openSUSE update for flash-player

Published: 2016-09-14
Severity: High
Patch available: YES
Number of vulnerabilities: 29
CVE ID: CVE-2016-4182
CVE-2016-4237
CVE-2016-4238
CVE-2016-4271
CVE-2016-4272
CVE-2016-4274
CVE-2016-4275
CVE-2016-4276
CVE-2016-4277
CVE-2016-4278
CVE-2016-4279
CVE-2016-4280
CVE-2016-4281
CVE-2016-4282
CVE-2016-4283
CVE-2016-4284
CVE-2016-4285
CVE-2016-4287
CVE-2016-6921
CVE-2016-6922
CVE-2016-6923
CVE-2016-6924
CVE-2016-6925
CVE-2016-6926
CVE-2016-6927
CVE-2016-6929
CVE-2016-6930
CVE-2016-6931
CVE-2016-6932
CWE ID: CWE-119
CWE-284
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #7 is available.
Vulnerable software: Adobe Flash Player Extended Support Release
Adobe Flash Player for Linux
Adobe Flash Player
Vendor: Adobe

Security Advisory

1) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4182

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4237

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4238

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.238, 11.2.202.261, 11.2.202.262, 11.2.202.270, 11.2.202.273, 11.2.202.327, 11.2.202.332, 11.2.202.335, 11.2.202.336, 11.2.202.341, 11.2.202.350, 11.2.202.356, 11.2.202.418, 11.2.202.424, 11.2.202.425, 11.2.202.429, 11.2.202.438, 11.2.202.440, 11.2.202.442, 11.2.202.451, 11.2.202.457, 11.2.202.466, 11.2.202.468, 11.2.202.481, 11.2.202.491, 11.2.202.535, 11.2.202.540, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.621, 11.2.202.626, 11.2.202.632

Adobe Flash Player: 22.0.0.192, 22.0.0.209

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Security bypass

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-4271

CWE-ID: CWE-284 - Improper Access Control

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to improper access control. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, bypass security limitations and gain access to important data.

Successful exploitation of the vulnerability results in information disclosure or further attacks on the vulnerable system.


Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) “Use-after-free” error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4272

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4274

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Memory corruption

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4275

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

8) Memory corruption

Severity: High

CVSSv3: 8.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4276

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote unauthenticated user to cause arbitrary code execution on the target system.

The weakness exists due to a boundary error. After tricking the victim into visiting a web page containing crafted Flash content, attackers can cause memory corruption and execute arbitrary code.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Security bypass

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-4277

CWE-ID: CWE-284 - Improper Access Control

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to improper access control. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, bypass security limitations and gain access to important data.

Successful exploitation of the vulnerability results in information disclosure or further attacks on the vulnerable system.


Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Security bypass

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-4278

CWE-ID: CWE-284 - Improper Access Control

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to improper access control. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, bypass security limitations and gain access to important data.

Successful exploitation of the vulnerability results in information disclosure or further attacks on the vulnerable system.


Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) “Use-after-free” error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4279

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4280

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4281

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4282

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4283

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4284

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4285

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Integer overflow

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-4287

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an integer overflow when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) “Use-after-free” error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-6921

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-6922

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) “Use-after-free” error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-6923

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Memory corruption

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-6924

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) “Use-after-free” error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-6925

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) “Use-after-free” error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-6926

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) “Use-after-free” error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-6927

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) “Use-after-free” error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-6929

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) “Use-after-free” error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-6930

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) “Use-after-free” error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-6931

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) “Use-after-free” error

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-6932

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to a use-after-free error when handling malicious Flash content. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 11.2.202.540, 11.2.202.548, 11.2.202.554, 11.2.202.559, 11.2.202.569, 11.2.202.577, 11.2.202.616, 11.2.202.632, 18.0.0, 18.0.0.161, 18.0.0.194, 18.0.0.209, 18.0.0.232, 18.0.0.241, 18.0.0.252, 18.0.0.255, 18.0.0.261, 18.0.0.324, 18.0.0.326, 18.0.0.329, 18.0.0.333, 18.0.0.343, 19.0.0.185, 19.0.0.207, 19.0.0.226, 19.0.0.245, 20.0.0.228, 20.0.0.235, 20.0.0.267, 20.0.0.286, 20.0.0.306, 21.0.0.197, 21.0.0.213, 21.0.0.226, 21.0.0.242, 22.0.0.192, 22.0.0.211

Adobe Flash Player Extended Support Release: 18.0.0.268, 18.0.0.352, 18.0.0.360, 18.0.0.366

Adobe Flash Player for Linux: 11.2.202.621, 11.2.202.626

External links

https://lists.opensuse.org/opensuse-security-announce/2016-09/msg00009.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.