Vulnerability Name: CVE-2009-2979 (CCN-53763)
Assigned: 2009-10-13
Published: 2009-10-13
Updated: 2018-10-30
Summary: Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 do not properly perform XMP-XML entity expansion, which allows remote attackers to cause a denial of service via a crafted document.
Per: http://www.adobe.com/support/security/bulletins/apsb09-15.html
Critical vulnerabilities have been identified in Adobe Reader 9.1.3 and Acrobat 9.1.3, Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh and UNIX, and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system. This update represents the second quarterly security update for Adobe Reader and Acrobat.
Adobe recommends users of Adobe Reader 9.1.3 and Acrobat 9.1.3 and earlier versions update to Adobe Reader 9.2 and Acrobat 9.2. Adobe recommends users of Acrobat 8.1.6 and earlier versions update to Acrobat 8.1.7, and users of Acrobat 7.1.3 and earlier versions update to Acrobat 7.1.4. For Adobe Reader users who cannot update to Adobe Reader 9.2, Adobe has provided the Adobe Reader 8.1.7 and Adobe Reader 7.1.4 updates. Updates apply to all platforms: Windows, Macintosh and UNIX.
Affected software versions
Adobe Reader 9.1.3 and earlier versions for Windows, Macintosh, and UNIX
Adobe Acrobat 9.1.3 and earlier versions for Windows and Macintosh
Per: http://www.adobe.com/support/security/bulletins/apsb09-15.html
Solution
Adobe Reader
Adobe Reader users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.
Adobe Reader users on Macintosh can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.
Adobe Reader users on UNIX can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix.
Acrobat
Acrobat Standard and Pro users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.
Acrobat Pro Extended users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows
Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows.
Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.

CVSS v3 Severity:
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): High

CVSS v2 Severity:
4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Partial

7.1 High (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C)
5.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Complete

4.3 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
3.2 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Partial

Vulnerability Type: CWE-Other
Vulnerability Consequences: Denial of Service

References:
Source: MITRE; Type: CNA; CVE-2009-2979
Source: CCN; Type: RHSA-2009-1499; Critical: acroread security update
Source: CCN; Type: SECTRACK ID: 1023007; Adobe Acrobat and Adobe Reader Flaws Lets Remote Users Execute Arbitrary Code and Deny Service
Source: SECTRACK; Type: UNKNOWN; 1023007
Source: CCN; Type: Sun Alert: 270669; Multiple Security Vulnerabilities in Adobe Reader for Solaris 10 May Allow Execution of Arbitrary Code or Cause Denial of Service (DoS) - Adobe Security Bulletin APSB09-15
Source: CCN; Type: Adobe Product Security Bulletin APSB09-15; Security Advisory for Adobe Reader and Acrobat
Source: CONFIRM; Type: Patch, Vendor Advisory; http://www.adobe.com/support/security/bulletins/apsb09-15.html
Source: CCN; Type: GLSA-200910-03; Adobe Reader: Multiple vulnerabilities
Source: CCN; Type: OSVDB ID: 58921; Adobe Reader / Acrobat XMP-XML Entity Expansion Unspecified DoS
Source: BID; Type: UNKNOWN; 36638
Source: CCN; Type: BID-36638; RETIRED: Adobe Reader and Acrobat October 2009 Multiple Remote Vulnerabilities
Source: CCN; Type: BID-36686; Adobe Reader and Acrobat XMP-XML Entity Expansion Denial of Service Vulnerability
Source: CERT; Type: Patch, US Government Resource; TA09-286B
Source: VUPEN; Type: Patch, Vendor Advisory; ADV-2009-2898
Source: XF; Type: UNKNOWN; adobe-xmpxml-dos(53763)
Source: OVAL; Type: UNKNOWN; oval:org.mitre.oval:def:6280
Source: SUSE; Type: SUSE-SA:2009:049; Acrobat Reader Security update

