Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.3092
Security bulletin for Adobe Acrobat and Reader | APSB19-41
14 August 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Adobe Acrobat and Reader
Publisher: Adobe
Operating System: Windows
OS X
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2019-8106 CVE-2019-8105 CVE-2019-8104
CVE-2019-8103 CVE-2019-8102 CVE-2019-8101
CVE-2019-8100 CVE-2019-8099 CVE-2019-8098
CVE-2019-8097 CVE-2019-8096 CVE-2019-8095
CVE-2019-8094 CVE-2019-8077 CVE-2019-8061
CVE-2019-8060 CVE-2019-8059 CVE-2019-8058
CVE-2019-8057 CVE-2019-8056 CVE-2019-8055
CVE-2019-8054 CVE-2019-8053 CVE-2019-8052
CVE-2019-8051 CVE-2019-8050 CVE-2019-8049
CVE-2019-8048 CVE-2019-8047 CVE-2019-8046
CVE-2019-8045 CVE-2019-8044 CVE-2019-8043
CVE-2019-8042 CVE-2019-8041 CVE-2019-8040
CVE-2019-8039 CVE-2019-8038 CVE-2019-8037
CVE-2019-8036 CVE-2019-8035 CVE-2019-8034
CVE-2019-8033 CVE-2019-8032 CVE-2019-8031
CVE-2019-8030 CVE-2019-8029 CVE-2019-8028
CVE-2019-8027 CVE-2019-8026 CVE-2019-8025
CVE-2019-8024 CVE-2019-8023 CVE-2019-8022
CVE-2019-8021 CVE-2019-8020 CVE-2019-8019
CVE-2019-8018 CVE-2019-8017 CVE-2019-8016
CVE-2019-8015 CVE-2019-8014 CVE-2019-8013
CVE-2019-8012 CVE-2019-8011 CVE-2019-8010
CVE-2019-8009 CVE-2019-8008 CVE-2019-8007
CVE-2019-8006 CVE-2019-8005 CVE-2019-8004
CVE-2019-8003 CVE-2019-8002 CVE-2019-7965
CVE-2019-7832
Reference: ESB-2019.1721
Original Bulletin:
https://helpx.adobe.com/security/products/acrobat/apsb19-41.html
- --------------------------BEGIN INCLUDED TEXT--------------------
Adobe Security Bulletin
Security bulletin for Adobe Acrobat and Reader | APSB19-41
+------------------------+---------------------------------+------------------+
| Bulletin ID | Date Published | Priority |
+------------------------+---------------------------------+------------------+
|APSB19-41 |August 13, 2019 |2 |
+------------------------+---------------------------------+------------------+
Summary
Adobe has released security updates for Adobe Acrobat and Reader for Windows
and macOS. These updates address important vulnerabilities. Successful
exploitation could lead to arbitrary code execution in the context of the
current user.
Affected Versions
These updates will address important vulnerabilities in the software. Adobe
will be assigning the following priority ratings to these updates:
+------------------+------------+------------------------------------+--------+
| Product | Track | Affected Versions |Platform|
+------------------+------------+------------------------------------+--------+
|Acrobat DC |Continuous |2019.012.20034 and earlier versions |macOS |
| | | | |
+------------------+------------+------------------------------------+--------+
|Acrobat DC |Continuous |2019.012.20035 and earlier versions |Windows |
+------------------+------------+------------------------------------+--------+
|Acrobat Reader DC |Continuous |2019.012.20034 and earlier versions |macOS |
| | | | |
+------------------+------------+------------------------------------+--------+
|Acrobat Reader DC |Continuous |2019.012.20035 and earlier versions |Windows |
+------------------+------------+------------------------------------+--------+
| | | | |
+------------------+------------+------------------------------------+--------+
|Acrobat DC |Classic 2017|2017.011.30142 and earlier |macOS |
| | |versions | |
+------------------+------------+------------------------------------+--------+
|Acrobat DC |Classic 2017|2017.011.30143 and earlier versions |Windows |
+------------------+------------+------------------------------------+--------+
|Acrobat Reader DC |Classic 2017|2017.011.30142 and earlier |macOS |
| | |versions | |
+------------------+------------+------------------------------------+--------+
|Acrobat Reader DC |Classic 2017|2017.011.30143 and earlier versions |Windows |
+------------------+------------+------------------------------------+--------+
| | | | |
+------------------+------------+------------------------------------+--------+
|Acrobat DC |Classic 2015|2015.006.30497 and earlier versions |macOS |
+------------------+------------+------------------------------------+--------+
|Acrobat DC |Classic 2015|2015.006.30498 and earlier versions |Windows |
+------------------+------------+------------------------------------+--------+
|Acrobat Reader DC |Classic 2015|2015.006.30497 and earlier versions |macOS |
+------------------+------------+------------------------------------+--------+
|Acrobat Reader DC |Classic 2015|2015.006.30498 and earlier versions |Windows |
+------------------+------------+------------------------------------+--------+
For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page.
