OpenSUSE Linux update for flash-player



Published: 2017-01-11
Risk: High
Patch available: YES
Number of vulnerabilities: 13
CVE-ID: CVE-2017-2925, CVE-2017-2926, CVE-2017-2927, CVE-2017-2928, CVE-2017-2930, CVE-2017-2931, CVE-2017-2932, CVE-2017-2933, CVE-2017-2934, CVE-2017-2935, CVE-2017-2936, CVE-2017-2937, CVE-2017-2938
CWE-ID: CWE-119, CWE-125, CWE-416, CWE-122, CWE-200
Exploitation vector: Network
Public exploit: Public exploit code is available for vulnerabilities #5, #6, #7, #8, #9 and #10.
Vulnerable software
Adobe Flash Player
Client/Desktop applications / Plugins for browsers, ActiveX components

Adobe Flash Player for Linux
Client/Desktop applications / Multimedia software

Vendor: Adobe

Security Bulletin

This security bulletin contains information about 13 vulnerabilities.

1) Memory corruption

EUVDB-ID: #VU4096

Risk: High

CVSSv3.1: 7.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-2925

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted .swf file, trick the victim into opening it, cause memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 24.0.0.186

Adobe Flash Player for Linux: 24.0.0.186

External links

http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Memory corruption

EUVDB-ID: #VU4097

Risk: High

CVSSv3.1: 7.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-2926

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted .swf file, trick the victim into opening it, cause memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 24.0.0.186

Adobe Flash Player for Linux: 24.0.0.186

External links

http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Heap-based buffer overflow

EUVDB-ID: #VU4092

Risk: High

CVSSv3.1: 7.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-2927

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted .swf file, trick the victim into opening it, cause a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 24.0.0.186

Adobe Flash Player for Linux: 24.0.0.186

External links

http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Memory corruption

EUVDB-ID: #VU4098

Risk: High

CVSSv3.1: 7.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-2928

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted .swf file, trick the victim into opening it, cause memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 24.0.0.186

Adobe Flash Player for Linux: 24.0.0.186

External links

http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Memory corruption

EUVDB-ID: #VU4099

Risk: High

CVSSv3.1: 8.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2017-2930

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted .swf file, trick the victim into opening it, cause memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 24.0.0.186

Adobe Flash Player for Linux: 24.0.0.186

External links

http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

6) Memory corruption

EUVDB-ID: #VU4100

Risk: High

CVSSv3.1: 8.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2017-2931

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing .swf files. A remote attacker can create a specially crafted .swf file, trick the victim into opening it, cause memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 24.0.0.186

Adobe Flash Player for Linux: 24.0.0.186

External links

http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

7) Use-after-free error

EUVDB-ID: #VU4089

Risk: High

CVSSv3.1: 8.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2017-2932

CWE-ID: CWE-416 - Use After Free

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted .swf file, trick the victim into opening it, cause memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 24.0.0.186

Adobe Flash Player for Linux: 24.0.0.186

External links

http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

8) Heap-based buffer overflow

EUVDB-ID: #VU4093

Risk: High

CVSSv3.1: 8.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2017-2933

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing thumbnails within .swf files. A remote attacker can create a specially crafted thumbnail, trick the victim into opening it using Flash Player, cause a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 24.0.0.186

Adobe Flash Player for Linux: 24.0.0.186

External links

http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

9) Heap-based buffer overflow

EUVDB-ID: #VU4094

Risk: High

CVSSv3.1: 8.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2017-2934

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when decompressing a planar block within .swf files. A remote attacker can create a specially crafted .atf file, trick the victim into opening it using Flash Player, cause a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 24.0.0.186

Adobe Flash Player for Linux: 24.0.0.186

External links

http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

10) Heap-based buffer overflow

EUVDB-ID: #VU4095

Risk: High

CVSSv3.1: 8.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2017-2935

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing AVC header slicing within .swf files. A remote attacker can create a specially crafted .flv file, trick the victim into opening it using Flash Player, cause a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 24.0.0.186

Adobe Flash Player for Linux: 24.0.0.186

External links

http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

11) Use-after-free error

EUVDB-ID: #VU4090

Risk: High

CVSSv3.1: 7.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-2936

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted .swf file, trick the victim into opening it, cause memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 24.0.0.186

Adobe Flash Player for Linux: 24.0.0.186

External links

http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Use-after-free error

EUVDB-ID: #VU4091

Risk: High

CVSSv3.1: 7.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-2937

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error when processing .swf files. A remote attacker can create a specially crafted .swf file, trick the victim into opening it, cause memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 24.0.0.186

Adobe Flash Player for Linux: 24.0.0.186

External links

http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Information disclosure

EUVDB-ID: #VU4088

Risk: Low

CVSSv3.1: 3.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-2938

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive data.

The vulnerability exists due to an unknown error when handling .swf files. A remote attacker can create a specially crafted web page, trick the victim into visiting it and obtain potentially sensitive information.

Mitigation

Update the affected packages.

Vulnerable software versions

Adobe Flash Player: 24.0.0.186

Adobe Flash Player for Linux: 24.0.0.186

External links

http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00012.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


