Adobe has released a security update for Adobe Connect. This update resolves an important authentication bypass vulnerability (CVE-2018-4994), which could result in sensitive information disclosure if successfully exploited. This update also resolves an important session management vulnerability due to inadequate validation of Connect meeting session tokens. Finally, the Connect add-in installer prior to 9.7 insecurely loads DLL files, which could be abused to escalate local privileges.
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

| Product | Version | Platform | Priority rating | Availability |
|---|---|---|---|---|
| Adobe Connect | 9.8.1 | All | 2 | Release note |

Note: As previously mentioned in APSB18-18, a mitigation for CVE-2018-4994 is available to customers by modifying Tomcat filters to prevent remote access to system configuration files. Please refer to this help document for details. Version 9.8.1 includes this configuration change in default configurations.

| Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
|---|---|---|---|
| Authentication Bypass | Sensitive Information Disclosure | Important | CVE-2018-4994 |
| Authentication Bypass | Session hijacking | Important | CVE-2018-12804 |
| Insecure Library Loading | Privilege Escalation | Moderate | CVE-2018-12805 |