Adobe and VMware pushed out critical out-of-band updates for After Effects and vRealize Operations for Horizon Adapter, addressing flaws which, if exploited, could lead to arbitrary code execution.
The Adobe issue, CVE-2020-3765, is an out-of-bounds write vulnerability affecting After Effects version 16.1.2 and earlier versions for Windows. Adobe is recommending that admins update to version 17.0.3 through its Creative Cloud desktop app’s
This comes one week after Adobe’s usual Patch Tuesday offering on February 12 that impacted Flash Player, Framemaker, Reader and Reader DC, Digital Edition and Experience Manager.
VMware’s update covered the critical CVE-2020-3943, CVE-2020-3944 and CVE-2020-3945. The fix for all three flaws has been posted.
CVE-2020-3943 covers a JMX RMI service that is not securely configured, which could allow an unauthenticated remote attacker who has network access to vRealize Operations, with the Horizon Adapter running, to execute code.
CVE-2020-3944 is an improper trust store configuration leading to authentication bypass, which could let an unauthenticated remote attacker with network access to vRealize Operations, with the Horizon Adapter running, bypass Adapter authentication.
CVE-2020-3945 is an information disclosure vulnerability due to an incorrect pairing implementation between the vRealize Operations for Horizon Adapter and Horizon View. As with the previous two vulnerabilities, an unauthenticated person with access to vRealize Operations, with the Horizon Adapter running, may obtain data which can then be used to bypass the adapter authentication mechanism.