SUSE Linux update for flash-player
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2017-2997 CVE-2017-2998 CVE-2017-2999 CVE-2017-3000 CVE-2017-3001 CVE-2017-3002 CVE-2017-3003 |
| CWE-ID | CWE-119 CWE-200 CWE-416 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #4 is available. |
| Vulnerable software Subscribe |
Adobe Flash Player Client/Desktop applications / Plugins for browsers, ActiveX components Adobe Flash Player for Linux Client/Desktop applications / Multimedia software |
| Vendor | Adobe |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Buffer overflow
EUVDB-ID: #VU5940
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-2997
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing .swf files in Adobe Flash Player. A remote unauthenticated attacker can create a specially crafted .swf file, trick the victim into opening i, trigger buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages.
Adobe Flash Player: 24.0.0.186 - 24.0.0.221
Adobe Flash Player for Linux: 24.0.0.186 - 24.0.0.194
CPE2.3- cpe:2.3:a:adobe:adobe_flash_player:24.0.0.221:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player:24.0.0.194:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player:24.0.0.186:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player_for_linux:24.0.0.194:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player_for_linux:24.0.0.186:*:*:*:*:*:*:*
http://lists.opensuse.org/opensuse-security-announce/2017-03/msg00010.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Memory corruption
EUVDB-ID: #VU5941
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-2998
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing .swf files in Adobe Flash Player. A remote unauthenticated attacker can create a specially crafted .swf file, trick the victim into opening i, trigger buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages.
Adobe Flash Player: 24.0.0.186 - 24.0.0.221
Adobe Flash Player for Linux: 24.0.0.186 - 24.0.0.194
CPE2.3- cpe:2.3:a:adobe:adobe_flash_player:24.0.0.221:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player:24.0.0.194:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player:24.0.0.186:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player_for_linux:24.0.0.194:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player_for_linux:24.0.0.186:*:*:*:*:*:*:*
http://lists.opensuse.org/opensuse-security-announce/2017-03/msg00010.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Memory corruption
EUVDB-ID: #VU5942
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-2999
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing .swf files in Adobe Flash Player. A remote unauthenticated attacker can create a specially crafted .swf file, trick the victim into opening i, trigger buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages.
Adobe Flash Player: 24.0.0.186 - 24.0.0.221
Adobe Flash Player for Linux: 24.0.0.186 - 24.0.0.194
CPE2.3- cpe:2.3:a:adobe:adobe_flash_player:24.0.0.221:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player:24.0.0.194:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player:24.0.0.186:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player_for_linux:24.0.0.194:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player_for_linux:24.0.0.186:*:*:*:*:*:*:*
http://lists.opensuse.org/opensuse-security-announce/2017-03/msg00010.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Information disclosure
EUVDB-ID: #VU5943
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-3000
CWE-ID:
CWE-200 - Information exposure
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive data.
The vulnerability exists due to boundary error in random number generator used for constant blinding in Adobe Flash Player. A remote unauthenticated attacker can create a specially crafted .swf file, trick the victim into opening i, trigger buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in disclosure of potentially sensitive data.
MitigationUpdate the affected packages.
Adobe Flash Player: 24.0.0.186 - 24.0.0.221
Adobe Flash Player for Linux: 24.0.0.186 - 24.0.0.194
CPE2.3- cpe:2.3:a:adobe:adobe_flash_player:24.0.0.221:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player:24.0.0.194:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player:24.0.0.186:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player_for_linux:24.0.0.194:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player_for_linux:24.0.0.186:*:*:*:*:*:*:*
http://lists.opensuse.org/opensuse-security-announce/2017-03/msg00010.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
5) Use-after-free error
EUVDB-ID: #VU5944
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3001
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free error when processing .swf files in Adobe Flash Player. A remote unauthenticated attacker can create a specially crafted .swf file, trick the victim into opening i, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages.
Adobe Flash Player: 24.0.0.186 - 24.0.0.221
Adobe Flash Player for Linux: 24.0.0.186 - 24.0.0.194
CPE2.3- cpe:2.3:a:adobe:adobe_flash_player:24.0.0.221:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player:24.0.0.194:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player:24.0.0.186:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player_for_linux:24.0.0.194:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player_for_linux:24.0.0.186:*:*:*:*:*:*:*
http://lists.opensuse.org/opensuse-security-announce/2017-03/msg00010.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Use-after-free error
EUVDB-ID: #VU5945
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3002
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free error when processing .swf files in Adobe Flash Player. A remote unauthenticated attacker can create a specially crafted .swf file, trick the victim into opening i, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages.
Adobe Flash Player: 24.0.0.186 - 24.0.0.221
Adobe Flash Player for Linux: 24.0.0.186 - 24.0.0.194
CPE2.3- cpe:2.3:a:adobe:adobe_flash_player:24.0.0.221:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player:24.0.0.194:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player:24.0.0.186:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player_for_linux:24.0.0.194:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player_for_linux:24.0.0.186:*:*:*:*:*:*:*
http://lists.opensuse.org/opensuse-security-announce/2017-03/msg00010.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Use-after-free error
EUVDB-ID: #VU5946
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-3003
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free error when processing .swf files in Adobe Flash Player. A remote unauthenticated attacker can create a specially crafted .swf file, trick the victim into opening i, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages.
Adobe Flash Player: 24.0.0.186 - 24.0.0.221
Adobe Flash Player for Linux: 24.0.0.186 - 24.0.0.194
CPE2.3- cpe:2.3:a:adobe:adobe_flash_player:24.0.0.221:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player:24.0.0.194:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player:24.0.0.186:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player_for_linux:24.0.0.194:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:adobe_flash_player_for_linux:24.0.0.186:*:*:*:*:*:*:*
http://lists.opensuse.org/opensuse-security-announce/2017-03/msg00010.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
