Adobe Security Bulletin

Security Updates Available for Adobe Framemaker | APSB21-74

Bulletin ID

Date Published

Priority

APSB21-74

September 14, 2021    

3

Summary

Adobe has released a security update for Adobe Framemaker. This update addresses one moderate, one important and multiple critical vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.              

Affected Versions

Product

Version

Platform

Adobe Framemaker

2019 Update 8 and earlier

Windows

Adobe Framemaker

2020 Release Update 2 and earlier    

Windows

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product

Version

Platform

Priority

Availability

Adobe Framemaker

2019 Release Update 8
(hotfix)

Windows

3

Adobe Framemaker

2020 Release Update 3

Windows

3

Vulnerability details

Vulnerability Category

Vulnerability Impact

Severity

CVSS base score 

CVE Numbers

Use After Free

(CWE-416)

Arbitrary file system read

Important

4.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-39835

Out-of-bounds Read

(CWE-125)

Arbitrary file system read

Moderate

3.3

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-40697

Out-of-bounds Read

(CWE-125)

Arbitrary file system read

Important

4.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-39833

CVE-2021-39834

Access of Memory Location After End of Buffer

(CWE-788)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-39832

Access of Memory Location After End of Buffer

(CWE-788)

Arbitrary code execution

Critical

8.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-39830

Out-of-bounds Write

(CWE-787)

Arbitrary code execution

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2021-39829

CVE-2021-39831

Out-of-bounds Read

(CWE-125)

Privilege escalation

Important

4.0

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE-2021-39862

CVE-2021-39865

Acknowledgments

Adobe would like to thank the following Initiative for reporting the relevant issues and for working with Adobe to help protect our customers:

  • Tran Van Khang - khangkito (VinCSS) working with Trend Micro Zero Day (CVE-2021-39829, CVE-2021-39830, CVE-2021-39831)
  • Mat Powell of Trend Micro Zero Day Initiative (CVE-2021-39832, CVE-2021-39833, CVE-2021-39834, CVE-2021-39835, CVE-2021-40697, CVE-2021-39862, CVE-2021-39865)

Revisions

January 05, 2022: Tech Note linked to proper page

September 22, 2021: Included details for CVE-2021-39862 and CVE-2021-39865.


For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com

Get help faster and easier

New user?