Adobe has released 59 patches to correct flaws across its product range on September 2021 Patch Tuesday, with 15 products receiving updates this month. 36 of the vulnerabilities have been rated critical and allow remote execution of arbitrary code.
Several of the patches have been given a priority rating of 2, which means there is an elevated risk of the flaws being exploited in the wild. While there have been no known cases of exploitation of any of the flaws at the time of releasing the patches, users of affected Adobe products are advised to apply the updates as soon as possible, especially users of products that are often targeted by hackers, such as Adobe Acrobat and Adobe Reader. It is those two products that have received the highest number of fixes this month. 26 of the month’s 59 patches are for Adobe Acrobat/Adobe Reader, and 13 of those flaws have been rated critical. The bugs range in severity from 3.3 to 8.8 on the CVSS scale.
Adobe FrameMaker gets 8 patches to fix 4 bugs rated critical, 3 rated important, and 1 rated moderate. The most serious flaw is an "access of memory location after end of buffer" issue that can lead to arbitrary code execution. The flaw is rated 8.8/10, with the remaining flaws ranging in severity from 3.3 to 7.8.
Adobe Premiere Elements gets fixes for 5 critical flaws and 1 important flaw, all of which can lead to arbitrary code execution. The most serious flaw has a severity score of 8.8 out of 10. The remaining flaws range in severity from 5.5 to 7.8. Adobe Experience Manager gets fixes for four vulnerabilities: three are rated important (CVSS 5.9-6.5) and one is a critical RCE vulnerability with a severity score of 7.5.
Three critical code execution flaws have been fixed in Adobe InDesign, two of which are rated 7.8, with the most serious rated 8.8. Adobe Creative Cloud Desktop Application has one critical bug patched with a severity score of 7.0, and two critical flaws have been addressed in Adobe ColdFusion, both of which have a severity score of 7.4/10. Adobe Photoshop receives a single patch to address a critical vulnerability that can lead to remote code execution, with a CVSS score of 7.8.
Adobe SVG-Native-Viewer and Adobe Premiere Pro have both had one critical vulnerability fixed that has been given a 7.8 CVSS severity score. Adobe InCopy gets fixes for three critical flaws, two with a CVSS severity score of 7.8 and one arbitrary file system write bug rated 8.8. Adobe Photoshop Elements only gets one patch, but it is a serious out-of-bounds write RCE flaw with a severity score of 8.8.
Adobe Digital Editions gets fixes for two critical vulnerabilities and one important vulnerability. The critical flaws are an arbitrary file system write bug (CVSS 7.8) and an RCE flaw (CVSS 8.6). The important privilege escalation bug has a severity score of 5.8. Adobe Genuine Service has been patched to fix a critical privilege escalation flaw with a severity rating of 7.3. Adobe XMP Toolkit SDK has an arbitrary file system read vulnerability fixed that is rated important (CVSS 5.5).