Overview
On February 12, local time, Adobe officially released security bulletins and advisories to announce security updates to patch multiple vulnerabilities in such products as Adobe Flash Player, Adobe Creative Cloud Desktop Application, ColdFusion, and Adobe Acrobat and Reader.
For details about the security bulletins and advisories, visit the following link:
https://helpx.adobe.com/security.html
Vulnerabilities
Adobe Flash Player
Adobe has released a security update for Adobe Flash Player on Windows, macOS, Linux, and Chrome OS platforms. Successful exploitation of these vulnerabilities could lead to disclosure of the current user's information.
Vulnerability details are as follows:
Vulnerability Impact | Vulnerability Type | Severity Level | CVE ID |
Information disclosure | Out-of-bounds read | Important | CVE-2019-7090 |
- Affected versions: V32.0.0.114 and earlier
- Unaffected versions:
Product | Version | Platform |
Adobe Flash Player Desktop Runtime | 32.0.0.142 | Windows and macOS |
Adobe Flash Player for Google Chrome | 32.0.0.142 | Windows, macOS, Linux, and Chrome OS |
Adobe Flash Player for Microsoft Edge and Internet Explorer 11 | 32.0.0.144 | Windows 10 and 8.1 |
Adobe Flash Player Desktop Runtime | 32.0.0.142 | Linux |
Reference link:
https://helpx.adobe.com/security/products/flash-player/apsb19-06.html
Adobe Creative Cloud Desktop Application
Adobe has released a security update for the Creative Cloud Desktop Application on Windows. This update addresses an insecure library loading vulnerability in the installer that could lead to privilege escalation.
Vulnerability details are as follows:
Vulnerability Impact | Vulnerability Type | Severity Level | CVE ID |
Privilege escalation | Insecure library loading (DLL hijacking) | Important | CVE-2019-7093 |
- Affected versions: V4.7.0.400 and earlier
- Unaffected version: V4.8.0.410
Reference link:
https://helpx.adobe.com/security/products/creative-cloud/apsb19-11.html
ColdFusion
Adobe has released security updates for ColdFusion 2018, 2016, and 11 to patch a vulnerability that could lead to arbitrary code execution.
Vulnerability details are as follows:
Vulnerability Impact | Vulnerability Type | Severity Level | CVE ID |
Arbitrary code execution | Untrusted data deserialization | Critical | CVE-2019-7091 |
Information disclosure | Cross-site scripting | Important | CVE-2019-7092 |
- Affected versions:
Product | Version | Platform |
ColdFusion 2018 | <= Update 1 | All |
ColdFusion 2016 | <= Update 7 | All |
ColdFusion 11 | <= Update 15 | All |
- Unaffected versions:
Product | Version | Platform |
ColdFusion 2018 | Update 2 | All |
ColdFusion 2016 | Update 8 | All |
ColdFusion 11 | Update 16 | All |
Reference link:
https://helpx.adobe.com/security/products/coldfusion/apsb19-10.html
Adobe Acrobat and Reader
Adobe has released security updates for Adobe Acrobat and Reader on Windows and macOS.
Vulnerability details are as follows:
Vulnerability Impact | Vulnerability Type | Severity Level | CVE ID |
Arbitrary code execution | Buffer overflow | Critical | CVE-2019-7020, CVE-2019-7085 |
Information disclosure | Sensitive data disclosure | Critical | CVE-2019-7089 |
Arbitrary code execution | Double free | Critical | CVE-2019-7080 |
Information disclosure | Integer overflow | Critical | CVE-2019-7030 |
Information disclosure | Out-of-bounds read | Important | CVE-2019-7021, CVE-2019-7022, CVE-2019-7023, CVE-2019-7024, CVE-2019-7028, CVE-2019-7032, CVE-2019-7033, CVE-2019-7034, CVE-2019-7035, CVE-2019-7036, CVE-2019-7038, CVE-2019-7045, CVE-2019-7047, CVE-2019-7049, CVE-2019-7053, CVE-2019-7055, CVE-2019-7056, CVE-2019-7057, CVE-2019-7058, CVE-2019-7059, CVE-2019-7063, CVE-2019-7064, CVE-2019-7065, CVE-2019-7067, CVE-2019-7071, CVE-2019-7073, CVE-2019-7074, CVE-2019-7081 |
Privilege escalation | Security bypass | Critical | CVE-2018-19725, CVE-2019-7041 |
Arbitrary code execution | Out-of-bounds write | Critical | CVE-2019-7019, CVE-2019-7027, CVE-2019-7037, CVE-2019-7039, CVE-2019-7052, CVE-2019-7060, CVE-2019-7079 |
Arbitrary code execution | Type confusion | Critical | CVE-2019-7069, CVE-2019-7086, CVE-2019-7087 |
Arbitrary code execution | Untrusted pointer dereference | Critical | CVE-2019-7042, CVE-2019-7046, CVE-2019-7051, CVE-2019-7054, CVE-2019-7066, CVE-2019-7076 |
Arbitrary code execution | Use after free | Critical | CVE-2019-7018, CVE-2019-7025, CVE-2019-7026, CVE-2019-7029, CVE-2019-7031, CVE-2019-7040, CVE-2019-7043, CVE-2019-7044, CVE-2019-7048, CVE-2019-7050, CVE-2019-7062, CVE-2019-7068, CVE-2019-7070, CVE-2019-7072, CVE-2019-7075, CVE-2019-7077, CVE-2019-7078, CVE-2019-7082, CVE-2019-7083, CVE-2019-7084 |
- Affected versions:
Product | Version | Platform |
Acrobat DC | <= 2019.010.20069 | Windows and macOS |
Acrobat Reader DC | <= 2019.010.20069 | Windows and macOS |
Acrobat 2017 | <= 2017.011.30113 | Windows and macOS |
Acrobat Reader 2017 | <= 2017.011.30113 | Windows and macOS |
- Unaffected versions:
Product | Version | Platform |
Acrobat DC | 2019.010.20091 | Windows and macOS |
Acrobat Reader DC | 2019.010.20091 | Windows and macOS |
Acrobat 2017 | 2017.011.30120 | Windows and macOS |
Acrobat Reader 2017 | 2017.011.30120 | Windows and macOS |
Reference link:
https://helpx.adobe.com/security/products/acrobat/apsb19-07.html
Solution
Adobe has officially released security updates to fix the preceding vulnerabilities. Users are advised to update their installation to the latest versions as soon as possible.
For vulnerability details and update procedures, visit the official link for each affected product.
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.