Adobe has provided security updates for five products. The updates eliminate 18 security vulnerabilities, most of which are classified as critical.
Adobe again provided important security updates on Patch Day in May. The manufacturer has eliminated 18 security gaps in five programs, almost all of which it has classified as critical. Affected are FrameMaker, InDesign, InCopy, Character Animator and ColdFusion. Matt Powell, a security researcher at Trend Micro ZDI, discovered 17 of the 18 vulnerabilities and reported them to Adobe. According to Adobe, none of the vulnerabilities have been used for attacks so far.
Matt Powell found ten vulnerabilities (CVE-2022-28821 to -28830) in FrameMaker 2019 up to Update 8 and FrameMaker 2020 up to Update 4 for Windows. Adobe classifies nine of these vulnerabilities as critical because they could allow an attacker to inject and execute arbitrary code. To close the gaps, Adobe has provided hotfix packages with corrected DLLs (program libraries) for the FrameMaker versions mentioned. Affected users have to unpack the ZIP file after downloading it and copy the new DLLs to the installation directory themselves, overwriting the old files.
InDesign up to and including versions 16.4.1 and 17.1 for Windows and macOS has three critical vulnerabilities (CVE-2022-28831 to -28833) that Adobe has now closed. All three can be used to inject and execute arbitrary code (RCE: Remote Code Execution). The remedy is to update to the new versions InDesign 16.4.2 and 17.2 for Windows and macOS.
In InCopy up to and including versions 16.4.1 and 17.1 for Windows and macOS, Matt Powell has discovered three RCE vulnerabilities (CVE-2022-28834 to -28836) that Adobe classifies as critical. Here, too, updates to the new versions InDesign 16.4.2 and 17.2 for Windows and macOS are the solution.
In Character Animator 2021 up to and including version 4.4.2 and Character Animator 2022 up to and including version 22.3 for Windows and macOS, there is only one critical gap to be filled. The RCE vulnerability CVE-2022-28819 is fixed by updates to Character Animator 2021 4.4.7 and Character Animator 2022 22.4.
The only vulnerability not discovered by Matt Powell affects ColdFusion 2018 up to Update 13 and ColdFusion 2021 up to version 3. Adobe identifies the RCE vulnerability CVE-2022-28818 as high risk. Adobe fixed the vulnerability in ColdFusion 2018 Update 14 and ColdFusion 2021 Update 4. The manufacturer also points out that a server is only secure if Java (JDK/JRE) is also up to date. Oracle last provided security updates for Java in April.
The current Adobe Security Bulletins can be found on the manufacturer’s website.