-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.0138
    APSB23-01 : Security update available for Adobe Acrobat and Reader
                              11 January 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Acrobat and Reader
Publisher:         Adobe
Operating System:  Windows
                   macOS
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-21614 CVE-2023-21613 CVE-2023-21612
                   CVE-2023-21611 CVE-2023-21610 CVE-2023-21609
                   CVE-2023-21608 CVE-2023-21607 CVE-2023-21606
                   CVE-2023-21605 CVE-2023-21604 CVE-2023-21586
                   CVE-2023-21585 CVE-2023-21581 CVE-2023-21579
                   CVE-2022-38437

Original Bulletin: 
   https://helpx.adobe.com/security/products/acrobat/apsb23-01.html

Comment: CVSS (Max):  7.8 CVE-2023-21610 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
         CVSS Source: Adobe
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

Security update available for Adobe Acrobat and Reader | APSB23-01

Bulletin ID              Date Published                 Priority

APSB23-01                January 10, 2023               3


Summary

Adobe has released security updates for Adobe Acrobat and Reader for Windows
and macOS. These updates address critical and important vulnerabilities.
Successful exploitation could lead to application denial-of-service, arbitrary
code execution, privilege escalation and memory leak.


Affected Versions

Product              Track         Affected Versions                                             Platform

Acrobat DC           Continuous    22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions   Windows & macOS

Acrobat Reader DC    Continuous    22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions   Windows & macOS

Acrobat 2020         Classic 2020  20.005.30418 and earlier versions                             Windows & macOS

Acrobat Reader 2020  Classic 2020  20.005.30418 and earlier versions                             Windows & macOS


For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page.

For questions regarding Acrobat Reader DC, please visit the Acrobat Reader DC
FAQ page.


Solution

Adobe recommends users update their software installations to the latest
versions by following the instructions below.

The latest product versions are available to end users via one of the following
methods:

  o Users can update their product installations manually by choosing Help >
    Check for Updates.

  o The products will update automatically, without requiring user
    intervention, when updates are detected.

  o The full Acrobat Reader installer can be downloaded from the Acrobat Reader
    Download Center.

For IT administrators (managed environments):

  o Refer to the specific release note version for links to installers.

  o Install updates via your preferred methodology, such as AIP-GPO,
    bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and
    SSH.

Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version:

Product              Track         Updated Versions  Platform           Priority Rating  Availability

Acrobat DC           Continuous    22.003.20310      Windows and macOS  3                Release Notes

Acrobat Reader DC    Continuous    22.003.20310      Windows and macOS  3                Release Notes

Acrobat 2020         Classic 2020  20.005.30436      Windows and macOS  3                Release Notes

Acrobat Reader 2020  Classic 2020  20.005.30436      Windows and macOS  3                Release Notes


Vulnerability Details

Vulnerability Category                        Vulnerability Impact        Severity   CVSS base score  CVSS vector                                    CVE Number
Integer Overflow or Wraparound (CWE-190)      Arbitrary code execution    Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H   CVE-2023-21579
Out-of-bounds Read (CWE-125)                  Memory leak                 Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N   CVE-2023-21581
Out-of-bounds Read (CWE-125)                  Memory leak                 Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N   CVE-2023-21585
NULL Pointer Dereference (CWE-476)            Application denial-of-service  Important  5.5           CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H   CVE-2023-21586
Stack-based Buffer Overflow (CWE-121)         Arbitrary code execution    Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H   CVE-2023-21604
Heap-based Buffer Overflow (CWE-122)          Arbitrary code execution    Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H   CVE-2023-21605
Out-of-bounds Write (CWE-787)                 Arbitrary code execution    Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H   CVE-2023-21606
Improper Input Validation (CWE-20)            Arbitrary code execution    Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H   CVE-2023-21607
Use After Free (CWE-416)                      Arbitrary code execution    Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H   CVE-2023-21608
Out-of-bounds Write (CWE-787)                 Arbitrary code execution    Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H   CVE-2023-21609
Stack-based Buffer Overflow (CWE-121)         Arbitrary code execution    Critical   7.8              CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N   CVE-2023-21610
Violation of Secure Design Principles (CWE-657)  Privilege escalation     Important  6.4              CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H   CVE-2023-21611
Violation of Secure Design Principles (CWE-657)  Privilege escalation     Important  5.6              CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N   CVE-2023-21612
Out-of-bounds Read (CWE-125)                  Memory leak                 Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N   CVE-2023-21613
Out-of-bounds Read (CWE-125)                  Memory leak                 Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H   CVE-2023-21614

Acknowledgements

Adobe would like to thank the following for reporting these issues and for
working with Adobe to help protect our customers:

  o 0x1byte working with Trend Micro Zero Day Initiative - CVE-2023-21579,
    CVE-2023-21581, CVE-2023-21605
  o Koh M. Nakagawa (Ko Kato) (tsunekoh) - CVE-2023-21611, CVE-2023-21612
  o Mat Powell with Trend Micro Zero Day Initiative - CVE-2023-21585,
    CVE-2023-21606, CVE-2023-21607, CVE-2023-21613, CVE-2023-21614
  o KMFL (kmfl) - CVE-2023-21586
  o Anonymous working with Trend Micro Zero Day Initiative - CVE-2023-21609
  o Vancir (vancir) - CVE-2023-21610
  o Ashfaq Ansari and Krishnakant Patil - HackSys Inc working with Trend Micro
    Zero Day Initiative - CVE-2023-21608






Revisions:

November 7, 2022: Revised acknowledgement for CVE-2022-38437

For more information, visit https://helpx.adobe.com/security.html, or email
PSIRT@adobe.com.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

-----END PGP SIGNATURE-----