1242216 – (CVE-2015-5122, CVE-2015-5123) CVE-2015-5122 CVE-2015-5123 flash-plugin: two code execution issues in APSA15-04 / APSB15-18

Bug 1242216 (CVE-2015-5122, CVE-2015-5123) - CVE-2015-5122 CVE-2015-5123 flash-plugin: two code execution issues in APSA15-04 / APSB15-18

Summary: CVE-2015-5122 CVE-2015-5123 flash-plugin: two code execution issues in APSA15...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-5122, CVE-2015-5123
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1242218 1242219 1242220
Blocks:	1242217
TreeView+	depends on / blocked

Reported:	2015-07-12 11:49 UTC by Tomas Hoger
Modified:	2024-09-01 08:48 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2015-07-16 17:24:45 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1235	0	normal	SHIPPED_LIVE	Critical: flash-plugin security update	2015-07-16 21:09:16 UTC

Description Tomas Hoger 2015-07-12 11:49:36 UTC

Adobe Security Advisory APSA15-04 for Adobe Flash Player documents two flaws that can possibly lead to arbitrary code execution when Flash Player is used to play a specially crafted SWF file.

Quoting from the APSA15-04:

Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.  

Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly. Adobe expects to make updates available during the week of July 12, 2015.

https://helpx.adobe.com/security/products/flash-player/apsa15-04.html

Comment 2 Tomas Hoger 2015-07-12 12:02:44 UTC

These issues, similar to recently fixed CVE-2015-5119 (bug 1240832), are also related to the Hacking Team compromise incident:

CVE-2015-5122
https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-5122_-_seco.html
http://blog.trendmicro.com/trendlabs-security-intelligence/another-zero-day-vulnerability-arises-from-hacking-team-data-leak/

CVE-2015-5123
http://blog.trendmicro.com/trendlabs-security-intelligence/new-zero-day-vulnerability-cve-2015-5123-in-adobe-flash-emerges-from-hacking-team-leak/

Comment 3 Tomas Hoger 2015-07-14 17:18:10 UTC

Adobe Security Bulletin APSB15-18 for Adobe Flash Player was published for these issues.  Updates fixing them are available for most supported platforms.  However, updates for version 11.2.x for Linux are still not available.  The Bulletin mentions they are still expected to be available some time this week:

  Adobe will provide an update for Flash Player for Linux during the week of
  July 12.  The update will be available by visiting the Adobe Flash Player
  Download Center.  Please continue to monitor the PSIRT blog for updates.

External References:

https://helpx.adobe.com/security/products/flash-player/apsb15-18.html
https://helpx.adobe.com/security/products/flash-player/apsa15-04.html

Comment 4 errata-xmlrpc 2015-07-16 17:09:36 UTC

This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2015:1235 https://rhn.redhat.com/errata/RHSA-2015-1235.html

Note You need to log in before you can comment on or make changes to this bug.