Overview
On August 13, 2019, local time, Adobe officially released August’s security updates to fix multiple vulnerabilities in its various products, including Adobe Photoshop CC, Adobe Experience Manager, Adobe Acrobat and Reader, Adobe Creative Cloud Desktop Application, Adobe Prelude CC, Adobe Premiere Pro CC, Adobe Character Animator CC, and Adobe After Effects CC.
For details about the security bulletins and advisories, visit the following link:
https://helpx.adobe.com/security.html
Fixed Vulnerabilities
Adobe Photoshop CC
Adobe has released security updates for Adobe Photoshop CC that address 34 vulnerabilities listed in the following table:
Vulnerability details are as follows:
Vulnerability Category | Vulnerability Impact | Severity Level | CVE ID |
Heap overflow | Arbitrary code execution | Critical | CVE-2019-7978, CVE-2019-7980, CVE-2019-7985, CVE-2019-7990, CVE-2019-7993 |
Type confusion | Arbitrary code execution | Critical | CVE-2019-7969, CVE-2019-7970, CVE-2019-7971, CVE-2019-7972, CVE-2019-7973, CVE-2019-7974, CVE-2019-7975 |
Out-of-bounds read | Memory leak | Important | CVE-2019-7977, CVE-2019-7981, CVE-2019-7987, CVE-2019-7991, CVE-2019-7992, CVE-2019-7995, CVE-2019-7996, CVE-2019-7997, CVE-2019-7998, CVE-2019-7999, CVE-2019-8000, CVE-2019-8001 |
Command injection | Arbitrary code execution | Critical | CVE-2019-7968, CVE-2019-7989 |
Out-of-bounds write | Arbitrary code execution | Critical | CVE-2019-7976, CVE-2019-7979, CVE-2019-7982, CVE-2019-7983, CVE-2019-7984, CVE-2019-7986, CVE-2019-7988, CVE-2019-7994 |
- Affected versions:
Photoshop CC version <= 19.1.8
Photoshop CC version <= 20.0.5
- Unaffected versions:
Photoshop CC version 19.1.9
Photoshop CC version 20.0.6
For details about the vulnerability impact and remediation, refer to the security bulletin from the following link:
https://helpx.adobe.com/security/products/photoshop/apsb19-44.html
Adobe Experience Manager
Adobe has released security updates for Adobe Experience Manager that address one vulnerability listed in the following table:
Vulnerability details are as follows:
Vulnerability Category | Vulnerability Impact | Severity Level | CVE ID |
Authentication bypass | Remote code execution | Critical | CVE-2019-7964 |
- Affected versions:
Adobe Experience Manager 6.5 and 6.4
- Unaffected versions:
The hotfix of Adobe Experience Manager 6.5, HOTFIX 30379 for AEM 6.5.0
https://www.adobeaemcloud.com/content/packageshare/tools/login.html?resource=%2Fcontent%2Fmarketplace%2FmarketplaceProxy.html%3FpackagePath%3D%2Fcontent%2Fcompanies%2Fpublic%2Fadobe%2Fpackages%2Fcq650%2Fhotfix%2Fcq-6.5.0-hotfix-30379&$$login$$=%24%24login%24%24
The hotfix of Adobe Experience Manager 6.4, HOTFIX 30379 for AEM 6.4.0
https://www.adobeaemcloud.com/content/packageshare/tools/login.html?resource=%2Fcontent%2Fmarketplace%2FmarketplaceProxy.html%3FpackagePath%3D%2Fcontent%2Fcompanies%2Fpublic%2Fadobe%2Fpackages%2Fcq640%2Fhotfix%2Fcq-6.4.0-hotfix-30379&$$login$$=%24%24login%24%24
For details about the vulnerability impact and remediation, refer to the security bulletin from the following link:
https://helpx.adobe.com/security/products/experience-manager/apsb19-42.html
Adobe Acrobat and Reader
Adobe has released security updates for Adobe Acrobat and Reader that address multiple vulnerabilities listed in the following table:
Vulnerability details are as follows:
Vulnerability Category | Vulnerability Impact | Severity Level | CVE ID |
Out-of-bounds read | Information disclosure | Important | CVE-2019-8077, CVE-2019-8094, CVE-2019-8095, CVE-2019-8096, CVE-2019-8102, CVE-2019-8103, CVE-2019-8104, CVE-2019-8105, CVE-2019-8106, CVE-2019-8002, CVE-2019-8004, CVE-2019-8005, CVE-2019-8007, CVE-2019-8010, CVE-2019-8011, CVE-2019-8012, CVE-2019-8018, CVE-2019-8020, CVE-2019-8021, CVE-2019-8032, CVE-2019-8035, CVE-2019-8037, CVE-2019-8040, CVE-2019-8043, CVE-2019-8052 |
Out-of-bounds write | Arbitrary code execution | Important | CVE-2019-8098, CVE-2019-8100, CVE-2019-7965, CVE-2019-8008, CVE-2019-8009, CVE-2019-8016, CVE-2019-8022, CVE-2019-8023, CVE-2019-8027 |
Command injection | Arbitrary code execution | Important | CVE-2019-8060 |
Use after free | Arbitrary code execution | Important | CVE-2019-8003, CVE-2019-8013, CVE-2019-8024, CVE-2019-8025, CVE-2019-8026, CVE-2019-8028, CVE-2019-8029, CVE-2019-8030, CVE-2019-8031, CVE-2019-8033, CVE-2019-8034, CVE-2019-8036, CVE-2019-8038, CVE-2019-8039, CVE-2019-8047, CVE-2019-8051, CVE-2019-8053, CVE-2019-8054, CVE-2019-8055, CVE-2019-8056, CVE-2019-8057, CVE-2019-8058, CVE-2019-8059, CVE-2019-8061 |
Heap overflow | Arbitrary code execution | Important | CVE-2019-7832, CVE-2019-8014, CVE-2019-8015, CVE-2019-8041, CVE-2019-8042, CVE-2019-8046, CVE-2019-8049, CVE-2019-8050 |
Buffer overflow | Arbitrary code execution | Important | CVE-2019-8048 |
Double free | Arbitrary code execution | Important | CVE-2019-8044 |
Integer overflow | Information disclosure | Important | CVE-2019-8099, CVE-2019-8101 |
Internal IP disclosure | | Important | CVE-2019-8097 |
Type confusion | Arbitrary code execution | Important | CVE-2019-8019 |
Untrusted pointer dereference | Arbitrary code execution | Important | CVE-2019-8006, CVE-2019-8017, CVE-2019-8045 |
- Affected versions:
Product | Affected Version | Platform |
Acrobat DC | <= 2019.012.20034 | macOS |
Acrobat Reader DC | <= 2019.012.20034 | macOS |
Acrobat DC | <= 2019.012.20035 | Windows |
Acrobat Reader DC | <= 2019.012.20035 | Windows |
Here, only affected versions of the Continuous series are listed. For affected versions of other series, see the official bulletin.
