Bug 740201 (CVE-2011-2444)

Summary: CVE-2011-2444 acroread, flash-plugin: Cross-site scripting vulnerability fixed in APSB11-26
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jlieskov, security-response-team, stransky, vdanen
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20110921,reported=20110921,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,rhel-5.8/flash-plugin=affected,rhel-6.2/flash-plugin=affected,rhel-4.9/acroread=affected,rhel-5.8/acroread=affected,rhel-6.2/acroread=affected,cwe=CWE-79[auto]
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-14 14:25:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 737587, 737588, 737589, 740208, 740210    
Bug Blocks: 740205, 751852    

Description Huzaifa S. Sidhpurwala 2011-09-21 09:43:36 UTC
Adobe will release update for flash-plugin on 21st Sept 2011
http://blogs.adobe.com/psirt/2011/09/prenotification-security-update-for-flash-player.html

This bug is used for:
"important universal cross-site scripting issue that is reportedly being exploited in the wild in targeted attacks."

Comment 2 Vincent Danen 2011-09-21 20:40:06 UTC
APSB11-26 [1] resolves the following flaw:

This update resolves a universal cross-site scripting issue that could be used to take actions on a user's behalf on any website or webmail provider if the user visits a malicious website (CVE-2011-2444).

Note: There are reports that this issue is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.

[1] http://www.adobe.com/support/security/bulletins/apsb11-26.html

Comment 3 errata-xmlrpc 2011-09-22 16:54:21 UTC
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2011:1333 https://rhn.redhat.com/errata/RHSA-2011-1333.html

Comment 4 errata-xmlrpc 2011-11-08 11:14:14 UTC
This issue has been addressed in following products:

  Extras for RHEL 4
  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2011:1434 https://rhn.redhat.com/errata/RHSA-2011-1434.html