CVE-2014-0499
CVSS 7.8
Published: 2014-02-21 00:07:00
Last revised: 2014-06-21 00:38:37

[Original] Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 do not prevent access to address information, which makes it easier for attackers to bypass the ASLR protection mechanism via unspecified vectors.


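[CNNVD] Adobe Flash Player/Adobe AIR Security Vulnerability (CNNVD-201402-303)

        Adobe Flash Player and Adobe AIR are both products of Adobe, a US company. Adobe Flash Player is a multimedia player. Adobe AIR is a cross-operating-system runtime environment used to build and deploy cross-platform desktop RIA (Rich Internet Applications) applications.
        A security vulnerability exists in multiple Adobe products because the program does not restrict access to address information. A remote attacker could exploit this vulnerability to bypass the ASLR protection mechanism. The following versions are affected: Adobe Flash Player 12.0.0.44 and earlier on Windows and Mac OS X; Adobe Flash Player 11.2.202.336 and earlier on Linux; Adobe AIR 4.0.0.1390 and earlier on Android; Adobe AIR SDK 4.0.0.1390 and earlier; Adobe AIR SDK & Compiler 4.0.0.1390 and earlier.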

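- CVSS (Base Score)

CVSS score: 7.8 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: NETWORK [the attacker does not need internal-network or local access]
Authentication: NONE [exploitation requires no authentication]

- CWE (Weakness Category)

CWE-264 [Permissions, Privileges, and Access Controls]

- CPE (Affected Platforms and Products)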


- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:22445  Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR...
oval:org.mitre.oval:def:23209  ELSA-2014:0196: flash-plugin security update (Critical)
oval:org.mitre.oval:def:24162  RHSA-2014:0196: flash-plugin security update (Critical)
oval:org.mitre.oval:def:25399  SUSE-SU-2014:0290-1 -- Security update for flash-player
* OVAL describes in detail how to detect this vulnerability; more technical detection details can be found in the related OVAL definitions.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0499
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0499
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-201402-303
(Official data source) CNNVD

- Other Links and Resources

http://helpx.adobe.com/security/products/flash-player/apsb14-07.html
(VENDOR_ADVISORY)  CONFIRM  http://helpx.adobe.com/security/products/flash-player/apsb14-07.html
http://security.gentoo.org/glsa/glsa-201405-04.xml
(UNKNOWN)  GENTOO  GLSA-201405-04
http://rhn.redhat.com/errata/RHSA-2014-0196.html
(UNKNOWN)  REDHAT  RHSA-2014:0196
http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00017.html
(UNKNOWN)  SUSE  SUSE-SU-2014:0290
http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00015.html
(UNKNOWN)  SUSE  openSUSE-SU-2014:0278
http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00014.html
(UNKNOWN)  SUSE  openSUSE-SU-2014:0277

- Vulnerability Information

Adobe Flash Player/Adobe AIR Security Vulnerability
High risk; Permissions and access control
2014-02-25 00:00:00 2014-02-25 00:00:00
Remote

- Advisories and Patches

        The vendor has released an update that fixes this security issue. The patch is available at:
        http://helpx.adobe.com/security/products/flash-player/apsb14-07.html

- Vulnerability Information (F125342)

Red Hat Security Advisory 2014-0196-01 (PacketStormID:F125342)
2014-02-22 00:00:00
Red Hat  
advisory,web,arbitrary,vulnerability
linux,redhat
CVE-2014-0498,CVE-2014-0499,CVE-2014-0502

Red Hat Security Advisory 2014-0196-01 - The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed in the Adobe Security bulletin APSB14-07, listed in the References section. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content. All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 11.2.202.341.

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: flash-plugin security update
Advisory ID:       RHSA-2014:0196-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0196.html
Issue date:        2014-02-21
CVE Names:         CVE-2014-0498 CVE-2014-0499 CVE-2014-0502 
=====================================================================

1. Summary:

An updated Adobe Flash Player package that fixes three security issues is
now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having Critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.

This update fixes multiple vulnerabilities in Adobe Flash Player. These
vulnerabilities are detailed in the Adobe Security bulletin APSB14-07,
listed in the References section. Specially-crafted SWF content could
cause flash-plugin to crash or, potentially, execute arbitrary code when a
victim loads a page containing the malicious SWF content. (CVE-2014-0498,
CVE-2014-0499, CVE-2014-0502)

All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.341.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1067656 - CVE-2014-0498 CVE-2014-0499 CVE-2014-0502 flash-plugin: multiple flaws lead to arbitrary code execution (APSB14-07)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
flash-plugin-11.2.202.341-1.el5.i386.rpm

x86_64:
flash-plugin-11.2.202.341-1.el5.i386.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
flash-plugin-11.2.202.341-1.el5.i386.rpm

x86_64:
flash-plugin-11.2.202.341-1.el5.i386.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
flash-plugin-11.2.202.341-1.el6.i686.rpm

x86_64:
flash-plugin-11.2.202.341-1.el6.i686.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
flash-plugin-11.2.202.341-1.el6.i686.rpm

x86_64:
flash-plugin-11.2.202.341-1.el6.i686.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
flash-plugin-11.2.202.341-1.el6.i686.rpm

x86_64:
flash-plugin-11.2.202.341-1.el6.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0498.html
https://www.redhat.com/security/data/cve/CVE-2014-0499.html
https://www.redhat.com/security/data/cve/CVE-2014-0502.html
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb14-07.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

- Vulnerability Information (F126479)

Gentoo Linux Security Advisory 201405-04 (PacketStormID:F126479)
2014-05-05 00:00:00
Gentoo  security.gentoo.org
advisory,arbitrary,vulnerability
linux,gentoo
CVE-2014-0498,CVE-2014-0499,CVE-2014-0502,CVE-2014-0503,CVE-2014-0504,CVE-2014-0506,CVE-2014-0507,CVE-2014-0508,CVE-2014-0509,CVE-2014-0515

Gentoo Linux Security Advisory 201405-4 - Multiple vulnerabilities have been found in Adobe Flash Player, the worst of which could result in execution of arbitrary code. Versions less than 11.2.202.356 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201405-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Adobe Flash Player: Multiple vulnerabilities
     Date: May 03, 2014
     Bugs: #501960, #504286, #507176, #508986
       ID: 201405-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Adobe Flash Player, the
worst of which could result in execution of arbitrary code.

Background
==========

The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-plugins/adobe-flash   < 11.2.202.356         >= 11.2.202.356

Description
===========

Multiple vulnerabilities have been discovered in Adobe Flash Player.
Please review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could entice a user to open a specially crafted SWF
file using Adobe Flash Player, possibly resulting in execution of
arbitrary code with the privileges of the process or a Denial of
Service condition. Furthermore, a remote attacker may be able to bypass
the Same Origin Policy or read the clipboard via unspecified vectors.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Adobe Flash Player users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.356"

References
==========

[  1 ] CVE-2014-0498
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0498
[  2 ] CVE-2014-0499
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0499
[  3 ] CVE-2014-0502
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0502
[  4 ] CVE-2014-0503
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0503
[  5 ] CVE-2014-0504
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0504
[  6 ] CVE-2014-0506
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0506
[  7 ] CVE-2014-0507
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0507
[  8 ] CVE-2014-0508
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0508
[  9 ] CVE-2014-0509
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0509
[ 10 ] CVE-2014-0515
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0515

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201405-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
    

- Vulnerability Information

Adobe Flash Player and AIR CVE-2014-0499 Information Disclosure Vulnerability
Unknown 65703
Yes No
2014-02-20 12:00:00 2014-02-21 02:01:00
Wen Guanxing of Venustech.

- Affected Software Versions

Red Hat Enterprise Linux Workstation Supplementary 6
Red Hat Enterprise Linux Supplementary 5 server
Red Hat Enterprise Linux Server Supplementary 6
Red Hat Enterprise Linux Desktop Supplementary 6
Red Hat Enterprise Linux Desktop Supplementary 5 client

- Vulnerability Discussion

Adobe Flash Player and AIR are prone to an information-disclosure vulnerability.

Attackers can exploit this issue to obtain sensitive information.

- Exploit

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Updates are available. Please see the references or vendor advisory for more information.
