Show vulnerabilities with patch / with exploit

SUSE Linux update for flash-player



Published: 2016-05-16
Severity Critical
Patch available YES
Number of vulnerabilities 49
CVE ID CVE-2016-1006
CVE-2016-1011
CVE-2016-1012
CVE-2016-1013
CVE-2016-1014
CVE-2016-1015
CVE-2016-1016
CVE-2016-1017
CVE-2016-1018
CVE-2016-1019
CVE-2016-1020
CVE-2016-1021
CVE-2016-1022
CVE-2016-1023
CVE-2016-1024
CVE-2016-1025
CVE-2016-1026
CVE-2016-1027
CVE-2016-1028
CVE-2016-1029
CVE-2016-1030
CVE-2016-1031
CVE-2016-1032
CVE-2016-1033
CVE-2016-1096
CVE-2016-1097
CVE-2016-1098
CVE-2016-1099
CVE-2016-1100
CVE-2016-1101
CVE-2016-1102
CVE-2016-1103
CVE-2016-1104
CVE-2016-1105
CVE-2016-1106
CVE-2016-1107
CVE-2016-1108
CVE-2016-1109
CVE-2016-1110
CVE-2016-4108
CVE-2016-4109
CVE-2016-4110
CVE-2016-4111
CVE-2016-4112
CVE-2016-4113
CVE-2016-4114
CVE-2016-4115
CVE-2016-4116
CVE-2016-4117
CWE ID CWE-264
CWE-119
CWE-426
CWE-843
Exploitation vector Network
Public exploit Public exploit code for vulnerability #2 is available.
Public exploit code for vulnerability #4 is available.
Vulnerability #10 is being exploited in the wild.
Public exploit code for vulnerability #25 is available.
Public exploit code for vulnerability #30 is available.
Public exploit code for vulnerability #31 is available.
Public exploit code for vulnerability #32 is available.
Public exploit code for vulnerability #33 is available.
Public exploit code for vulnerability #34 is available.
Public exploit code for vulnerability #35 is available.
Public exploit code for vulnerability #40 is available.
Vulnerability #49 is being exploited in the wild.
Vulnerable software
Subscribe
Adobe Flash Player
Client/Desktop applications / Plugins for browsers, ActiveX components

Adobe Flash Player Extended Support Release
Client/Desktop applications / Multimedia software

Adobe AIR
Client/Desktop applications / Multimedia software

Adobe Flash Player for Linux
Client/Desktop applications / Multimedia software

Vendor Adobe

Security Advisory

1) Security bypass

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1006

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerabiity allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to failure to use Address Space Layout Randomization (ASLR). A remote attacker can create a specially crafted Web site, trick the victim into visiting it, conduct a JIT spraying attack and bypass memory layout randomization mitigations.

Successful exploitation of this vulnerability results in security bypass on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) “Use-after-free” error

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1011

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1012

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) “Use-after-free” error

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1013

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) Untrusted Search Path

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1014

CWE-ID: CWE-426 - Untrusted Search Path

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an error in the directory search path used to find resources when handling .swf files. A remote attacker can create a specially crafted .swf file, place it with malicious .dll on remote SMB or WebDav share, trick the victim into opening Flash file it and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Type confusion

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1015

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confussion error within the NetConnection objects. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) “Use-after-free” error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1016

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) “Use-after-free” error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1017

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Stack-based buffer overflow

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1018

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to stack-based buffer overflow when handling JPEG-XR files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Type confusion

Severity: Critical

CVSSv3: 8.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1019

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion error when handling .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Note: the vulnerability was being actively exploited.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

11) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1020

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1021

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1022

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1023

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1024

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1025

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1026

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1027

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1028

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1029

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Security bypass

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1030

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerabiity allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to improper access controls. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, bypass security mechanism and gain access to the affected system.

Successful exploitation of this vulnerability results in security bypass on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) “Use-after-free” error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1031

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1032

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1033

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Memory corruption

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1096

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

26) “Use-after-free” error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1097

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1098

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1099

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1100

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Heap-based buffer overflow

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1101

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to heap-based buffer overflow when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

31) Memory corruption

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1102

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

32) Buffer overflow

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1103

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to buffer overflow when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

33) Memory corruption

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1104

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

34) Type confusion

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1105

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

35) “Use-after-free” error

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1106

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

36) Use-after-free error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1107

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

37) Use-after-free error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1108

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

38) Use-after-free error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1109

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

39) Use-after-free error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1110

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

40) Use-after-free error

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4108

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

41) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4109

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

42) Use-after-free error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4110

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

43) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4111

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

44) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4112

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

45) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4113

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

46) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4114

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

47) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4115

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

48) Untrusted search path

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4116

CWE-ID: CWE-426 - Untrusted Search Path

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an error in the directory search path used to find resources. A remote attacker can create a specially crafted .swf file, locate it on WebDav or SMB share, trick the victim into opening it and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

49) Type confusion

Severity: Critical

CVSSv3: 8.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4117

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Note: the vulnerability was being actively exploited.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.