Adobe Security Bulletin

Last updated on

Security update available for Adobe Acrobat and Reader | APSB21-29

Bulletin ID	Date Published	Priority
APSB21-29	May 11, 2021	1

Summary

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Adobe has received a report that CVE-2021-28550 has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows.

Affected Versions

Product	Track	Affected Versions	Platform
Acrobat DC	Continuous	2021.001.20150 and earlier versions	Windows
Acrobat Reader DC	Continuous	2021.001.20150 and earlier versions	Windows
Acrobat DC	Continuous	2021.001.20149 and earlier  versions	macOS
Acrobat Reader DC	Continuous	2021.001.20149 and earlier  versions	macOS

Acrobat 2020	Classic 2020	2020.001.30020 and earlier versions	Windows & macOS
Acrobat Reader 2020	Classic 2020	2020.001.30020 and earlier versions	Windows & macOS

Acrobat 2017	Classic 2017	2017.011.30194  and earlier versions	Windows & macOS
Acrobat Reader 2017	Classic 2017	2017.011.30194  and earlier versions	Windows & macOS

Solution

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

Users can update their product installations manually by choosing Help > Check for Updates.     
The products will update automatically, without requiring user intervention, when updates are detected.     
The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.

For IT administrators (managed environments):     

Refer to the specific release note version for links to installers.     
Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

Product	Track	Updated Versions	Platform	Priority Rating	Availability
Acrobat DC	Continuous	2021.001.20155	Windows and macOS	1	Release Notes
Acrobat Reader DC	Continuous	2021.001.20155	Windows and macOS	1	Release Notes

Acrobat 2020	Classic 2020	2020.001.30025	Windows and macOS	1	Release Notes
Acrobat Reader 2020	Classic 2020	2020.001.30025	Windows and macOS	1	Release Notes

Acrobat 2017	Classic 2017	2017.011.30196	Windows and macOS	1	Release Notes
Acrobat Reader 2017	Classic 2017	2017.011.30196	Windows and macOS	1	Release Notes

Vulnerability Details

Vulnerability Category	Vulnerability Impact	Severity	CVE Number
Out-of-bounds Write	Arbitrary code execution	Important	CVE-2021-28561
Heap-based Buffer Overflow	Arbitrary code execution	Critical	CVE-2021-28560
Heap-based Buffer Overflow	Arbitrary code execution	Important	CVE-2021-28558
Out-of-bounds Read	Memory leak	Critical	CVE-2021-28557
Out-of-bounds Read	Arbitrary file system read	Important	CVE-2021-28555
Out-of-bounds Read	Arbitrary code execution	Critical	CVE-2021-28565
Out-of-bounds Write	Arbitrary code execution	Critical	CVE-2021-28564
Out-of-bounds Write	Arbitrary code execution	Critical	CVE-2021-21044 CVE-2021-21038
Exposure of Private Information	Privilege escalation	Important	CVE-2021-28559
Use After Free	Arbitrary code execution	Critical	CVE-2021-28562 CVE-2021-28550 CVE-2021-28553

Acknowledgements

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers.

Anonymously reported (CVE-2021-28550)
Aleksandar Nikolic of Cisco Talos. (CVE-2021-28562)
Xu peng (xupeng_1231) (CVE-2021-28561)
chutchut (CVE-2021-28559)
fr0zenrain of Baidu Security (CVE-2021-28560)
Haboob Labs (CVE-2021-28557, CVE-2021-28564, CVE-2021-28565, CVE-2021-28553, , CVE-2021-28558, CVE-2021-28555)

Adobe

Get help faster and easier

New user?