Adobe and VMware pushed out critical out-of-band updates for After Effects and vRealize Operations for Horizon Adapter, fixing flaws which, if exploited, could lead to arbitrary code execution.
The Adobe issue, CVE-2020-3765, is an out-of-bounds write vulnerability affecting After Effects version 16.1.2 and earlier versions for Windows. Adobe is recommending that admins update to version 17.0.3 through the Creative Cloud desktop app's update mechanism.
This comes one week after Adobe's usual Patch Tuesday offering on February 12, which impacted Flash Player, FrameMaker, Reader and Reader DC, Digital Editions and Experience Manager.
VMware's update covered the critical CVE-2020-3943, CVE-2020-3944 and CVE-2020-3945. The fix for all three flaws has been posted.
CVE-2020-3943 covers a JMX RMI service that is not securely configured, which could allow an unauthenticated remote attacker who has network access to vRealize Operations, with the Horizon Adapter running, to execute code.
CVE-2020-3944 covers an improper trust store configuration leading to authentication bypass, which could let an unauthenticated remote attacker with network access to vRealize Operations, with the Horizon Adapter running, bypass Adapter authentication.
CVE-2020-3945 is an information disclosure vulnerability due to an incorrect pairing implementation between the vRealize Operations for Horizon Adapter and Horizon View. As with the previous two vulnerabilities, an unauthenticated person with access to vRealize Operations, with the Horizon Adapter running, may obtain data that can then be used to bypass the adapter authentication mechanism.