ID

VAR-201305-0197


CVE

CVE-2013-3326


TITLE

Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution

Trust: 0.8

sources: JVNDB: JVNDB-2013-002693

DESCRIPTION

Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on Windows and Mac OS X, before 10.3.183.86 and 11.x before 11.2.202.285 on Linux, before 11.1.111.54 on Android 2.x and 3.x, and before 11.1.115.58 on Android 4.x; Adobe AIR before 3.7.0.1860; and Adobe AIR SDK & Compiler before 3.7.0.1860 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2728, CVE-2013-3324, CVE-2013-3325, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, CVE-2013-3334, and CVE-2013-3335. This vulnerability CVE-2013-2728 , CVE-2013-3324 , CVE-2013-3325 , CVE-2013-3327 , CVE-2013-3328 , CVE-2013-3329 , CVE-2013-3330 , CVE-2013-3331 , CVE-2013-3332 , CVE-2013-3333 , CVE-2013-3334 ,and CVE-2013-3335 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. Attackers can exploit this issue to execute arbitrary code within the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Adobe AIR is a cross-operating system runtime environment that can be used to build and configure cross-platform desktop RIA (Rich Internet Applications) applications. Vulnerabilities in versions prior to 0.1860; Adobe AIR SDK & Compiler prior to 3.7.0.1860. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: flash-plugin security update Advisory ID: RHSA-2013:0825-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0825.html Issue date: 2013-05-15 CVE Names: CVE-2013-2728 CVE-2013-3324 CVE-2013-3325 CVE-2013-3326 CVE-2013-3327 CVE-2013-3328 CVE-2013-3329 CVE-2013-3330 CVE-2013-3331 CVE-2013-3332 CVE-2013-3333 CVE-2013-3334 CVE-2013-3335 ===================================================================== 1. Summary: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. Description: The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. These vulnerabilities are detailed in the Adobe Security bulletin APSB13-14, listed in the References section. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 962895 - flash-plugin: multiple code execution flaws (APSB13-14) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: flash-plugin-11.2.202.285-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.285-1.el5.i386.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: flash-plugin-11.2.202.285-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.285-1.el5.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: flash-plugin-11.2.202.285-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.285-1.el6.i686.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: flash-plugin-11.2.202.285-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.285-1.el6.i686.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: flash-plugin-11.2.202.285-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.285-1.el6.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-2728.html https://www.redhat.com/security/data/cve/CVE-2013-3324.html https://www.redhat.com/security/data/cve/CVE-2013-3325.html https://www.redhat.com/security/data/cve/CVE-2013-3326.html https://www.redhat.com/security/data/cve/CVE-2013-3327.html https://www.redhat.com/security/data/cve/CVE-2013-3328.html https://www.redhat.com/security/data/cve/CVE-2013-3329.html https://www.redhat.com/security/data/cve/CVE-2013-3330.html https://www.redhat.com/security/data/cve/CVE-2013-3331.html https://www.redhat.com/security/data/cve/CVE-2013-3332.html https://www.redhat.com/security/data/cve/CVE-2013-3333.html https://www.redhat.com/security/data/cve/CVE-2013-3334.html https://www.redhat.com/security/data/cve/CVE-2013-3335.html https://access.redhat.com/security/updates/classification/#critical http://www.adobe.com/support/security/bulletins/apsb13-14.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFRk0+VXlSAg2UNWIIRAkH8AJ4qnX1dCu9PQZVRQTc+jd80f3eHuQCgpBlA pCXFdmTpNYaaRsAS+FVd7h4= =8nby -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 2.07

