(Red Hat Issues Fix) Adobe Flash Player Memory Errors Let Remote Users Obtain Potentially Sensitive Information and Execute Arbitrary Code
SecurityTracker Alert ID: 1040683
SecurityTracker URL: http://securitytracker.com/id/1040683
CVE-2018-4932, CVE-2018-4933, CVE-2018-4934, CVE-2018-4935, CVE-2018-4936, CVE-2018-4937
Date: Apr 16 2018
Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Multiple vulnerabilities were reported in Adobe Flash Player. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can obtain potentially sensitive information on the target system.
A remote user can create specially crafted content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A use-after-free memory error may occur [CVE-2018-4932].
An out-of-bounds memory write error may occur [CVE-2018-4935, CVE-2018-4937].
A remote user can create specially crafted content that, when loaded by the target user, will access potentially sensitive information on the target user's system.
An out-of-bounds memory read error may occur [CVE-2018-4933, CVE-2018-4934].
A heap overflow may occur [CVE-2018-4936].
Lin Wang of Beihang University, Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero, and willJ of Tencent PC Manager reported these vulnerabilities.
A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can obtain potentially sensitive information on the target system.
Red Hat has issued a fix.
The Red Hat advisory is available at:
Vendor URL: access.redhat.com/errata/RHSA-2018:1119
Access control error, Boundary error
Underlying OS: Linux (Red Hat Enterprise)
Underlying OS Comments: 6
This archive entry is a follow-up to the message listed below.
Source Message Contents
Subject: [RHSA-2018:1119-01] Critical: flash-plugin security update
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2018:1119-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://access.redhat.com/errata/RHSA-2018:1119
Issue date: 2018-04-11
CVE Names: CVE-2018-4932 CVE-2018-4933 CVE-2018-4934 CVE-2018-4935 CVE-2018-4936 CVE-2018-4937
An update for flash-plugin is now available for Red Hat Enterprise Linux 6
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
This update upgrades Flash Player to version 220.127.116.11.
* flash-plugin: Remote Code Execution vulnerabilities (APSB18-08)
(CVE-2018-4932, CVE-2018-4935, CVE-2018-4937)
* flash-plugin: Information Disclosure vulnerabilities (APSB18-08)
(CVE-2018-4933, CVE-2018-4934, CVE-2018-4936)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
5. Bugs fixed (https://bugzilla.redhat.com/):
1565799 - CVE-2018-4936 CVE-2018-4933 CVE-2018-4934 flash-plugin: Information Disclosure vulnerabilities (APSB18-08)
1565800 - CVE-2018-4935 CVE-2018-4937 CVE-2018-4932 flash-plugin: Remote Code Execution vulnerabilities (APSB18-08)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
Red Hat Enterprise Linux Server Supplementary (v. 6):
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
The Red Hat security contact is <firstname.lastname@example.org>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2018 Red Hat, Inc.
RHSA-announce mailing list