April 13, 2022

9VSA22-00619-01 CSIRT alert on critical vulnerabilities in Adobe products

Summary

The Computer Security Incident Response Team of the Government of Chile, CSIRT de Gobierno, shares new vulnerabilities reported by Adobe for some of its products.

This report includes the mitigation measures, which consist of installing the latest update of the affected products.

Vulnerabilities

CVE-2022-24093

CVE-2022-24101

CVE-2022-24103

CVE-2022-24104

CVE-2022-27785

CVE-2022-24102

CVE-2022-27783

CVE-2022-27784

CVE-2022-27786

CVE-2022-27787

CVE-2022-27788

CVE-2022-27789

CVE-2022-27790

CVE-2022-27791

CVE-2022-27792

CVE-2022-27793

CVE-2022-27794

CVE-2022-27795

CVE-2022-27796

CVE-2022-27797

CVE-2022-27798

CVE-2022-27799

CVE-2022-27800

CVE-2022-27801

CVE-2022-27802

CVE-2022-28230

CVE-2022-28231

CVE-2022-28232

CVE-2022-28233

CVE-2022-28234

CVE-2022-28235

CVE-2022-28236

CVE-2022-28237

CVE-2022-28238

CVE-2022-28239

CVE-2022-28240

CVE-2022-28241

CVE-2022-28242

CVE-2022-28243

CVE-2022-28244

CVE-2022-28245

CVE-2022-28246

CVE-2022-28247

CVE-2022-28248

CVE-2022-28249

CVE-2022-28250

CVE-2022-28251

CVE-2022-28252

CVE-2022-28253

CVE-2022-28254

CVE-2022-28255

CVE-2022-28256

CVE-2022-28257

CVE-2022-28258

CVE-2022-28259

CVE-2022-28260

CVE-2022-28261

CVE-2022-28262

CVE-2022-28263

CVE-2022-28264

CVE-2022-28265

CVE-2022-28266

CVE-2022-28267

CVE-2022-28268

CVE-2022-28269

CVE-2022-28270

CVE-2022-28271

CVE-2022-28272

CVE-2022-28273

CVE-2022-28274

CVE-2022-28275

CVE-2022-28276

CVE-2022-28277

CVE-2022-28278

CVE-2022-28279

CVE-2022-24105

CVE-2022-24098

CVE-2022-23205

Impact

Vulnerabilities rated as critical risk:

CVE-2022-24093: Arbitrary code execution vulnerability in Magento Open Source and Adobe Commerce, caused by improper input validation.

CVE-2022-28270, CVE-2022-28272, CVE-2022-28273, CVE-2022-28274, CVE-2022-28275, CVE-2022-28276, CVE-2022-2827, CVE-2022-28278, CVE-2022-24105 and CVE-2022-23205: Remote code execution vulnerabilities affecting Photoshop, caused by an out-of-bounds write error.

CVE-2022-28271 and CVE-2022-28279: Arbitrary code execution vulnerabilities in Photoshop, caused by use-after-free errors.

CVE-2022-24098: Arbitrary code execution vulnerability in Photoshop, caused by improper input validation.

CVE-2022-24103, CVE-2022-24104, CVE-2022-27785, CVE-2022-24102, CVE-2022-27786, CVE-2022-27789, CVE-2022-27790, CVE-2022-27799, CVE-2022-27800, CVE-2022-27801, CVE-2022-27802, CVE-2022-28230, CVE-2022-28232, CVE-2022-28233, CVE-2022-27795, CVE-2022-27796, CVE-2022-27797, CVE-2022-28235, CVE-2022-28237, CVE-2022-28238, CVE-2022-28240 and CVE-2022-28242: Arbitrary code execution vulnerabilities in Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Acrobat 2017 and Acrobat Reader 2017, caused by use-after-free errors.

CVE-2022-27787, CVE-2022-27788, CVE-2022-27792, CVE-2022-27793, CVE-2022-27798, CVE-2022-28231, CVE-2022-28236, CVE-2022-28239, CVE-2022-28241 and CVE-2022-28243: Arbitrary code execution vulnerabilities in Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Acrobat 2017 and Acrobat Reader 2017, caused by an out-of-bounds write error.

CVE-2022-27791 and CVE-2022-28234: Arbitrary code execution vulnerabilities in Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Acrobat 2017 and Acrobat Reader 2017, caused by a heap-based buffer overflow error.

CVE-2022-27794: Arbitrary code execution vulnerability in Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Acrobat 2017 and Acrobat Reader 2017, caused by an error of type “Access of uninitialized pointer”.

Affected products

Adobe Commerce 2.4.3-p1 and earlier, 2.3.7-p2 and earlier.

Magento Open Source 2.4.3-p1 and earlier, 2.3.7-p2 and earlier.

Acrobat DC 22.001.20085 and earlier.

Acrobat Reader DC 22.001.20085 and earlier.

Acrobat 2020 20.005.30314 and earlier (Windows).

Acrobat 2020 20.005.30311 and earlier (macOS).

Acrobat Reader 2020 20.005.30314 and earlier (Windows).

Acrobat Reader 2020 20.005.30311 and earlier (macOS).

Acrobat 2017 17.012.30205 and earlier.

Acrobat Reader 2017 17.012.30205 and earlier.

Photoshop 2021 version 22.5.6 and earlier.

Photoshop 2022 version 23.2.2 and earlier.

Adobe After Effects 22.2.1 and earlier, 18.4.5 and earlier.

Mitigation

Install the corresponding updates provided by the vendor.

Links

https://helpx.adobe.com/security/products/magento/apsb22-13.html

https://helpx.adobe.com/security/products/acrobat/apsb22-16.html

https://helpx.adobe.com/security/products/after_effects/apsb22-19.html

https://helpx.adobe.com/security/products/photoshop/apsb22-20.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24093

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24101

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24103

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24104

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27785

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24102

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27783

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27784

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27786

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27787

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27788

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27789

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27790

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27791

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27792

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27793

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27794

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27795

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27796

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27797

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27798

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27799

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27800

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27801

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27802

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28230

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28231

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28232

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28233

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28234

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28235

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28236

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28236

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28238

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28239

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28240

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28241

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28242

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28243

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28244

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28245

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28246

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28247

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28248

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28249

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28250

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28251

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28252

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28253

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28254

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28255

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28256

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28257

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28258

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28259

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28260

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28261

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28262

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28263

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28264

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28265

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28266

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28267

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28268

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28269

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28270

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28271

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28272

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28273

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28274

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28275

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28276

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28277

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28278

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28279

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24105

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24098

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23205

Report

The official report published by the CSIRT of the Government of Chile is available at the following link: 9VSA22-00619-01.
