CVE-2021-45057

7.8 HIGH

📋 TL;DR

Adobe InDesign versions 16.4 and earlier contain an out-of-bounds write vulnerability in JPEG2000 file parsing. Attackers can exploit this by tricking users into opening malicious JPEG2000 files, potentially leading to arbitrary code execution with the victim's privileges. This affects all users running vulnerable versions of Adobe InDesign.

💻 Affected Systems

Products:
  • Adobe InDesign
Versions: 16.4 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable when processing JPEG2000 files.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise via arbitrary code execution leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case: Local privilege escalation leading to user account compromise, data exfiltration, or malware installation.

🟢 If Mitigated: Limited impact with proper application sandboxing and user privilege restrictions, potentially only causing application crashes.

🌐 Internet-Facing: LOW - Exploitation requires user interaction to open malicious files, not directly network exploitable.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files, but requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open malicious JPEG2000 files. No public exploit code has been disclosed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.4.1 and later

Vendor Advisory: https://helpx.adobe.com/security/products/indesign/apsb22-05.html

Restart Required: Yes

Instructions:

1. Open Adobe InDesign.
2. Go to Help > Updates.
3. Install available updates to version 16.4.1 or later.
4. Restart the application.

🔧 Temporary Workarounds

  • Block JPEG2000 file extensions (all platforms): Prevent opening of JPEG2000 files via file extension blocking
  • Disable JPEG2000 file association (all platforms): Remove file association for JPEG2000 files in operating system settings
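
An extension filter only sees the file name, so a mail or file-share gateway can pair it with a content check. The following is an added example, not part of the original advisory or any Adobe tooling: it flags files by the JPEG 2000 container and codestream signatures as well as by extension. The function names and the extension list are assumptions chosen for illustration.

```python
import os
import sys

# Signatures defined by the JPEG 2000 standard (ISO/IEC 15444-1).
JP2_SIGNATURE_BOX = bytes.fromhex("0000000c6a5020200d0a870a")  # JP2-family container
J2K_CODESTREAM = bytes.fromhex("ff4fff51")  # raw codestream: SOC + SIZ markers

# Assumed extension list: the names an extension filter would typically carry.
JPEG2000_EXTENSIONS = {".jp2", ".j2k", ".j2c", ".jpc", ".jpf", ".jpx", ".jpm"}


def sniff_jpeg2000(header: bytes):
    """Return 'jp2-container', 'j2k-codestream', or None for the leading bytes."""
    if header.startswith(JP2_SIGNATURE_BOX):
        return "jp2-container"
    if header.startswith(J2K_CODESTREAM):
        return "j2k-codestream"
    return None


def classify(name: str, header: bytes):
    """Combine the extension check and the content check into one verdict."""
    kind = sniff_jpeg2000(header)
    ext_match = os.path.splitext(name)[1].lower() in JPEG2000_EXTENSIONS
    if kind and not ext_match:
        return "block: JPEG2000 content under another extension (%s)" % kind
    if kind or ext_match:
        return "block: JPEG2000 file"
    return "allow"


def scan_tree(root: str):
    """Yield (path, verdict) for every file under root that is not allowed."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(12)  # longest signature is 12 bytes
            except OSError:
                continue  # unreadable file: skip it, do not abort the scan
            verdict = classify(fname, header)
            if verdict != "allow":
                yield path, verdict


if __name__ == "__main__":
    for path, verdict in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict}\t{path}")
```

Run it against a quarantine or shared-asset directory; the verdict string separates files named as JPEG 2000 from files that only carry the signature.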

🧯 If You Can't Patch

  • Restrict user privileges to standard user accounts (not administrator)
  • Implement application sandboxing or virtualization for InDesign usage

🔍 How to Verify

Check if Vulnerable:

Check the InDesign version via Help > About InDesign. If the version is 16.4 or earlier, the system is vulnerable.

Check Version:

Not applicable - check via application GUI

Verify Fix Applied:

Verify InDesign version is 16.4.1 or later via Help > About InDesign.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when opening JPEG2000 files
  • Unexpected child processes spawned from InDesign

Network Indicators:

  • Unusual outbound connections from InDesign process

SIEM Query:

Process creation events from indesign.exe with suspicious command line arguments or child processes
