier Invers Fornells (m4gn3t1k) (CVE-2021-28636)

Revisions

July 14, 2021: Updated acknowledgement details for CVE-2021-28640.

July 15, 2021: Updated acknowledgement details for CVE-2021-35981.

July 29, 2021: Updated the CVSS base score and the CVSS vector for CVE-2021-28640, CVE-2021-28637, CVE-2021-28636.
July 29, 2021: Updated the Vulnerability Impact, Severity, CVSS base score and the CVSS vector for CVE-2021-35988, CVE-2021-35987, CVE-2021-35987, CVE-2021-28644



 

 


For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

Get help faster and easier

New user?