Show vulnerabilities with patch / with exploit

OpenSUSE Linux update for flash-player



Published: 2016-05-17
Severity Critical
Patch available YES
Number of vulnerabilities 25
CVE ID CVE-2016-1006
CVE-2016-1011
CVE-2016-1012
CVE-2016-1013
CVE-2016-1014
CVE-2016-1015
CVE-2016-1016
CVE-2016-1017
CVE-2016-1018
CVE-2016-1019
CVE-2016-1020
CVE-2016-1021
CVE-2016-1022
CVE-2016-1023
CVE-2016-1024
CVE-2016-1025
CVE-2016-1026
CVE-2016-1027
CVE-2016-1028
CVE-2016-1029
CVE-2016-1030
CVE-2016-1031
CVE-2016-1032
CVE-2016-1033
CVE-2016-4117
CWE ID CWE-264
CWE-119
CWE-426
CWE-843
Exploitation vector Network
Public exploit Public exploit code for vulnerability #2 is available.
Public exploit code for vulnerability #4 is available.
Vulnerability #10 is being exploited in the wild.
Vulnerability #25 is being exploited in the wild.
Vulnerable software
Subscribe
Adobe Flash Player
Client/Desktop applications / Plugins for browsers, ActiveX components

Adobe Flash Player Extended Support Release
Client/Desktop applications / Multimedia software

Adobe AIR
Client/Desktop applications / Multimedia software

Adobe Flash Player for Linux
Client/Desktop applications / Multimedia software

Vendor Adobe

Security Advisory

1) Security bypass

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1006

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerabiity allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to failure to use Address Space Layout Randomization (ASLR). A remote attacker can create a specially crafted Web site, trick the victim into visiting it, conduct a JIT spraying attack and bypass memory layout randomization mitigations.

Successful exploitation of this vulnerability results in security bypass on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) “Use-after-free” error

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1011

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1012

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) “Use-after-free” error

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1013

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) Untrusted Search Path

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1014

CWE-ID: CWE-426 - Untrusted Search Path

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an error in the directory search path used to find resources when handling .swf files. A remote attacker can create a specially crafted .swf file, place it with malicious .dll on remote SMB or WebDav share, trick the victim into opening Flash file it and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Type confusion

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1015

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confussion error within the NetConnection objects. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) “Use-after-free” error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1016

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) “Use-after-free” error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1017

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Stack-based buffer overflow

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1018

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to stack-based buffer overflow when handling JPEG-XR files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Type confusion

Severity: Critical

CVSSv3: 8.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1019

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion error when handling .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Note: the vulnerability was being actively exploited.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

11) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1020

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1021

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1022

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1023

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1024

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1025

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1026

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1027

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1028

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1029

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Security bypass

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1030

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerabiity allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to improper access controls. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, bypass security mechanism and gain access to the affected system.

Successful exploitation of this vulnerability results in security bypass on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) “Use-after-free” error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1031

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to use-after-free error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1032

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-1033

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343

Adobe AIR: 21.0.0.176, 21.0.0.198

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Type confusion

Severity: Critical

CVSSv3: 8.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4117

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution.

Note: the vulnerability was being actively exploited.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.272, 20.0.0.286, 20.0.0.306, 21.0.0.182, 21.0.0.197, 21.0.0.213, 21.0.0.216, 21.0.0.226, 21.0.0.241, 21.0.0.242

Adobe AIR: 21.0.0.176, 21.0.0.198 , 21.0.0.215

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.438, 11.2.202.440, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.