For questions regarding Acrobat Reader DC, please visit the Acrobat Reader DC
FAQ page.
Solution
Adobe recommends users update their software installations to the latest
versions by following the instructions below.
The latest product versions are available to end users via one of the following
methods:
o Users can update their product installations manually by choosing Help >
Check for Updates.
o The products will update automatically, without requiring user
intervention, when updates are detected.
o The full Acrobat Reader installer can be downloaded from the Acrobat Reader
Download Center.
For IT administrators (managed environments):
o Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or
refer to the specific release note version for links to installers.
o Install updates via your preferred methodology, such as AIP-GPO,
bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and
SSH.
Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version:
+---------------+----------+--------------+-----------+----------+------------+
| Product | Track | Updated | Platform | Priority |Availability|
| | | Versions | | Rating | |
+---------------+----------+--------------+-----------+----------+------------+
| | | |Windows and| |Windows |
|Acrobat DC |Continuous|2019.012.20036|macOS |2 | |
| | | | | |macOS |
+---------------+----------+--------------+-----------+----------+------------+
| | | | | |Windows |
|Acrobat Reader |Continuous|2019.012.20036|Windows and|2 | |
|DC | | |macOS | | |
| | | | | |macOS |
+---------------+----------+--------------+-----------+----------+------------+
| | | | | | |
+---------------+----------+--------------+-----------+----------+------------+
| |Classic | |Windows and| |Windows |
|Acrobat 2017 |2017 |2017.011.30144|macOS |2 | |
| | | | | |macOS |
+---------------+----------+--------------+-----------+----------+------------+
|Acrobat Reader |Classic | |Windows and| |Windows |
|DC 2017 |2017 |2017.011.30144|macOS |2 | |
| | | | | |macOS |
+---------------+----------+--------------+-----------+----------+------------+
| | | | | | |
+---------------+----------+--------------+-----------+----------+------------+
| |Classic | |Windows and| |Windows |
|Acrobat DC |2015 |2015.006.30499|macOS |2 | |
| | | | | |macOS |
+---------------+----------+--------------+-----------+----------+------------+
|Acrobat Reader |Classic | |Windows and| |Windows |
|DC |2015 |2015.006.30499|macOS |2 | |
| | | | | |macOS |
+---------------+----------+--------------+-----------+----------+------------+
Vulnerability Details
+----------------------+----------------------+------------+------------------+
| Vulnerability | Vulnerability Impact | Severity | CVE Number |
| Category | | | |
+----------------------+----------------------+------------+------------------+
| | | |CVE-2019-8077 |
| | | | |
| | | |CVE-2019-8094 |
| | | | |
| | | |CVE-2019-8095 |
| | | | |
| | | |CVE-2019-8096 |
| | | | |
| | | |CVE-2019-8102 |
| | | | |
| | | |CVE-2019-8103 |
| | | | |
| | | |CVE-2019-8104 |
| | | | |
| | | |CVE-2019-8105 |
| | | | |
| | | |CVE-2019-8106 |
| | | | |
| | | |CVE-2019-8002 |
| | | | |
| | | |CVE-2019-8004 |
| |Information | | |
|Out-of-Bounds Read |Disclosure |Important |CVE-2019-8005 |
| | | | |
| | | |CVE-2019-8007 |
| | | | |
| | | |CVE-2019-8010 |
| | | | |
| | | |CVE-2019-8011 |
| | | | |
| | | |CVE-2019-8012 |
