Adobe Security Bulletin

Last updated on

Security update available for Adobe Acrobat and Reader | APSB21-09

Bulletin ID	Date Published	Priority
APSB21-09	February 09, 2021	1

Summary

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Adobe has received a report that CVE-2021-21017 has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows.

Affected Versions

Product	Track	Affected Versions	Platform
Acrobat DC	Continuous	2020.013.20074 and earlier versions	Windows & macOS
Acrobat Reader DC	Continuous	2020.013.20074 and earlier versions	Windows & macOS

Acrobat 2020	Classic 2020	2020.001.30018 and earlier versions	Windows & macOS
Acrobat Reader 2020	Classic 2020	2020.001.30018 and earlier versions	Windows & macOS

Acrobat 2017	Classic 2017	2017.011.30188  and earlier versions	Windows & macOS
Acrobat Reader 2017	Classic 2017	2017.011.30188  and earlier versions	Windows & macOS

Solution

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

Users can update their product installations manually by choosing Help > Check for Updates.     
The products will update automatically, without requiring user intervention, when updates are detected.     
The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.

For IT administrators (managed environments):     

Refer to the specific release note version for links to installers.     
Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

Product	Track	Updated Versions	Platform	Priority Rating	Availability
Acrobat DC	Continuous	2021.001.20135	Windows and macOS	1	Release Notes
Acrobat Reader DC	Continuous	2021.001.20135	Windows and macOS	1	Release Notes

Acrobat 2020	Classic 2020	2020.001.30020	Windows and macOS	1	Release Notes
Acrobat Reader 2020	Classic 2020	2020.001.30020	Windows and macOS	1	Release Notes

Acrobat 2017	Classic 2017	2017.011.30190	Windows and macOS	1	Release Notes
Acrobat Reader 2017	Classic 2017	2017.011.30190	Windows and macOS	1	Release Notes

Vulnerability Details

Vulnerability Category	Vulnerability Impact	Severity	CVE Number
Buffer overflow	Application denial-of-service	Important	CVE-2021-21046
Heap-based Buffer Overflow	Arbitrary code execution	Critical	CVE-2021-21017
Path Traversal	Arbitrary code execution	Critical	CVE-2021-21037
Integer Overflow	Arbitrary code execution	Critical	CVE-2021-21036
Improper Access Control	Privilege escalation	Critical	CVE-2021-21045
Out-of-bounds Read	Privilege escalation	Important	CVE-2021-21042 CVE-2021-21034 CVE-2021-21089 CVE-2021-40723
Use-after-free	Information Disclosure	Important	CVE-2021-21061
Out-of-bounds Write	Arbitrary code execution	Critical	CVE-2021-21044 CVE-2021-21038 CVE-2021-21086
Buffer overflow	Arbitrary code execution	Critical	CVE-2021-21058 CVE-2021-21059 CVE-2021-21062 CVE-2021-21063
NULL Pointer Dereference	Information Disclosure	Important	CVE-2021-21057
Improper Input Validation	Information Disclosure	Important	CVE-2021-21060
Use After Free	Arbitrary code execution	Critical	CVE-2021-21041 CVE-2021-21040 CVE-2021-21039 CVE-2021-21035 CVE-2021-21033 CVE-2021-21028 CVE-2021-21021 CVE-2021-21088
Missing Support for Integrity Check	Security feature bypass	Important	CVE-2021-28545 CVE-2021-28546

Acknowledgements

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers.

Anonymously reported (CVE-2021-21017)
Nipun Gupta, Ashfaq Ansari, and Krishnakant Patil - CloudFuzz (CVE-2021-21041)
Mark Vincent Yason (@MarkYason) working with Trend Micro Zero Day Initiative (CVE-2021-21042, CVE-2021-21034, CVE-2021-21089)
Xu Peng from UCAS and Wang Yanhao from QiAnXin Technology Research Institute working with Trend Micro Zero Day Initiative (CVE-2021-21035, CVE-2021-21033, CVE-2021-21028, CVE-2021-21021)
AIOFuzzer working with Trend Micro Zero Day Initiative (CVE-2021-21044, CVE-2021-21061, CVE-2021-21088)
360CDSRC in Tianfu Cup 2020 International Cybersecurity Contest (CVE-2021-21037)
Will Dormann of CERT/CC (CVE-2021-21045)
Xuwei Liu (shellway) (CVE-2021-21046)
胖 in Tianfu Cup 2020 International Cybersecurity Contest (CVE-2021-21040)
360政企安全漏洞研究院 in Tianfu Cup 2020 International Cybersecurity Contest (CVE-2021-21039)
蚂蚁安全光年实验室基础研究小组 in Tianfu Cup 2020 International Cybersecurity Contest (CVE-2021-21038)
CodeMaster in Tianfu Cup 2020 International Cybersecurity Contest (CVE-2021-21036)
Xinyu Wan (wxyxsx) (CVE-2021-21057)
Haboob Labs (CVE-2021-21060)
Ken Hsu of Palo Alto Networks (CVE-2021-21058)
Ken Hsu of Palo Alto Networks, Heige (a.k.a. SuperHei) of Knwonsec 404 Team (CVE-2021-21059)
Ken Hsu, Bo Qu of Palo Alto Networks (CVE-2021-21062)
Ken Hsu, Zhibin Zhang of Palo Alto Networks (CVE-2021-21063)
Mateusz Jurczyk from Google Project Zero (CVE-2021-21086)
Simon Rohlmann, Vladislav Mladenov, Christian Mainka and Jörg Schwenk Chair for Network and Data Security, Ruhr University Bochum (CVE-2021-28545, CVE-2021-28546)

Revisions

February 10, 2021: Updated acknowledgements for CVE-2021-21058, CVE-2021-21059, CVE-2021-21062, CVE-2021-21063.

March 10, 2021: Updated acknowledgement for CVE-2021-21035, CVE-2021-21033, CVE-2021-21028, CVE-2021-21021

March 17, 2021: Added details for CVE-2021-21086, CVE-2021-21088 and CVE-2021-21089.

March 26, 2021: Added details for CVE-2021-28545 and CVE-2021-28546.

September 29, 2021: Added details for CVE-2021-40723

Adobe

Get help faster and easier

New user?