Security update available for Adobe Acrobat and Reader | APSB21-09

Bulletin ID: APSB21-09
Date Published: February 09, 2021
Priority: 1

Summary

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Adobe has received a report that CVE-2021-21017 has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows.

Affected Versions

Product               Track          Affected Versions                 Platform
Acrobat DC            Continuous     2020.013.20074 and earlier        Windows & macOS
Acrobat Reader DC     Continuous     2020.013.20074 and earlier        Windows & macOS
Acrobat 2020          Classic 2020   2020.001.30018 and earlier        Windows & macOS
Acrobat Reader 2020   Classic 2020   2020.001.30018 and earlier        Windows & macOS
Acrobat 2017          Classic 2017   2017.011.30188 and earlier        Windows & macOS
Acrobat Reader 2017   Classic 2017   2017.011.30188 and earlier        Windows & macOS

Solution

Adobe recommends users update their software installations to the latest versions by following the instructions below.

The latest product versions are available to end users via one of the following methods:

  • Users can update their product installations manually by choosing Help > Check for Updates.

  • The products will update automatically, without requiring user intervention, when updates are detected.

  • The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.

For IT administrators (managed environments):

  • Refer to the specific release note version for links to installers.

  • Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.


Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version. All of the builds below carry priority rating 1, Adobe's highest, which is the rating it assigns when an update resolves a vulnerability being targeted by exploits in the wild (here CVE-2021-21017) and for which it recommends installing as soon as possible.

Product               Track          Updated Versions   Platform            Priority Rating   Availability
Acrobat DC            Continuous     2021.001.20135     Windows and macOS   1                 Release Notes
Acrobat Reader DC     Continuous     2021.001.20135     Windows and macOS   1                 Release Notes
Acrobat 2020          Classic 2020   2020.001.30020     Windows and macOS   1                 Release Notes
Acrobat Reader 2020   Classic 2020   2020.001.30020     Windows and macOS   1                 Release Notes
Acrobat 2017          Classic 2017   2017.011.30190     Windows and macOS   1                 Release Notes
Acrobat Reader 2017   Classic 2017   2017.011.30190     Windows and macOS   1                 Release Notes

Vulnerability Details

Vulnerability Category       Vulnerability Impact            Severity    CVE Number
Buffer overflow              Application denial-of-service   Important   CVE-2021-21046
Heap-based Buffer Overflow   Arbitrary code execution        Critical    CVE-2021-21017
Path Traversal               Arbitrary code execution        Critical    CVE-2021-21037
Integer Overflow             Arbitrary code execution        Critical    CVE-2021-21036
Improper Access Control      Privilege escalation            Critical    CVE-2021-21045
Out-of-bounds Read           Privilege escalation            Important   CVE-2021-21042, CVE-2021-21034
Use After Free               Information Disclosure          Important   CVE-2021-21061
Out-of-bounds Write          Arbitrary code execution        Critical    CVE-2021-21044, CVE-2021-21038
Buffer overflow              Arbitrary code execution        Critical    CVE-2021-21058, CVE-2021-21059, CVE-2021-21062, CVE-2021-21063
NULL Pointer Dereference     Information Disclosure          Important   CVE-2021-21057
Improper Input Validation    Information Disclosure          Important   CVE-2021-21060
Use After Free               Arbitrary code execution        Critical    CVE-2021-21041, CVE-2021-21040, CVE-2021-21039, CVE-2021-21035, CVE-2021-21033, CVE-2021-21028, CVE-2021-21021

Acknowledgements

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers. 

  • Anonymously reported (CVE-2021-21017)
  • Nipun Gupta, Ashfaq Ansari, and Krishnakant Patil - CloudFuzz (CVE-2021-21041)
  • Mark Vincent Yason (@MarkYason) working with Trend Micro Zero Day Initiative (CVE-2021-21042, CVE-2021-21034)
  • Fenghan_zuijinyoukongma_woxiangyueniyiqichifankandianying working with Trend Micro Zero Day Initiative (CVE-2021-21035, CVE-2021-21033, CVE-2021-21028, CVE-2021-21021)
  • AIOFuzzer working with Trend Micro Zero Day Initiative (CVE-2021-21044, CVE-2021-21061)
  • 360CDSRC in Tianfu Cup 2020 International Cybersecurity Contest (CVE-2021-21037)
  • Will Dormann of CERT/CC (CVE-2021-21045)
  • Xuwei Liu (shellway) (CVE-2021-21046)
  • 胖 in Tianfu Cup 2020 International Cybersecurity Contest (CVE-2021-21040)
  • 360政企安全漏洞研究院 in Tianfu Cup 2020 International Cybersecurity Contest (CVE-2021-21039)
  • 蚂蚁安全光年实验室基础研究小组 in Tianfu Cup 2020 International Cybersecurity Contest (CVE-2021-21038)
  • CodeMaster in Tianfu Cup 2020 International Cybersecurity Contest (CVE-2021-21036)
  • Xinyu Wan (wxyxsx) (CVE-2021-21057)
  • Haboob Labs (CVE-2021-21060)
  • Ken Hsu of Palo Alto Networks (CVE-2021-21058)
  • Ken Hsu of Palo Alto Networks, Heige (a.k.a. SuperHei) of Knownsec 404 Team (CVE-2021-21059)
  • Ken Hsu, Bo Qu of Palo Alto Networks (CVE-2021-21062)
  • Ken Hsu, Zhibin Zhang of Palo Alto Networks (CVE-2021-21063)

Revisions

February 10, 2021: Updated acknowledgements for CVE-2021-21058, CVE-2021-21059, CVE-2021-21062, CVE-2021-21063.