- Unaffected versions:
Acrobat DC Version == 2019.012.20036
Acrobat Reader DC Version == 2019.012.20036
For details about the vulnerability impact and remediation, refer to the security bulletin from the following link:
https://helpx.adobe.com/security/products/acrobat/apsb19-41.html
Adobe Creative Cloud Desktop Application
Adobe has released security updates for Adobe Creative Cloud Desktop Application that address four vulnerabilities listed in the following table:
Vulnerability details are as follows:
Vulnerability Category | Vulnerability Impact | Severity Level | CVE ID |
Insecure transmission of sensitive data | Information disclosure | Important | CVE-2019-8063 |
Security policy bypass | Denial of service | Important | CVE-2019-7957 |
Insecure privilege inheritance | Privilege escalation | Critical | CVE-2019-7958 |
Use of components with a known vulnerability | Arbitrary code execution | Critical | CVE-2019-7959 |
- Affected versions:
Adobe Creative Cloud Desktop Application Version <= 4.6.1
- Unaffected versions:
Adobe Creative Cloud Desktop Application Version == 4.9
For details about the vulnerability impact and remediation, refer to the security bulletin from the following link:
https://helpx.adobe.com/security/products/creative-cloud/apsb19-39.html
Adobe Prelude CC
Adobe has released security updates for Adobe Prelude CC that address one vulnerability listed in the following table:
Vulnerability details are as follows:
Vulnerability Category | Vulnerability Impact | Severity Level | CVE ID |
Insecure library loading (DLL hijacking) | Arbitrary code execution | Important | CVE-2019-7961 |
- Affected versions:
Adobe Prelude CC 2019 Version <= 8.1
- Unaffected versions:
Adobe Prelude CC 2019 Version == 8.1.1
For details about the vulnerability impact and remediation, refer to the security bulletin from the following link:
https://helpx.adobe.com/security/products/prelude/apsb19-35.html
Adobe Premiere Pro CC
Adobe has released security updates for Adobe Premiere Pro CC that address one vulnerability listed in the following table:
Vulnerability details are as follows:
Vulnerability Category | Vulnerability Impact | Severity Level | CVE ID |
Insecure library loading (DLL hijacking) | Arbitrary code execution | Important | CVE-2019-7931 |
- Affected versions:
Adobe Premiere Pro CC 2019 Version <= 13.1.2
- Unaffected versions:
Adobe Premiere Pro CC 2019 Version == 13.1.3
For details on vulnerability impact and remediation, refer to the security bulletin at the following link:
https://helpx.adobe.com/security/products/premiere_pro/apsb19-33.html
Adobe Character Animator CC
Adobe has released a security update for Adobe Character Animator which addresses one vulnerability listed in the following table:
Vulnerability details are as follows:
Vulnerability Category | Vulnerability Impact | Severity Level | CVE ID |
Insecure library loading (DLL hijacking) | Arbitrary code execution | Important | CVE-2019-7870 |
- Affected versions:
Adobe Character Animator CC 2019 Version <= 2.1
- Unaffected versions:
Adobe Character Animator CC 2019 Version == 2.1.1
For details on vulnerability impact and remediation, refer to the security bulletin at the following link:
https://helpx.adobe.com/security/products/character_animator/apsb19-32.html
Adobe After Effects CC
Adobe has released security updates for Adobe After Effects CC that address one vulnerability listed in the following table:
Vulnerability details are as follows:
Vulnerability Category | Vulnerability Impact | Severity Level | CVE ID |
Insecure library loading (DLL hijacking) | Arbitrary code execution | Important | CVE-2019-8062 |
- Affected versions:
Adobe After Effects CC 2019 Version <= 16
- Unaffected versions:
Adobe After Effects CC 2019 Version == 16.1.2
For details on vulnerability impact and remediation, refer to the security bulletin at the following link:
https://helpx.adobe.com/security/products/after_effects/apsb19-31.html
Solution
Adobe has officially released security updates to fix the preceding vulnerabilities. Users are advised to update their installation to the latest versions as soon as possible.
For vulnerability details and remediation, please visit the preceding security bulletin links.
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.