Security updates available for Adobe Connect | APSB18-22
Bulletin ID Date Published Priority
APSB18-22 July 10, 2018 2

Summary

Adobe has released a security update for Adobe Connect.  This update resolves an important authentication bypass vulnerability (CVE-2018-4994), which could result in sensitive information disclosure if successfully exploited.  This update also resolves an important session management vulnerability due to inadequate validation of Connect meeting session tokens.  Finally, the Connect add-in installer prior to 9.7 insecurely loads DLL files, which could be abused to escalate local privileges. 

Affected product versions

Product Version Platform
Adobe Connect 9.7.5 and earlier All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:

Product Version Platform Priority Availability
Adobe Connect 9.8.1  All 2 Release note

Note: As previously mentioned in APSB18-18, a mitigation for CVE-2018-4994 is available to customers by modifying Tomcat filters to prevent remote access to system configuration files.  Please refer to this help document for details. Version 9.8.1 includes this configuration change in default configurations. 

Vulnerability details

Vulnerability Category Vulnerability Impact Severity CVE Number
Authentication Bypass Sensitive Information Disclosure Important CVE-2018-4994
Authentication Bypass Session hijacking Important CVE-2018-12804
Insecure Library Loading Privilege Escalation Moderate CVE-2018-12805

Note: CVE-2018-12805 was resolved in the Connect add-in installer version 9.7.  

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

  • Tanner LLC (CVE-2018-4994) 

  • BlackWingCat (CVE-2018-12805)