Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title flash-plugin security update
Informations
Name RHSA-2017:0057 First vendor Publication 2017-01-11
Vendor RedHat Last vendor Modification 2017-01-11
Severity (Vendor) N/A Revision 01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

An update for flash-plugin is now available for Red Hat Enterprise Linux 6 Supplementary.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.

This update upgrades Flash Player to version 24.0.0.194.

Security Fix(es):

* This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities, detailed in the Adobe Security Bulletin listed in the References section, could allow an attacker to create a specially crafted SWF file that would cause flash-plugin to crash, execute arbitrary code, or disclose sensitive information when the victim loaded a page containing the malicious SWF content. (CVE-2017-2925, CVE-2017-2926, CVE-2017-2927, CVE-2017-2928, CVE-2017-2930, CVE-2017-2931, CVE-2017-2932, CVE-2017-2933, CVE-2017-2934, CVE-2017-2935, CVE-2017-2936, CVE-2017-2937, CVE-2017-2938)

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1411929 - CVE-2017-2925 CVE-2017-2926 CVE-2017-2927 CVE-2017-2928 CVE-2017-2930 CVE-2017-2931 CVE-2017-2932 CVE-2017-2933 CVE-2017-2934 CVE-2017-2935 CVE-2017-2936 CVE-2017-2937 CVE-2017-2938 flash-plugin: multiple code execution issues fixed in APSB17-02

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2017-0057.html

CWE : Common Weakness Enumeration

% Id Name
75 % CWE-787 Out-of-bounds Write (CWE/SANS Top 25)
25 % CWE-416 Use After Free

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 447

Snort® IPS/IDS

Date Description
2017-02-21 Adobe Flash Player MP4 stsz atom memory corruption attempt
RuleID : 41343 - Revision : 2 - Type : FILE-MULTIMEDIA
2017-02-21 Adobe Flash Player MP4 stsz atom memory corruption attempt
RuleID : 41342 - Revision : 2 - Type : FILE-MULTIMEDIA
2017-02-14 Adobe Flash Player onSetFocus movie clip use after free attempt
RuleID : 41215 - Revision : 2 - Type : FILE-FLASH
2017-02-14 Adobe Flash Player onSetFocus movieclip use after free attempt
RuleID : 41214 - Revision : 2 - Type : FILE-FLASH
2017-02-14 Adobe Flash Player malformed PlaceObject3 memory corruption attempt
RuleID : 41208 - Revision : 2 - Type : FILE-FLASH
2017-02-14 Adobe Flash Player malformed PlaceObject3 memory corruption attempt
RuleID : 41207 - Revision : 2 - Type : FILE-FLASH
2017-02-10 Acrobat Flash FileReference class use-after-free memory corruption attempt
RuleID : 41166 - Revision : 1 - Type : FILE-FLASH
2017-02-10 Acrobat Flash FileReference class use-after-free memory corruption attempt
RuleID : 41165 - Revision : 1 - Type : FILE-FLASH
2017-02-10 Acrobat Flash FileReference class use-after-free memory corruption attempt
RuleID : 41161 - Revision : 1 - Type : FILE-FLASH
2017-02-10 Acrobat Flash FileReference class use-after-free memory corruption attempt
RuleID : 41160 - Revision : 1 - Type : FILE-FLASH
2017-02-10 Adobe Flash Player visual blend out of bounds read attempt
RuleID : 41159 - Revision : 2 - Type : FILE-FLASH
2017-02-10 Adobe Flash Player visual blend out of bounds read attempt
RuleID : 41158 - Revision : 2 - Type : FILE-FLASH
2017-02-10 Adobe Flash Player malformed ATF file length heap overflow attempt
RuleID : 41157 - Revision : 2 - Type : FILE-FLASH
2017-02-10 Adobe Flash Player malformed ATF file length heap overflow attempt
RuleID : 41156 - Revision : 2 - Type : FILE-FLASH
2017-02-10 Adobe Flash Player display list structure memory corruption attempt
RuleID : 41139 - Revision : 2 - Type : FILE-FLASH
2017-02-10 Adobe Flash Player display list structure memory corruption attempt
RuleID : 41138 - Revision : 2 - Type : FILE-FLASH
2016-07-19 Adobe Flash Player malformed ATF file length load buffer overflow attempt
RuleID : 39309 - Revision : 4 - Type : FILE-FLASH
2016-07-19 Adobe Flash Player malformed ATF file length load buffer overflow attempt
RuleID : 39308 - Revision : 4 - Type : FILE-FLASH
2016-07-19 Adobe Flash Player malformed ATF heap overflow attempt
RuleID : 39274 - Revision : 8 - Type : FILE-FLASH
2016-07-19 Adobe Flash Player malformed ATF heap overflow attempt
RuleID : 39273 - Revision : 8 - Type : FILE-FLASH
2016-04-12 Adobe Flash Player invalid FLV header out of bounds write attempt
RuleID : 38226 - Revision : 5 - Type : FILE-FLASH
2016-04-12 Adobe Flash Player invalid FLV header out of bounds write attempt
RuleID : 38225 - Revision : 5 - Type : FILE-FLASH

Nessus® Vulnerability Scanner

Date Description
2017-02-21 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201702-20.nasl - Type : ACT_GATHER_INFO
2017-01-12 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2017-71.nasl - Type : ACT_GATHER_INFO
2017-01-12 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2017-0057.nasl - Type : ACT_GATHER_INFO
2017-01-12 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2017-0108-1.nasl - Type : ACT_GATHER_INFO
2017-01-11 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_2a7bdc56d7a311e6ae1b002590263bf5.nasl - Type : ACT_GATHER_INFO
2017-01-10 Name : The remote Windows host has a browser plugin installed that is affected by mu...
File : flash_player_apsb17-02.nasl - Type : ACT_GATHER_INFO
2017-01-10 Name : The remote macOS or Mac OS X host has a browser plugin installed that is affe...
File : macosx_flash_player_apsb17-02.nasl - Type : ACT_GATHER_INFO
2017-01-10 Name : The remote Windows host has a browser plugin installed that is affected by mu...
File : smb_nt_ms17-003.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2017-01-13 13:24:47
  • Multiple Updates
2017-01-11 21:25:06
  • Multiple Updates
2017-01-11 13:23:39
  • First insertion