Bug 1240832 (CVE-2015-5119)
Summary: | CVE-2015-5119 flash-plugin: code execution issue in APSA15-03 / APSB15-16 | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | | |
Version: | unspecified | CC: | ed.costello, emhuang, mmelanso, mtilburg, stransky |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | flash-plugin 11.2.202.481 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2015-07-08 21:29:19 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1240835, 1240836, 1240837 | | |
Bug Blocks: | 1240834 | | |

Description
Tomas Hoger
2015-07-07 21:21:43 UTC
According to the information from CERT and antivirus vendors, this issue was made public when an exploit for it was found in the data dump from the Hacking Team incident. The issue is reported to be a use-after-free vulnerability in ActionScript 3 ByteArray. Exploits for this flaw are being incorporated into popular exploit kits.

http://www.kb.cert.org/vuls/id/561288
http://www.symantec.com/connect/blogs/leaked-flash-zero-day-likely-be-exploited-attackers
http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/
http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-zero-day-integrated-into-exploit-kits/

This issue is fixed now in version 11.2.202.481.

Adobe Security Bulletin APSB15-16 for Adobe Flash Player confirms this is a use-after-free vulnerability:

These updates resolve use-after-free vulnerabilities that could lead to code execution (..., CVE-2015-5119).

External References:

https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html

This issue has been addressed in the following products:

Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2015:1214 https://rhn.redhat.com/errata/RHSA-2015-1214.html