sources: NVD: CVE-2013-3326 // JVNDB: JVNDB-2013-002693 // BID: 59892 // VULHUB: VHN-63328 // PACKETSTORM: 121646

AFFECTED PRODUCTS

vendor:redhatmodel:enterprise linux workstationscope:eqversion:6.0

Trust: 1.0

vendor:adobemodel:flash playerscope:ltversion:11.7.700.202

Trust: 1.0

vendor:adobemodel:flash playerscope:ltversion:11.1.111.54

Trust: 1.0

vendor:redhatmodel:enterprise linux eusscope:eqversion:5.9

Trust: 1.0

vendor:redhatmodel:enterprise linux desktopscope:eqversion:6.0

Trust: 1.0

vendor:redhatmodel:enterprise linux server eusscope:eqversion:6.4

Trust: 1.0

vendor:opensusemodel:opensusescope:eqversion:12.3

Trust: 1.0

vendor:redhatmodel:enterprise linux eusscope:eqversion:6.4

Trust: 1.0

vendor:opensusemodel:opensusescope:eqversion:11.4

Trust: 1.0

vendor:adobemodel:flash playerscope:ltversion:10.3.183.86

Trust: 1.0

vendor:opensusemodel:opensusescope:eqversion:12.2

Trust: 1.0

vendor:adobemodel:air sdkscope:ltversion:3.7.0.1860

Trust: 1.0

vendor:adobemodel:flash playerscope:gteversion:11.0

Trust: 1.0

vendor:susemodel:linux enterprise desktopscope:eqversion:10

Trust: 1.0

vendor:redhatmodel:enterprise linux serverscope:eqversion:6.0

Trust: 1.0

vendor:adobemodel:flash playerscope:ltversion:11.1.115.58

Trust: 1.0

vendor:adobemodel:airscope:ltversion:3.7.0.1860

Trust: 1.0

vendor:susemodel:linux enterprise desktopscope:eqversion:11

Trust: 1.0

vendor:redhatmodel:enterprise linux server eusscope:eqversion:5.9

Trust: 1.0

vendor:adobemodel:flash playerscope:ltversion:11.2.202.285

Trust: 1.0

vendor:googlemodel:chromescope:ltversion:26 installed on adobe flash player 11.7.700.202 (windows

Trust: 0.8

vendor:googlemodel:chromescope:eqversion:linux

Trust: 0.8

vendor:googlemodel:chromescope:eqversion:and macintosh)

Trust: 0.8

vendor:adobemodel:airscope:ltversion:3.7.0.1860 (windows

Trust: 0.8

vendor:adobemodel:airscope:eqversion:macintosh

Trust: 0.8

vendor:adobemodel:airscope:eqversion:and android)

Trust: 0.8

vendor:adobemodel:air sdkscope:ltversion:(sdk & compiler) 3.7.0.1860

Trust: 0.8

vendor:adobemodel:flash playerscope:ltversion:11.1.111.54 (android 2.x and 3.x)

Trust: 0.8

vendor:adobemodel:flash playerscope:ltversion:11.1.115.58 (android 4.x)

Trust: 0.8

vendor:adobemodel:flash playerscope:ltversion:11.2.202.285 (linux)

Trust: 0.8

vendor:adobemodel:flash playerscope:ltversion:11.7.700.202 (windows and macintosh)

Trust: 0.8

vendor:microsoftmodel:internet explorerscope:ltversion:10 (adobe flash player 11.7.700.202 )

Trust: 0.8

vendor:microsoftmodel:windowsscope:ltversion:rt (adobe flash player 11.7.700.202 )

Trust: 0.8

vendor:microsoftmodel:windows 8scope:ltversion:for 32-bit systems (adobe flash player 11.7.700.202 )

Trust: 0.8

vendor:microsoftmodel:windows 8scope:ltversion:for 64-bit systems (adobe flash player 11.7.700.202 )

Trust: 0.8

vendor:microsoftmodel:windows serverscope:ltversion:2012 (adobe flash player 11.7.700.202 )

