Adobe Out-of-Band Patch Tackling Critical Vulnerabilities in Multiple Products Threat Alert

May 11, 2020 | Mina Hao

Overview

On April 28, local time, Adobe released an out-of-band patch tackling multiple vulnerabilities in Magento, Adobe Illustrator, and Adobe Bridge.

For details about the security bulletins and advisories, visit the following link:

https://helpx.adobe.com/security.html

Vulnerability Description

Magento

Adobe released an out-of-band patch tackling 10 critical and important vulnerabilities in Magento.

The following updates are rated as Priority 2. (For the definition of priorities, see Adobe Priority Rating System).

Vulnerability details are as follows:

| Vulnerability Category | Vulnerability Impact | Severity Level | Pre-authentication | Administrative Privilege | CVE ID |
|---|---|---|---|---|---|
| Command injection | Arbitrary code execution | Critical | No | Yes | CVE-2020-9576 |
| Command injection | Arbitrary code execution | Critical | No | Yes | CVE-2020-9578 |
| Security mitigation bypass | Arbitrary code execution | Critical | No | Yes | CVE-2020-9579 |
| Security mitigation bypass | Arbitrary code execution | Critical | No | Yes | CVE-2020-9580 |
| Command injection | Arbitrary code execution | Critical | No | Yes | CVE-2020-9582 |
| Command injection | Arbitrary code execution | Critical | No | Yes | CVE-2020-9583 |
| XSS (stored) | Sensitive information disclosure | Important | Yes | No | CVE-2020-9577 |
| XSS (stored) | Sensitive information disclosure | Important | No | Yes | CVE-2020-9581 |
| XSS (stored) | Sensitive information disclosure | Important | Yes | No | CVE-2020-9584 |
| Observable time difference | Signature authentication bypass | Important | No | Yes | CVE-2020-9588 |

For details on the vulnerability impact and remediation, refer to the security bulletin at the following link:

https://helpx.adobe.com/security/products/magento/apsb20-22.html
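The last row of the Magento table names an "observable time difference" that leads to a signature authentication bypass. The added example below is not Magento's code and not the fix Adobe shipped; it illustrates the general bug class with a constructed HMAC-SHA256 signing scheme and a placeholder key. The leaky comparison stops at the first mismatching character, so the number of characters it examines (a stand-in for elapsed time) reveals how much of a forged signature is already correct; the hardened version uses hmac.compare_digest, which examines the whole value regardless of where it differs.

```python
import hashlib
import hmac

# Constructed placeholder key for the demonstration; not a real Magento secret.
SECRET_KEY = b"constructed-demo-key"


def sign(message: bytes, key: bytes = SECRET_KEY) -> str:
    """Assumed signing scheme for the example: hex-encoded HMAC-SHA256."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def compare_leaky(expected: str, presented: str) -> tuple[bool, int]:
    """Early-exit comparison of the vulnerable kind.

    Returns the verdict and the number of characters examined before
    returning. That count grows with the length of the matching prefix,
    which is exactly the observable difference a remote caller can measure.
    """
    steps = 0
    for a, b in zip(expected, presented):
        steps += 1
        if a != b:
            return False, steps
    return len(expected) == len(presented), steps


def verify_leaky(message: bytes, presented: str, key: bytes = SECRET_KEY) -> bool:
    """Vulnerable verifier: verdict is correct, but timing depends on the input."""
    ok, _steps = compare_leaky(sign(message, key), presented)
    return ok


def verify_constant_time(message: bytes, presented: str, key: bytes = SECRET_KEY) -> bool:
    """Hardened verifier: hmac.compare_digest runs in time independent of
    where (or whether) the two values differ, so no prefix length leaks."""
    return hmac.compare_digest(sign(message, key), presented)


if __name__ == "__main__":
    expected = sign(b"order=1")
    # 'z' is not a hex digit, so every padded guess mismatches at position k.
    for k in (0, 10, 32):
        guess = expected[:k] + "z" * (len(expected) - k)
        ok, steps = compare_leaky(expected, guess)
        print(f"prefix {k:2d} correct -> leaky compare examined {steps} chars, ok={ok}")
    print("constant-time verdict on forgery:", verify_constant_time(b"order=1", "z" * 64))
```

The printed step counts (1, 11, 33) track the correct prefix length one for one; that is the signal the vulnerable class exposes and the constant-time comparison removes. In PHP code such as Magento, the equivalent hardened call is hash_equals().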

Adobe Illustrator

Adobe released an out-of-band patch tackling five critical vulnerabilities in Adobe Illustrator.

The following updates are rated as Priority 3. (For the definition of priorities, see Adobe Priority Rating System).

Vulnerability details are as follows:

| Vulnerability Category | Vulnerability Impact | Severity Level | CVE ID |
|---|---|---|---|
| Memory corruption | Arbitrary code execution | Critical | CVE-2020-9570, CVE-2020-9571, CVE-2020-9572, CVE-2020-9573, CVE-2020-9574 |

For details on the vulnerability impact and remediation, refer to the security bulletin at the following link:

https://helpx.adobe.com/security/products/illustrator/apsb20-20.html

Adobe Bridge

Adobe released an out-of-band patch tackling 17 critical and important vulnerabilities in Adobe Bridge.

The following updates are rated as Priority 3. (For the definition of priorities, see Adobe Priority Rating System).

Vulnerability details are as follows:

| Vulnerability Category | Vulnerability Impact | Severity Level | CVE ID |
|---|---|---|---|
| Stack-based buffer overflow | Arbitrary code execution | Critical | CVE-2020-9555 |
| Heap overflow | Arbitrary code execution | Critical | CVE-2020-9562, CVE-2020-9563 |
| Memory corruption | Arbitrary code execution | Critical | CVE-2020-9568 |
| Out-of-bounds write | Arbitrary code execution | Critical | CVE-2020-9554, CVE-2020-9556, CVE-2020-9559, CVE-2020-9560, CVE-2020-9561, CVE-2020-9564, CVE-2020-9565, CVE-2020-9569 |
| Use-after-free (UAF) | Arbitrary code execution | Critical | CVE-2020-9566, CVE-2020-9567 |
| Out-of-bounds read | Information disclosure | Important | CVE-2020-9553, CVE-2020-9557, CVE-2020-9558 |

For details on the vulnerability impact and remediation, refer to the security bulletin at the following link:

https://helpx.adobe.com/security/products/bridge/apsb20-19.html

Solution

Adobe has released new versions to patch the vulnerabilities in question. Users are advised to upgrade within the time frame given in the Adobe Priority Rating System.

For vulnerability details and remediation, please visit the preceding security bulletin links.

Adobe Priority Rating System

The Adobe Priority Rating System is a guideline to help our customers in managed environments prioritize Adobe security updates. We base our priority rankings on historical attack patterns for the relevant product, the type of vulnerability, the platform(s) affected, and any potential mitigations that are in place.

| Rating | Description |
|---|---|
| Priority 1 | This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible (for example, within 72 hours). |
| Priority 2 | This update resolves vulnerabilities in a product that has historically been at elevated risk. There are currently no known exploits. Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days). |
| Priority 3 | This update resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion. |

https://helpx.adobe.com/security/severity-ratings.html

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.