Critical Vulnerability Within Adobe Infrastructure Tool Ops-cli

Photo of Adobe Logo Onscreen

There have been several recent vulnerabilities in open-source software, including components that organize and manage cluster configurations, such as Kubernetes. Such vulnerabilities can also affect the data and database protection products that guard cluster configuration processes deployed across AWS, Azure and other clouds. The critical vulnerability this time affects Adobe’s ops-cli, a relatively new Adobe open-source component designed to make cloud automation more efficient. The flaw may lead to the complete compromise of a vulnerable system, and because it can be exploited by a remote, unauthenticated attacker over the internet, running earlier versions of Adobe ops-cli is dangerous.

What is Adobe Ops-cli?

Adobe’s Ops-cli component is a Python ‘wrapper’: powerful, useful tools, also known as ‘decorators’ in the community, that give developers the ability to modify functions and classes in a software library or program. Adobe’s Ops-cli wrapper works with Terraform and Ansible and is designed for cloud-computing automation. Wrappers or decorators are very useful because “they allow the extension of an existing function, without any modification to the original function source code.” The component removes duplicated code and is practical across multiple environments such as sandbox, stage and prod, as well as across teams, which makes it an essential tool for Kubernetes and AWS deployments.

The Critical Software Vulnerability

Adobe’s Security Bulletin released a critical software vulnerability report on October 12th, 2021 that is related to the Adobe ops-cli component. The software vulnerability (CVE-2021-40720) affecting the component is a ‘Deserialization of Untrusted Data’ flaw.

Technical Details

The vulnerability allows a remote attacker to execute arbitrary code on the target system. It exists because input is not validated securely when serialized data is processed, so a remote attacker can pass specially crafted data to the application and have it executed as code. Successful exploitation may result in the complete compromise of a vulnerable system.
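The bug class described above, as an added example that is not ops-cli’s own code: the page does not say which serialization format ops-cli parses, so this uses the standard library’s pickle to show a loader that resolves any importable name beside a hardened loader built on the allowlisting Unpickler pattern from the Python documentation. The allowlist and the sample blobs are constructed for the example.

```python
import io
import math
import pickle

# Modules and names a serialized config blob may reference. Anything else is
# refused before it is imported. (Allowlist chosen for this example.)
SAFE_GLOBALS = {
    "builtins": {"dict", "list", "set", "frozenset", "tuple", "str", "int", "float", "bool"},
    "collections": {"OrderedDict"},
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals (pattern from the Python docs)."""

    def find_class(self, module, name):
        if name in SAFE_GLOBALS.get(module, set()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_unsafe(blob: bytes):
    """The vulnerable shape: any importable callable named in the blob is resolved."""
    return pickle.loads(blob)


def load_restricted(blob: bytes):
    """Hardened loader: same data format, but non-allowlisted globals are rejected."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def check_blob(blob: bytes) -> str:
    """Classify a blob: 'ok' if it loads under the allowlist, else 'rejected'."""
    try:
        load_restricted(blob)
        return "ok"
    except pickle.UnpicklingError:
        return "rejected"


# Constructed sample inputs: a legitimate config dict, and a blob that merely
# references an importable function by name (math.sqrt, harmless here).
CONFIG_BLOB = pickle.dumps({"cluster": "sandbox", "replicas": 3, "regions": ["us-east-1"]})
REFERENCE_BLOB = pickle.dumps(math.sqrt)

if __name__ == "__main__":
    print(load_unsafe(CONFIG_BLOB))      # plain loader: fine for honest data
    print(load_unsafe(REFERENCE_BLOB))   # plain loader resolves math.sqrt: any global goes
    print(check_blob(CONFIG_BLOB))       # ok
    print(check_blob(REFERENCE_BLOB))    # rejected
```

The plain loader hands back whatever importable object the blob names, which is the primitive a deserialization flaw is built on; the restricted loader keeps the data but not that reach.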

Vulnerable Software Versions

Versions 2.0.4 and earlier are at risk. The complete list of versions of Adobe’s ops-cli component that are vulnerable to the above risk is as follows:

ops-cli: 0.20, 0.21, 0.22, 0.23, 0.24, 0.25, 0.26, 0.27, 0.28, 0.29, 0.30, 0.31, 0.32, 0.33, 0.34, 0.35, 0.36, 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 1.10.0, 1.10.1, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.11.6, 1.11.7, 1.11.8, 1.11.9, 1.11.10, 1.11.11, 1.11.12, 1.12.0, 1.12.1, 1.12.2, 2.0.3, 2.0.4

Important User Information

Developers need to know that a fix has been released that mitigates this critical vulnerability. Updating to ops-cli release 2.0.5 will mitigate any outstanding security issues.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.