Bulletin ID
Last updated on
May 16, 2021
|
Also applies to Adobe Connect
Security updates available for Adobe Connect | APSB17-35
|
|
Date Published |
Priority |
|---|---|---|
|
APSB17-35 |
November 14, 2017 |
3 |
Summary
Adobe has released a security update for Adobe Connect. This update resolves a critical Server-Side Request Forgery (SSRF) vulnerability (CVE-2017-11291) that could be abused to bypass network access controls. This update also resolves three input validation vulnerabilities rated Important (CVE-2017-11287, CVE-2017-11288, CVE-2017-11289) that could be used in reflected cross-site scripting attacks. Finally, this update includes a feature that enables Connect administrators to protect users from UI redressing (or clickjacking) attacks (CVE-2017-11290).
Affected product versions
|
Product |
Version |
Platform |
|---|---|---|
|
Adobe Connect |
9.6.2 and earlier |
All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:
|
Product |
Version |
Platform |
Priority |
Availability |
|---|---|---|---|---|
|
Adobe Connect |
9.7 |
All |
3 |
Note:
Adobe Connect 9.7 rolls out in following phases:
Hosted services: Starting November 10, 2017; check the migration schedule for your account here.
On-premise deployments: Starting November 17, 2017
Managed services: Contact your Adobe Connect managed services representative to schedule your update.
Vulnerability details
|
Vulnerability Category |
Vulnerability Impact |
Severity |
CVE Number |
|---|---|---|---|
|
Server-Side Request Forgery (SSRF) |
Network access control bypass |
Critical |
CVE-2017-11291 |
|
Reflected Cross-site Scripting |
Information disclosure |
Important |
CVE-2017-11287 |
|
Reflected Cross-site Scripting |
Information disclosure |
Important |
CVE-2017-11288 |
|
Reflected Cross-site Scripting |
Information disclosure |
Important |
CVE-2017-11289 |
|
UI Redress (or Clickjacking) |
Information disclosure |
Important |
CVE-2017-11290 |
Acknowledgments
Adobe would like to thank the following individuals for reporting these issues and for working with Adobe to help protect our customers:
- Adam Willard of Blue Canopy (CVE-2017-11289)
- Alexis Laborier (CVE-2017-11287)
- Pedro Cardoso (CVE-2017-11288)
- Deniz CEVIK from Biznet Bilisim A.S (CVE-2017-11291)
Adobe MAX
The Creativity Conference
Oct 14–16 Miami Beach and online
Adobe MAX
The Creativity Conference
Oct 14–16 Miami Beach and online