Trust: 0.8

vendor:adobemodel:air sdkscope:eqversion:3.0.0.4080

Trust: 0.6

vendor:adobemodel:air sdkscope:eqversion:3.2.0.2070

Trust: 0.6

vendor:adobemodel:air sdkscope:eqversion:3.5.0.600

Trust: 0.6

vendor:adobemodel:air sdkscope:eqversion:3.4.0.2540

Trust: 0.6

vendor:adobemodel:air sdkscope:eqversion:3.5.0.890

Trust: 0.6

vendor:adobemodel:air sdkscope:eqversion:3.1.0.488

Trust: 0.6

vendor:adobemodel:air sdkscope:eqversion:3.3.0.3650

Trust: 0.6

vendor:adobemodel:air sdkscope:eqversion:3.5.0.1060

Trust: 0.6

vendor:adobemodel:air sdkscope:eqversion:3.4.0.2710

Trust: 0.6

vendor:adobemodel:air sdkscope:eqversion:3.3.0.3690

Trust: 0.6

vendor:susemodel:linux enterprise desktop sp2scope:eqversion:11

Trust: 0.3

vendor:susemodel:linux enterprise desktop sp4scope:eqversion:10

Trust: 0.3

vendor:susemodel:opensusescope:eqversion:11.4

Trust: 0.3

vendor:srwaremodel:ironscope:eqversion:9.0.600.1

Trust: 0.3

vendor:srwaremodel:ironscope:eqversion:8.0.555.1

Trust: 0.3

vendor:srwaremodel:ironscope:eqversion:8.0.555.0

Trust: 0.3

vendor:srwaremodel:ironscope:eqversion:18.0.1050.0

Trust: 0.3

vendor:srwaremodel:ironscope:eqversion:15.0.900.1

Trust: 0.3

vendor:srwaremodel:ironscope:eqversion:13.0.800.0

Trust: 0.3

vendor:srwaremodel:ironscope:eqversion:13.0

Trust: 0.3

vendor:srwaremodel:ironscope:eqversion:11.0.700.2

Trust: 0.3

vendor:srwaremodel:ironscope:eqversion:11.0.700.1

Trust: 0.3

vendor:srwaremodel:ironscope:eqversion:11.0.700.0

Trust: 0.3

vendor:redmodel:hat enterprise linux workstation supplementaryscope:eqversion:6

Trust: 0.3

vendor:redmodel:hat enterprise linux supplementary serverscope:eqversion:5

Trust: 0.3

vendor:redmodel:hat enterprise linux server supplementaryscope:eqversion:6

Trust: 0.3

vendor:redmodel:hat enterprise linux desktop supplementaryscope:eqversion:6

Trust: 0.3

vendor:redmodel:hat enterprise linux desktop supplementary clientscope:eqversion:5

Trust: 0.3

sources: BID: 59892 // JVNDB: JVNDB-2013-002693 // CNNVD: CNNVD-201305-352 // NVD: CVE-2013-3326

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-3326
value: HIGH

Trust: 1.0

NVD: CVE-2013-3326
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201305-352
value: CRITICAL

Trust: 0.6

VULHUB: VHN-63328
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2013-3326
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-63328
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-63328 // JVNDB: JVNDB-2013-002693 // CNNVD: CNNVD-201305-352 // NVD: CVE-2013-3326

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-63328 // JVNDB: JVNDB-2013-002693 // NVD: CVE-2013-3326

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201305-352

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201305-352

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-002693

PATCH

title:APSB13-14url:http://www.adobe.com/support/security/bulletins/apsb13-14.html

Trust: 0.8

title:APSB13-14 (cq05140122)url:http://helpx.adobe.com/jp/flash-player/kb/cq05140122.html

Trust: 0.8

title:Google Chromeurl:http://www.google.co.jp/chrome/intl/ja/landing_ff_yt.html?hl=ja&hl=ja

Trust: 0.8

title:Flash Player Updateurl:http://googlechromereleases.blogspot.jp/2013/05/flash-player-update.html

Trust: 0.8

title:Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10 (2755801)url:http://technet.microsoft.com/en-us/security/advisory/2755801

Trust: 0.8

title:SUSE-SU-2013:0798url:http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00003.html

Trust: 0.8

title:openSUSE-SU-2013:0892url:http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00003.html

Trust: 0.8

title:openSUSE-SU-2013:0954url:http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00010.html

Trust: 0.8

title:RHSA-2013:0825url:http://rhn.redhat.com/errata/RHSA-2013-0825.html

Trust: 0.8

title:Internet Explorer 10 上の Adobe Flash Player の脆弱性用の更新プログラム (2755801)url:http://technet.microsoft.com/ja-jp/security/advisory/2755801

Trust: 0.8

title:アドビ システムズ社 Adobe Flash Player の脆弱性に関するお知らせurl:http://www.fmworld.net/biz/common/adobe/20130516f.html

Trust: 0.8

title:install_flashplayer11x32ax_mssd_aihurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=45963

Trust: 0.6

title:install_flash_player_11_linux.i386url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=45965

