Bulletin ID
Prenotification Security Advisory for Adobe Acrobat and Reader | APSB23-01
|
Date Published |
Priority |
---|---|---|
Prenotification Security Advisory for Adobe Acrobat and Reader | APSB23-01 |
January 10, 2023 |
3 |
Summary
Adobe is planning to release security updates for Adobe Acrobat and Reader for Windows and macOS on January 10, 2023.
Users may monitor the latest information on the Adobe Product Security Incident Response Team (PSIRT) webpage at https://helpx.adobe.com/security.html
(Note: This Prenotification Security Advisory will be replaced with the Security Bulletin upon release of the update.)
Affected Versions
These updates address critical and important vulnerabilities. Successful exploitation could lead to application denial-of-service, arbitrary code execution, privilege escalation and memory leak.
Adobe will be assigning the following priority ratings to these updates:
Track |
Affected Versions |
Platform |
|
Acrobat DC |
Continuous |
22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions |
Windows & macOS |
Acrobat Reader DC |
Continuous |
|
Windows & macOS |
|
|
||
Acrobat 2020 |
Classic 2020 |
20.005.30418 and earlier versions
|
Windows & macOS |
Acrobat Reader 2020 |
Classic 2020 |
20.005.30418 and earlier versions |
Windows & macOS |
For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page.
--For more information on Adobe Acrobat DC, please visit https://helpx.adobe.com/acrobat/faq.html.
--For more information on Adobe Acrobat Reader DC, please visit https://helpx.adobe.com/reader/faq.html.
Solution
Adobe recommends users update their software installations to the latest versions by following the instructions below.
The latest product versions are available to end users via one of the following methods:
Users can update their product installations manually by choosing Help > Check for Updates.
The products will update automatically, without requiring user intervention, when updates are detected.
The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.
For IT administrators (managed environments):
Refer to the specific release note version for links to installers.
Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:
Track |
Updated Versions |
Platform |
Priority Rating |
Availability |
|
Acrobat DC |
Continuous |
22.003.20310 |
Windows and macOS |
3 |
|
Acrobat Reader DC |
Continuous |
22.003.20310 |
Windows and macOS |
3 |
|
|
|
|
|
|
|
Acrobat 2020 |
Classic 2020 |
20.005.30436 |
Windows and macOS |
3 |
|
Acrobat Reader 2020 |
Classic 2020 |
20.005.30436 |
Windows and macOS |
3 |
Vulnerability Details
Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Number |
Integer Overflow or Wraparound (CWE-190) |
Arbitrary code execution |
Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2023-21579 |
Out-of-bounds Read (CWE-125) |
Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
CVE-2023-21581 |
Out-of-bounds Read (CWE-125) |
Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
CVE-2023-21585 |
NULL Pointer Dereference (CWE-476) |
Application denial-of-service |
Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
CVE-2023-21586 |
Stack-based Buffer Overflow (CWE-121) |
Arbitrary code execution |
Critical |
7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2023-21604 |
Heap-based Buffer Overflow (CWE-122) |
Arbitrary code execution |
Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2023-21605 |
Out-of-bounds Write (CWE-787) |
Arbitrary code execution |
Critical |
7.8 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2023-21606 |
Improper Input Validation (CWE-20) |
Arbitrary code execution |
Critical |
7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2023-21607 |
Use After Free (CWE-416) |
Arbitrary code execution |
Critical |
7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2023-21608 |
Out-of-bounds Write (CWE-787) |
Arbitrary code execution |
Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2023-21609 |
Stack-based Buffer Overflow (CWE-121) |
Arbitrary code execution |
Critical |
7.8 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
CVE-2023-21610 |
Violation of Secure Design Principles (CWE-657) |
Privilege escalation |
Important | 6.4 | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H |
CVE-2023-21611 |
Violation of Secure Design Principles (CWE-657) |
Privilege escalation |
Important |
5.6 | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N |
CVE-2023-21612 |
Out-of-bounds Read (CWE-125) |
Memory leak |
Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
CVE-2023-21613 |
Out-of-bounds Read (CWE-125) |
Memory leak |
Important |
5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVE-2023-21614 |
Acknowledgements
Adobe would like to thank the following for reporting these issues and for working with Adobe to help protect our customers:
- 0x1byte working with Trend Micro Zero Day Initiative - CVE-2023-21579, CVE-2023-21581, CVE-2023-21605
- Koh M. Nakagawa (Ko Kato) (tsunekoh) - CVE-2023-21611, CVE-2023-21612
- Mat Powell with Trend Micro Zero Day Initiative - CVE-2023-21585, CVE-2023-21606, CVE-2023-21607, CVE-2023-21613, CVE-2023-21614
- KMFL (kmfl) - CVE-2023-21586
- Anonymous working with Trend Micro Zero Day Initiative - CVE-2023-21609
- Vancir (vancir) - CVE-2023-21610
- Ashfaq Ansari and Krishnakant Patil - HackSys Inc working with Trend Micro Zero Day Initiative- CVE-2023-21608
Revisions:
November 7, 2022: Revised acknowledgement for CVE-2022-38437
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.