SB2021071320 - Multiple vulnerabilities in Adobe Acrobat and Reader

Security Bulletin ID SB2021071320

Severity

High

Patch available

YES

Number of vulnerabilities 19

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 19 secuirty vulnerabilities.

1) Out-of-bounds read (CVE-ID: CVE-2021-35988)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.

2) Heap-based buffer overflow (CVE-ID: CVE-2021-28638)

The vulnerability allows a remote attacker to compromise the affected system

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document, trigger a heap-based buffer overflow and execute arbitrary code on the system.

3) Use-after-free (CVE-ID: CVE-2021-28635)

The vulnerability allows a remote attacker to compromise the affected system

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.

4) Use-after-free (CVE-ID: CVE-2021-35981)

The vulnerability allows a remote attacker to compromise the affected system

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.

5) Use-after-free (CVE-ID: CVE-2021-35983)

The vulnerability allows a remote attacker to compromise the affected system

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.

6) Command injection (CVE-ID: CVE-2021-28634)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper input validation. A local user can execute arbitrary OS commands and escalate privileges on the system.

7) Insecure DLL loading (CVE-ID: CVE-2021-28636)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to the application loads DLL libraries in an insecure manner. A remote attacker can place a specially crafted .dll file on a remote SMB fileshare, trick the victim into opening a file, associated with the vulnerable application, and execute arbitrary code on victim's system.

8) NULL pointer dereference (CVE-ID: CVE-2021-35984)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trick the victim to open a specially crafted file and perform a denial of service (DoS) attack.

9) NULL pointer dereference (CVE-ID: CVE-2021-35985)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trick the victim to open a specially crafted file and perform a denial of service (DoS) attack.

10) Type confusion (CVE-ID: CVE-2021-35986)

The vulnerability allows a remote attacker to compromise the affected system

The vulnerability exists due to a boundary condition within the getAnnots method when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document, trigger a type confusion error and execute arbitrary code on the system.

11) Out-of-bounds read (CVE-ID: CVE-2021-35987)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.

12) Out-of-bounds read (CVE-ID: CVE-2021-28637)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.

13) Out-of-bounds write (CVE-ID: CVE-2021-28642)

The vulnerability allows a remote attacker to compromise the affected system

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document, trigger an Out-of-bounds write error and execute arbitrary code on the system.

14) Use-after-free (CVE-ID: CVE-2021-28639)

The vulnerability allows a remote attacker to compromise the affected system

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.

15) Use-after-free (CVE-ID: CVE-2021-28641)

The vulnerability allows a remote attacker to compromise the affected system

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.

16) Type confusion (CVE-ID: CVE-2021-28643)

The vulnerability allows a remote attacker to compromise the affected system

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document, trigger a type confusion error and execute arbitrary code on the system.

17) Use-after-free (CVE-ID: CVE-2021-28640)

The vulnerability allows a remote attacker to compromise the affected system

The vulnerability exists due to a boundary condition when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document, trigger a use-after-free error and execute arbitrary code on the system.

18) Path traversal (CVE-ID: CVE-2021-28644)

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to an input validation error when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document and overwrite arbitrary files on the system.

19) Path traversal (CVE-ID: CVE-2021-35980)

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to an input validation error when processing PDF files. A remote attacker can trick the victim to open a specially crafted PDF document and overwrite arbitrary files on the system.

Remediation

Install update from vendor's website.

SB2021071320 - Multiple vulnerabilities in Adobe Acrobat and Reader

Breakdown by Severity

Description

Remediation

References

Please verify you're human