Trust: 0.6

title:install_flash_player_osxurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=45964

Trust: 0.6

sources: JVNDB: JVNDB-2013-002693 // CNNVD: CNNVD-201305-352

EXTERNAL IDS

db:NVDid:CVE-2013-3326

Trust: 2.9

db:SECUNIAid:53442

Trust: 1.7

db:JVNDBid:JVNDB-2013-002693

Trust: 0.8

db:CNNVDid:CNNVD-201305-352

Trust: 0.7

db:BIDid:59892

Trust: 0.4

db:VULHUBid:VHN-63328

Trust: 0.1

db:PACKETSTORMid:121646

Trust: 0.1

sources: VULHUB: VHN-63328 // BID: 59892 // JVNDB: JVNDB-2013-002693 // PACKETSTORM: 121646 // CNNVD: CNNVD-201305-352 // NVD: CVE-2013-3326

REFERENCES

url:http://www.adobe.com/support/security/bulletins/apsb13-14.html

Trust: 1.8

url:http://rhn.redhat.com/errata/rhsa-2013-0825.html

Trust: 1.8

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a17050

Trust: 1.7

url:http://secunia.com/advisories/53442

Trust: 1.7

url:http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00003.html

Trust: 1.7

url:http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00003.html

Trust: 1.7

url:http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00010.html

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-3326

Trust: 0.8

url:http://www.ipa.go.jp/security/ciadr/vul/20130515-adobeflashplayer.html

Trust: 0.8

url:https://www.jpcert.or.jp/at/2013/at130025.txt

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-3326

Trust: 0.8

url:http://www.npa.go.jp/cyberpolice/topics/?seq=11478

Trust: 0.8

url:http://www.adobe.com/products/air/

Trust: 0.3

url:http://www.adobe.com/products/flash/

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2013-3333

Trust: 0.1

url:https://access.redhat.com/security/updates/classification/#critical

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3329

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3324

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3325.html

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3335.html

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3331.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3334

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-2728

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3327.html

Trust: 0.1

url:https://access.redhat.com/security/team/contact/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3332

Trust: 0.1

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3332.html

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3324.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3335

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3334.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3326

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3330.html

Trust: 0.1

url:https://access.redhat.com/knowledge/articles/11258

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3326.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3331

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3328.html

Trust: 0.1

url:https://access.redhat.com/security/team/key/#package

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3333.html

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-3329.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3327

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3328

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3330

Trust: 0.1

url:http://bugzilla.redhat.com/):

Trust: 0.1

url:https://www.redhat.com/security/data/cve/cve-2013-2728.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3325

Trust: 0.1

sources: VULHUB: VHN-63328 // BID: 59892 // JVNDB: JVNDB-2013-002693 // PACKETSTORM: 121646 // CNNVD: CNNVD-201305-352 // NVD: CVE-2013-3326

CREDITS

Mateusz Jurczyk and Ben Hawkes of the Google Security Team

Trust: 0.3

sources: BID: 59892

SOURCES

db:VULHUBid:VHN-63328
db:BIDid:59892
db:JVNDBid:JVNDB-2013-002693
db:PACKETSTORMid:121646
db:CNNVDid:CNNVD-201305-352
db:NVDid:CVE-2013-3326

LAST UPDATE DATE

2024-08-14T12:17:22.696000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-63328date:2020-08-25T00:00:00
db:BIDid:59892date:2014-05-14T12:54:00
db:JVNDBid:JVNDB-2013-002693date:2013-12-19T00:00:00
db:CNNVDid:CNNVD-201305-352date:2020-08-26T00:00:00
db:NVDid:CVE-2013-3326date:2020-08-25T13:21:58.700

SOURCES RELEASE DATE

db:VULHUBid:VHN-63328date:2013-05-16T00:00:00
db:BIDid:59892date:2013-05-14T00:00:00
db:JVNDBid:JVNDB-2013-002693date:2013-05-17T00:00:00
db:PACKETSTORMid:121646date:2013-05-15T15:55:00
db:CNNVDid:CNNVD-201305-352date:2013-05-17T00:00:00
db:NVDid:CVE-2013-3326date:2013-05-16T11:45:31.537