JVNDB-2012-000079

Adobe Reader fails to properly handle signatures

Overview

Adobe Reader fails to properly handle RSA signatures.

Adobe Reader contains an issue where it may fail to properly verify RSA signatures.

Masahiko Takenaka of FUJITSU LABORATORIES LTD. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

Adobe Systems, Inc.
  • Adobe Reader 8.x and earlier
Hitachi, Ltd
  • Cosminexus Application Server Enterprise Version 6
  • Cosminexus Application Server Standard Version 6
  • Cosminexus Application Server Version 5
  • Cosminexus Developer Light Version 6
  • Cosminexus Developer Professional Version 6
  • Cosminexus Developer Standard Version 6
  • Cosminexus Developer Version 5
  • Cosminexus Server - Enterprise Edition
  • Cosminexus Server - Standard Edition
  • Cosminexus Server - Standard Edition Version 4
  • Cosminexus Server - Web Edition
  • Cosminexus Server - Web Edition Version 4
  • Hitachi Web Server
  • uCosminexus Application Server Enterprise
  • uCosminexus Application Server Standard
  • uCosminexus Developer Professional
  • uCosminexus Developer Light
  • uCosminexus Developer Standard
  • uCosminexus Service Architect
  • uCosminexus Service Platform

Please refer to HS07-034 provided by Hitachi for more details.

Impact

An attacker may be able to forge an RSA signature on a PDF document.

Solution

[Update the software]
Update to the latest version according to the information provided by the developer.

Note that this issue was resolved in Adobe Reader 9.

Vendor Information

Adobe Systems, Inc.
Hitachi, Ltd
  • Hitachi Software Vulnerability Information : HS07-034

CWE

  1. Credentials Management (CWE-255) [IPA Evaluation]

CVE

  1. CVE-2006-4339

References

  1. JVN : JVN#51615542
  2. National Vulnerability Database (NVD) : CVE-2006-4339
  3. US-CERT Vulnerability Note : US-CERT Vulnerability Note VU#845620

Revision History

  • [2012/08/30]
      Web page was published
  • [2014/05/23]
      Affected Products : Products were added
      Vendor Information : Content was added