Vulnerable Configuration:
Configuration RedHat 1: cpe:/a:redhat:rhel_extras:3:*:*:*:*:*:*:*
Configuration RedHat 2: cpe:/a:redhat:rhel_extras:4:*:*:*:*:*:*:*
Configuration RedHat 3: cpe:/a:redhat:rhel_extras:5:*:*:*:*:*:*:*
Configuration 1:
adobe acrobat 7.0
adobe acrobat 7.0.1
adobe acrobat 7.0.2
adobe acrobat 7.0.3
adobe acrobat 7.0.4
adobe acrobat 7.0.5
adobe acrobat 7.0.6
adobe acrobat 7.0.7
adobe acrobat 7.0.8
adobe acrobat 7.0.9
adobe acrobat 7.1.0
adobe acrobat 7.1.1
adobe acrobat 7.1.3
adobe acrobat 8.0
adobe acrobat 8.1
adobe acrobat 8.1.1
adobe acrobat 8.1.2
adobe acrobat 8.1.3
adobe acrobat 8.1.4
adobe acrobat 8.1.6
adobe acrobat 9.0
adobe acrobat 9.1.1
adobe acrobat 9.1.2
adobe acrobat * (Version <= 9.1.3)
Configuration 2:
adobe acrobat reader 7.0
adobe acrobat reader 7.0.1
adobe acrobat reader 7.0.2
adobe acrobat reader 7.0.3
adobe acrobat reader 7.0.4
adobe acrobat reader 7.0.5
adobe acrobat reader 7.0.6
adobe acrobat reader 7.0.7
adobe acrobat reader 7.0.8
adobe acrobat reader 7.0.9
adobe acrobat reader 7.1.0
adobe acrobat reader 7.1.1
adobe acrobat reader 7.1.3
adobe acrobat reader 8.0
adobe acrobat reader 8.1
adobe acrobat reader 8.1.1
adobe acrobat reader 8.1.2
adobe acrobat reader 8.1.3
adobe acrobat reader 8.1.4
adobe acrobat reader 8.1.5
adobe acrobat reader 8.1.6
adobe acrobat reader 9.0
adobe acrobat reader 9.1
adobe acrobat reader 9.1.1
adobe acrobat reader 9.1.2
adobe acrobat reader * (Version <= 9.1.3)
Configuration CCN 1:
adobe acrobat 7.0
adobe acrobat 7.0.1
adobe acrobat 3.0
adobe acrobat 3.1
adobe acrobat 4.0
adobe acrobat 4.0.5
adobe acrobat 4.0.5a
adobe acrobat 4.0.5c
adobe acrobat 5.0
adobe acrobat 5.0.10
adobe acrobat 5.0.5
adobe acrobat 5.0.6
adobe acrobat 6.0
adobe acrobat 6.0.1
adobe acrobat 6.0.2
adobe acrobat 6.0.3
adobe acrobat 6.0.4
adobe acrobat 6.0.5
adobe acrobat 7.0.2
adobe acrobat 7.0.3
adobe acrobat 7.0.4
adobe acrobat 7.0.5
adobe acrobat 7.0.6
adobe acrobat 7.0.7
adobe acrobat 7.0.8
adobe acrobat 7.0.9
adobe acrobat 8.1
adobe acrobat 8.1.1
adobe acrobat 9
adobe acrobat 8.1.2
adobe reader 7.0.1
adobe reader 7.0.2
adobe reader 7.0.3
adobe reader 7.0.5
adobe reader 7.0.7
adobe reader 7.0.8
adobe reader 7.0.9
adobe reader 8.1.1
adobe reader 9.0
adobe reader 7.1.0
adobe reader 8.1.2
adobe reader 7.1.1
adobe reader 8.1.4
adobe reader 9.1
adobe acrobat 9.1
adobe acrobat 9.1.1
adobe acrobat 9.0.0
adobe acrobat 8.1.3
adobe acrobat 8.1.4
adobe acrobat 9.1.2
adobe reader 9.1.2
adobe acrobat 9.1.3
adobe acrobat 7.1.3
adobe acrobat 8.1.6
adobe reader 3.0
adobe reader 4.0
adobe reader 4.0.5
adobe reader 4.0.5a
adobe reader 4.0.5c
adobe reader 4.5
adobe reader 5.0
adobe reader 5.0.10
adobe reader 5.0.11
adobe reader 5.0.5
adobe reader 6.0
adobe reader 5.1
adobe reader 5.0.9
adobe reader 5.0.7
adobe reader 5.0.6
adobe reader 6.0.5
adobe reader 6.0.4
adobe reader 6.0.3
adobe reader 6.0.2
adobe reader 6.0.1
adobe reader 7.1.3
adobe reader 9.1.3
adobe reader 8.1.6
gentoo linux *
sun solaris 10
redhat rhel extras 3
redhat rhel extras 4
novell opensuse 10.3
novell opensuse 11.0