Adobe Security Bulletin

Security updates available for Adobe Connect | APSB18-22

Bulletin ID	Date Published	Priority
APSB18-22	July 10, 2018	2

Adobe has released a security update for Adobe Connect. This update resolves an important authentication bypass vulnerability (CVE-2018-4994), which could result in sensitive information disclosure if successfully exploited. This update also resolves an important session management vulnerability due to inadequate validation of Connect meeting session tokens. Finally, the Connect add-in installer prior to 9.7 insecurely loads DLL files, which could be abused to escalate local privileges.

Product	Version	Platform
Adobe Connect	9.7.5 and earlier	All

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product	Version	Platform	Priority	Availability
Adobe Connect	9.8.1	All	2	Release note

Note: As previously mentioned in APSB18-18, a mitigation for CVE-2018-4994 is available to customers by modifying Tomcat filters to prevent remote access to system configuration files. Please refer to this help document for details. Version 9.8.1 includes this configuration change in default configurations.

Vulnerability Category	Vulnerability Impact	Severity	CVE Number
Authentication Bypass	Sensitive Information Disclosure	Important	CVE-2018-4994
Authentication Bypass	Session hijacking	Important	CVE-2018-12804
Insecure Library Loading	Privilege Escalation	Moderate	CVE-2018-12805

Note: CVE-2018-12805 was resolved in the Connect add-in installer version 9.7.

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

Tanner LLC (CVE-2018-4994)
BlackWingCat (CVE-2018-12805)

Adobe Security Bulletin

Summary

Affected product versions

Solution

Vulnerability details

Acknowledgments

Ask the Community

Contact Us