| | | | |
| | | |CVE-2019-8018 |
| | | | |
| | | |CVE-2019-8020 |
| | | | |
| | | |CVE-2019-8021 |
| | | | |
| | | |CVE-2019-8032 |
| | | | |
| | | |CVE-2019-8035 |
| | | | |
| | | |CVE-2019-8037 |
| | | | |
| | | |CVE-2019-8040 |
| | | | |
| | | |CVE-2019-8043 |
| | | | |
| | | |CVE-2019-8052 |
+----------------------+----------------------+------------+------------------+
| | | |CVE-2019-8098 |
| | | | |
| | | |CVE-2019-8100 |
| | | | |
| | | |CVE-2019-7965 |
| |Arbitrary Code | | |
|Out-of-Bounds Write |Execution |Important |CVE-2019-8008 |
| | | | |
| | | |CVE-2019-8009 |
| | | | |
| | | |CVE-2019-8016 |
| | | | |
| | | |CVE-2019-8022 |
| | | | |
| | | |CVE-2019-8023 |
| | | | |
| | | |CVE-2019-8027 |
+----------------------+----------------------+------------+------------------+
|Command Injection |Arbitrary Code |Important |CVE-2019-8060 |
| |Execution | | |
+----------------------+----------------------+------------+------------------+
| | | |CVE-2019-8003 |
| | | | |
| | | |CVE-2019-8013 |
| | | | |
| | | |CVE-2019-8024 |
| | | | |
| | | |CVE-2019-8025 |
| | | | |
| | | |CVE-2019-8026 |
| | | | |
| | | |CVE-2019-8028 |
| | | | |
| | | |CVE-2019-8029 |
| | | | |
| | | |CVE-2019-8030 |
| | | | |
| | | |CVE-2019-8031 |
| | | | |
| | | |CVE-2019-8033 |
| | | | |
| |Arbitrary Code | |CVE-2019-8034 |
|Use After Free |Execution |Important | |
| | | |CVE-2019-8036 |
| | | | |
| | | |CVE-2019-8038 |
| | | | |
| | | |CVE-2019-8039 |
| | | | |
| | | |CVE-2019-8047 |
| | | | |
| | | |CVE-2019-8051 |
| | | | |
| | | |CVE-2019-8053 |
| | | | |
| | | |CVE-2019-8054 |
| | | | |
| | | |CVE-2019-8055 |
| | | | |
| | | |CVE-2019-8056 |
| | | | |
| | | |CVE-2019-8057 |
| | | |CVE-2019-8058 |
| | | | |
| | | |CVE-2019-8059 |
| | | | |
| | | |CVE-2019-8061 |
| | | | |
+----------------------+----------------------+------------+------------------+
| | | |CVE-2019-7832 |
| | | | |
| | | |CVE-2019-8014 |
| | | | |
| |Arbitrary Code | |CVE-2019-8015 |
|Heap Overflow |Execution |Important | |
| | | |CVE-2019-8041 |
| | | | |
| | | |CVE-2019-8042 |
| | | | |
| | | |CVE-2019-8046 |
| | | | |
| | | |CVE-2019-8049 |
| | | | |
| | | |CVE-2019-8050 |
+----------------------+----------------------+------------+------------------+
|Buffer Error |Arbitrary Code | Important |CVE-2019-8048 |
| |Execution | | |
+----------------------+----------------------+------------+------------------+
|Double Free |Arbitrary Code |Important |CVE-2019-8044 |
| |Execution | | |
+----------------------+----------------------+------------+------------------+
| | | |CVE-2019-8099 |
|Integer Overflow |Information Disclosure|Important | |
| | | |CVE-2019-8101 |
+----------------------+----------------------+------------+------------------+
|Internal IP Disclosure| |Important |CVE-2019-8097 |
+----------------------+----------------------+------------+------------------+
|Type Confusion |Arbitrary Code |Important |CVE-2019-8019 |
| |Execution | | |
+----------------------+----------------------+------------+------------------+
|Untrusted Pointer |Arbitrary Code |Important |CVE-2019-8006 |
|Dereference |Execution | | |
| | | |CVE-2019-8017 |
| | | | |
| | | |CVE-2019-8045 |
| | | | |
+----------------------+----------------------+------------+------------------+
Acknowledgements
Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect our
customers:
