-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.0138
      APSB23-01 : Security update available for Adobe Acrobat and Reader
                               11 January 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Acrobat and Reader
Publisher:         Adobe
Operating System:  Windows
                   macOS
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-21614 CVE-2023-21613 CVE-2023-21612 CVE-2023-21611
                   CVE-2023-21610 CVE-2023-21609 CVE-2023-21608 CVE-2023-21607
                   CVE-2023-21606 CVE-2023-21605 CVE-2023-21604 CVE-2023-21586
                   CVE-2023-21585 CVE-2023-21581 CVE-2023-21579 CVE-2022-38437

Original Bulletin:
   https://helpx.adobe.com/security/products/acrobat/apsb23-01.html

Comment: CVSS (Max):  7.8 CVE-2023-21610 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
         CVSS Source: Adobe
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

Security update available for Adobe Acrobat and Reader | APSB23-01

Bulletin ID    Date Published      Priority
APSB23-01      January 10, 2023    3

Summary

Adobe has released security updates for Adobe Acrobat and Reader for Windows
and macOS. These updates address critical and important vulnerabilities.
Successful exploitation could lead to application denial-of-service, arbitrary
code execution, privilege escalation and memory leak.
Affected Versions

Product              Track         Affected Versions                                    Platform
Acrobat DC           Continuous    22.003.20282 (Win), 22.003.20281 (Mac) and earlier   Windows & macOS
Acrobat Reader DC    Continuous    22.003.20282 (Win), 22.003.20281 (Mac) and earlier   Windows & macOS
Acrobat 2020         Classic 2020  20.005.30418 and earlier versions                    Windows & macOS
Acrobat Reader 2020  Classic 2020  20.005.30418 and earlier versions                    Windows & macOS

For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page.
For questions regarding Acrobat Reader DC, please visit the Acrobat Reader DC FAQ page.

Solution

Adobe recommends users update their software installations to the latest
versions by following the instructions below.

The latest product versions are available to end users via one of the
following methods:

  o Users can update their product installations manually by choosing
    Help > Check for Updates.
  o The products will update automatically, without requiring user
    intervention, when updates are detected.
  o The full Acrobat Reader installer can be downloaded from the Acrobat
    Reader Download Center.

For IT administrators (managed environments):

  o Refer to the specific release note version for links to installers.
  o Install updates via your preferred methodology, such as AIP-GPO,
    bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop
    and SSH.
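In a managed environment the first step is usually not deployment but finding out which endpoints are still below the fixed build. The script below is an added example (not Adobe or AusCERT code) that triages an endpoint inventory against the fixed builds this bulletin lists (22.003.20310 for the Continuous track, 20.005.30436 for Classic 2020). The inventory records and hostnames are constructed for the example; a real run would read them from an SCCM, Jamf or osquery export. It compares version fields numerically, handles the Windows/macOS difference in the affected builds, and reports installs on tracks this bulletin does not cover separately instead of silently calling them patched.

```python
"""Triage an endpoint inventory against the APSB23-01 fixed builds.

Added example for this bulletin (not Adobe or AusCERT code).  The inventory
records below are constructed for the example; a real run would read them
from an SCCM, Jamf or osquery export.  The fixed build numbers are the ones
the bulletin lists under "Updated Versions".
"""
import re

# First fixed build per track, from the bulletin.  Adobe's major version
# identifies the track: 22.x is Continuous (Acrobat DC / Acrobat Reader DC),
# 20.x is Classic 2020 (Acrobat 2020 / Acrobat Reader 2020).  The fixed build
# is the same on Windows and macOS, so the Win/Mac difference in the
# "affected" column (22.003.20282 vs 22.003.20281) needs no special case:
# both are below 22.003.20310.
FIXED_BUILDS = {
    22: "22.003.20310",
    20: "20.005.30436",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple[int, int, int]:
    """'22.003.20282' -> (22, 3, 20282).

    Adobe zero-pads the middle field, so fields are compared as integers;
    a plain string comparison would misorder 22.003.x against 22.010.x.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Acrobat/Reader version: {text!r}")
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor, build)


def assess(version: str) -> str:
    """Classify one installed build as 'vulnerable', 'fixed' or 'not-covered'."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[0])
    if fixed is None:
        # A track the bulletin does not mention.  Report it separately rather
        # than treating it as patched just because no comparison applies.
        return "not-covered"
    return "vulnerable" if v < parse_version(fixed) else "fixed"


# Constructed inventory: (hostname, platform, product, installed version).
INVENTORY = [
    ("win-fin-01", "Windows", "Acrobat Reader DC",   "22.003.20282"),
    ("mac-des-07", "macOS",   "Acrobat DC",          "22.003.20281"),
    ("win-hr-03",  "Windows", "Acrobat Reader DC",   "22.003.20310"),
    ("win-eng-12", "Windows", "Acrobat 2020",        "20.005.30418"),
    ("mac-eng-02", "macOS",   "Acrobat Reader 2020", "20.005.30436"),
    ("win-lab-09", "Windows", "Acrobat Reader",      "17.012.30262"),
]


def triage(inventory=INVENTORY) -> dict[str, list[str]]:
    """Group hosts by status; the 'vulnerable' list is the patch work queue."""
    groups: dict[str, list[str]] = {"vulnerable": [], "fixed": [], "not-covered": []}
    for host, platform, product, version in inventory:
        groups[assess(version)].append(f"{host} {platform} {product} {version}")
    return groups


if __name__ == "__main__":
    for status, hosts in triage().items():
        print(f"{status}: {len(hosts)}")
        for line in hosts:
            print("  " + line)
```

The version string the script expects is the one the product shows under Help > About and that inventory tools normally export. Because the check is "below the first fixed build" rather than "equal to a listed affected build", it also catches installs older than the builds named in the Affected Versions table, which the bulletin covers with "and earlier versions".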
Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version:

Product              Track         Updated Versions  Platform           Priority Rating  Availability
Acrobat DC           Continuous    22.003.20310      Windows and macOS  3                Release Notes
Acrobat Reader DC    Continuous    22.003.20310      Windows and macOS  3                Release Notes
Acrobat 2020         Classic 2020  20.005.30436      Windows and macOS  3                Release Notes
Acrobat Reader 2020  Classic 2020  20.005.30436      Windows and macOS  3                Release Notes

Vulnerability Details

CVE Number      Vulnerability Category                          Vulnerability Impact           Severity   CVSS base score  CVSS vector
CVE-2023-21579  Integer Overflow or Wraparound (CWE-190)        Arbitrary code execution       Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-21581  Out-of-bounds Read (CWE-125)                    Memory leak                    Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2023-21585  Out-of-bounds Read (CWE-125)                    Memory leak                    Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2023-21586  NULL Pointer Dereference (CWE-476)              Application denial-of-service  Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE-2023-21604  Stack-based Buffer Overflow (CWE-121)           Arbitrary code execution       Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-21605  Heap-based Buffer Overflow (CWE-122)            Arbitrary code execution       Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-21606  Out-of-bounds Write (CWE-787)                   Arbitrary code execution       Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-21607  Improper Input Validation (CWE-20)              Arbitrary code execution       Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-21608  Use After Free (CWE-416)                        Arbitrary code execution       Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-21609  Out-of-bounds Write (CWE-787)                   Arbitrary code execution       Critical   7.8              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-21610  Stack-based Buffer Overflow (CWE-121)           Arbitrary code execution       Critical   7.8              CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2023-21611  Violation of Secure Design Principles (CWE-657) Privilege escalation           Important  6.4              CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
CVE-2023-21612  Violation of Secure Design Principles (CWE-657) Privilege escalation           Important  5.6              CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
CVE-2023-21613  Out-of-bounds Read (CWE-125)                    Memory leak                    Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2023-21614  Out-of-bounds Read (CWE-125)                    Memory leak                    Important  5.5              CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Note on two rows of the table above: the vector printed for CVE-2023-21610
(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) scores 4.3 under CVSS v3.1, not 7.8,
while its severity, score and "stack-based buffer overflow / arbitrary code
execution" description match the AV:L/.../C:H/I:H/A:H vector of the other
overflow rows. Conversely, the vector printed for CVE-2023-21614 scores 7.8,
not 5.5, while its "memory leak" impact and 5.5 score match the C:H/I:N/A:N
vector of the other out-of-bounds-read rows. Treat the printed vectors for
these two rows (and the AusCERT "CVSS (Max)" comment, which repeats the
CVE-2023-21610 vector) as transcription errors and take the score and
severity columns as authoritative; the current version of APSB23-01 at the
URL above is the place to confirm. In practical terms every code-execution
issue in this release is a local, user-interaction vector: the attacker has
to get a crafted document opened in Acrobat or Reader.

Acknowledgements

Adobe would like to thank the following for reporting these issues and for
working with Adobe to help protect our customers:

  o 0x1byte working with Trend Micro Zero Day Initiative - CVE-2023-21579,
    CVE-2023-21581, CVE-2023-21605
  o Koh M. Nakagawa (Ko Kato) (tsunekoh) - CVE-2023-21611, CVE-2023-21612
  o Mat Powell with Trend Micro Zero Day Initiative - CVE-2023-21585,
    CVE-2023-21606, CVE-2023-21607, CVE-2023-21613, CVE-2023-21614
  o KMFL (kmfl) - CVE-2023-21586
  o Anonymous working with Trend Micro Zero Day Initiative - CVE-2023-21609
  o Vancir (vancir) - CVE-2023-21610
  o Ashfaq Ansari and Krishnakant Patil - HackSys Inc working with Trend
    Micro Zero Day Initiative - CVE-2023-21608

Revisions:

November 7, 2022: Revised acknowledgement for CVE-2022-38437

(CVE-2022-38437 appears only in this revision note and in the AusCERT CVE
list above; it is not one of the vulnerabilities in the table for this
release.)

For more information, visit https://helpx.adobe.com/security.html, or email
PSIRT@adobe.com.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY74RdckNZI30y1K9AQi2xBAAljy+tYsnHnc8bn7YWnI6wgfJoVmB8I6X
0jHLWHJzs5bL9C8LKAMj1ITkj2lRUOkaFzR4SYAfSDFnOdujVBWaBUpBFBq7gnuo
zBgaUgyWhJPDi6nENhCzjQTHNqsVkqlv1OPuN8U46Ojxhtomjpo8NQChchuptPzz
Ma+QZwxKwx5eiax/l1lbgmgw7/zRs9vST8aww2JGV84pGAAUCxdFxl0inXIMYbld
zb6Ix/j513cQ4KIWWdY1phn5piUllPyGPPgSmCOH3xRGMxbdgPo05aXxY0h2Wha+
miT+8ayzST+xZzv3OI3s/SB9YvccPPQa7tfQES96YIblnUm7ZZjBtn3/uiCtOrzl
Wi16SCzDspkzyzeGpLPK6Q9KzsaPKzhYLjFofWy/PX6ryjSJtXb00gTdKNwNCNVB
iOdl8U547oirh4v+cSlZtj2vs/n54eKMhGqJN5WzGTqLgGhPu0nR7yBvHxSnRaZ5
qyj44AKjgXlXSHHgyMIZLUL7+27q67WUdyyygc6eHIVrDws+Sa86lNkPrrNNAVgS
DGCWuow8QhkF7ZkD3sczhPRiSdFXl9iRSN8VfC/iPie/hzUgxfFdG4NdAR4YnDJW
McfageLf0L6G17L5gM9UbDHJyev+udVZ73i9YrRIlLTa5EI7Q2Upt2BE5iR1iWNh
rN+QfO4Ntm0=
=WgIK
-----END PGP SIGNATURE-----