o Dhanesh Kizhakkinan of FireEye Inc. (CVE-2019-7832)
o Xu Peng and Su Purui from TCA/SKLCS Institute of Software Chinese Academy
of Sciences and Codesafe Team of Legendsec at Qi'anxin Group
(CVE-2019-8029, CVE-2019-8030, CVE-2019-8031)
o (A.K.) Karim Zidani, Independent Security Researcher ; https://imAK.xyz/
(CVE-2019-8097)
o Anonymous working with Trend Micro Zero Day Initiative
(CVE-2019-8033, CVE-2019-8037)
o BUGFENSE Anonymous Bug Bounties https://bugfense.io (CVE-2019-8015)
o Haikuo Xie of Baidu Security Lab working with Trend Micro Zero Day
Initiative (CVE-2019-8035)
o Wei Lei of STAR Labs (CVE-2019-8009, CVE-2019-8018, CVE-2019-8010,
CVE-2019-8011)
o Li Qi(@leeqwind) & Wang Lei(@CubestoneW) & Liao Bangjie(@b1acktrac3) of
Qihoo360 CoreSecurity(@360CoreSec) (CVE-2019-8012)
o Ke Liu of Tencent Security Xuanwu Lab (CVE-2019-8094, CVE-2019-8095,
CVE-2019-8096, CVE-2019-8004, CVE-2019-8005, CVE-2019-8006, CVE-2019-8077,
CVE-2019-8003, CVE-2019-8020, CVE-2019-8021, CVE-2019-8022, CVE-2019-8023)
o Haikuo Xie of Baidu Security Lab (CVE-2019-8032, CVE-2019-8036)
o ktkitty (https://ktkitty.github.io) working with Trend Micro Zero
Day Initiative (CVE-2019-8014)
o Mat Powell of Trend Micro Zero Day Initiative
(CVE-2019-8008, CVE-2019-8051, CVE-2019-8053, CVE-2019-8054, CVE-2019-8056,
CVE-2019-8057, CVE-2019-8058, CVE-2019-8059)
o Mateusz Jurczyk of Google Project Zero (CVE-2019-8041, CVE-2019-8042,
CVE-2019-8043, CVE-2019-8044, CVE-2019-8045, CVE-2019-8046, CVE-2019-8047,
CVE-2019-8048, CVE-2019-8049, CVE-2019-8050)
o Michael Bourque (CVE-2019-8007)
o peternguyen working with Trend Micro Zero Day Initiative
(CVE-2019-8013, CVE-2019-8034)
o Simon Zuckerbraun of Trend Micro Zero Day Initiative (CVE-2019-8027)
o Steven Seeley of Trend Micro Zero Day Initiative (CVE-2019-8019)
o Steven Seeley (mr_me) of Source Incite working with iDefense Labs(https://
vcp.idefense.com/) (CVE-2019-8098, CVE-2019-8099, CVE-2019-8100,
CVE-2019-8101, CVE-2019-8102, CVE-2019-8103, CVE-2019-8104, CVE-2019-8106,
CVE-2019-7965, CVE-2019-8105)
o willJ working with Trend Micro Zero Day Initiative
(CVE-2019-8040, CVE-2019-8052)
o Esteban Ruiz (mr_me) of Source Incite working with iDefense Labs(https://
vcp.idefense.com/) (CVE-2019-8002)
o Bo Qu of Palo Alto Networks and Heige of Knownsec 404 Security Team
(CVE-2019-8024, CVE-2019-8061, CVE-2019-8055)
o Zhaoyan Xu, Hui Gao of Palo Alto Networks (CVE-2019-8026, CVE-2019-8028)
o Lexuan Sun, Hao Cai of Palo Alto Networks (CVE-2019-8025)
o Bit of STARLabs working with Trend Micro Zero Day Initiative
(CVE-2019-8038, CVE-2019-8039)
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXVNVHGaOgq3Tt24GAQhSCxAAoQMsYYFEFc+MvSDiHzAUclkD6/Ura9Y8
HJ61z3SFtaxNE46GS4lJH1oiH8H3Re9LLZFdQ5MhymWQCBRMm2wP5iWURCzEN8O0
W4tYcDrHU/dWsfX6LdK1mxG/dJX/kBwHaA8tpjbHTdrVIKGKyylBLwD8qdokEb/H
iVXPndXQ/Cobx6gy7StthxOXg/PVFuhxXlLtPQ9FO0JUqSudvy9l+8ehkocz1vY7
g29dn6lKYQx28+kX2XtYT6H7NUlnCIoTyhaS4lpMvwoiTOh8cyJ86hdrk0IanASz
Ncm//haAGUVk30WwI/UKbuKnO2CX83wG079c1gazrmnxCmrRArLk0APKTgwTAGPm
a+crsFvvcTlioRgK2x5BZ2k7turJgAVJ7aTPXgul+FaO4a+PU1XZ1KqphWCjo/EA
A2UB4OLPVDrprHUfEjtzbNxk6wxLpT6kCR5fV6fnyjJlsDHJWXRHEiVeHG8Xicgy
lYgxcqYOuJ+O7hrtgQhO4NQ7oUFSJao24/ngaIHWY2UVOOgmZFGStBzDT3yP+4vd
UwPvIWGdpbpeR2LC1WG2BRVkDbDC12Ui28ycz/+APhmi0DjK8T87rX1Cz4XM/Dzc
W7LqxWOUjk9vWy/DJSXGGODRRQD/OZuhQkn3BIeqZzxt+dDNM+qTRlxZu1yQsoiV
iUaJq/E5+os=
=00lZ
-----END PGP SIGNATURE-----