Vulnerability CVE-2017-2991

Vulnerability Name:

CVE-2017-2991 (CCN-121819)

Assigned:

2016-12-02

Published:

2017-02-14

Updated:

2022-11-17

Summary:

Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable memory corruption vulnerability in the h264 codec (related to decompression). Successful exploitation could lead to arbitrary code execution.

CVSS v3 Severity:

8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

8.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
7.7 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-787

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2017-2991

Source: CCN
Type: RHSA-2017-0275
Critical: flash-plugin security update

Source: REDHAT
Type: Third Party Advisory
RHSA-2017:0275

Source: BID
Type: Broken Link, Third Party Advisory, VDB Entry
96190

Source: SECTRACK
Type: Broken Link, Third Party Advisory, VDB Entry
1037815

Source: XF
Type: UNKNOWN
adobe-flash-cve20172991-code-exec(121819)

Source: CCN
Type: Adobe Security Bulletin APSB17-04
Security updates available for Adobe Flash Player

Source: CONFIRM
Type: Patch, Vendor Advisory
https://helpx.adobe.com/security/products/flash-player/apsb17-04.html

Source: GENTOO
Type: Third Party Advisory
GLSA-201702-20

Vulnerable Configuration:

Configuration 1:

cpe:/a:adobe:flash_player:*:*:*:*:*:chrome:*:* (Version <= 24.0.0.194)

AND

cpe:/o:microsoft:windows:-:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:-:*:*:*:*:*:*:*

OR cpe:/o:google:chrome_os:-:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:-:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:adobe:flash_player:*:*:*:*:*:edge:*:* (Version <= 24.0.0.194)

OR cpe:/a:adobe:flash_player:*:*:*:*:*:internet_explorer:*:* (Version <= 24.0.0.194)

AND

cpe:/o:microsoft:windows_8.1:-:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_10:-:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:adobe:flash_player_desktop_runtime:*:*:*:*:*:*:*:* (Version <= 24.0.0.194)

AND

cpe:/o:microsoft:windows:-:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:-:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:-:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20172991	V	CVE-2017-2991	2022-05-20
oval:org.opensuse.security:def:55986	P	Security update for xorg-x11-server (Important)	2021-12-14
oval:org.opensuse.security:def:47306	P	libIlmImf-Imf_2_1-21-2.1.0-4.3 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47065	P	libpoppler44-0.24.4-12.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47377	P	libmpfr4-3.1.2-7.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47149	P	rtkit-0.11_git201205151338-8.14 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48015	P	gdk-pixbuf-loader-rsvg-2.40.20-5.6.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48069	P	libSDL-1_2-0-1.2.15-15.11.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47211	P	autofs-5.0.9-27.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47275	P	grub2-2.02-2.12 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:11970	P	mailx-12.5-28.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11828	P	gtk2-data-2.24.31-7.11 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11979	P	p7zip-9.20.1-6.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11903	P	libldap-2_4-2-2.4.41-18.25.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11992	P	perl-YAML-LibYAML-0.38-10.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11928	P	libpoppler44-0.24.4-12.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12630	P	libssh4-0.6.3-12.6.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11679	P	openslp-2.0.0-5.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12652	P	libxerces-c-3_1-3.1.1-12.3 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46481	P	libgc1-7.2d-3.75 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11701	P	python-2.7.9-20.2 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46613	P	apache-commons-httpclient-3.1-4.498 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11747	P	xorg-x11-7.6_1-14.17 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11671	P	logrotate-3.8.7-3.21 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46704	P	libXinerama1-1.1.3-3.55 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11794	P	e2fsprogs-1.42.11-7.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46851	P	sysconfig-0.83.8-7.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11809	P	fuse-2.9.3-5.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:55912	P	Security update for spice-gtk (Important)	2021-06-08
oval:org.opensuse.security:def:24660	P	Security update for python (Moderate)	2020-12-01
oval:org.opensuse.security:def:53135	P	Security update for libxml2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:24461	P	Security update for wireshark (Moderate)	2020-12-01
oval:org.opensuse.security:def:24741	P	Security update for cifs-utils (Moderate)	2020-12-01
oval:org.opensuse.security:def:53275	P	Security update for util-linux and shadow (Moderate)	2020-12-01
oval:org.opensuse.security:def:46156	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:24797	P	Security update for kernel-firmware (Important)	2020-12-01
oval:org.opensuse.security:def:53513	P	Security update for grub2 (Important)	2020-12-01
oval:org.opensuse.security:def:46169	P	Security update for glib2 (Important)	2020-12-01
oval:org.opensuse.security:def:25170	P	Security update for git (Moderate)	2020-12-01
oval:org.opensuse.security:def:53112	P	Security update for python (Moderate)	2020-12-01
oval:org.opensuse.security:def:24880	P	Security update for ncurses (Important)	2020-12-01
oval:org.opensuse.security:def:53686	P	Security update for ovmf (Moderate)	2020-12-01
oval:org.opensuse.security:def:46289	P	Security update for java-1_8_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:25184	P	Security update for vim (Moderate)	2020-12-01
oval:org.opensuse.security:def:54443	P	cups on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25030	P	Security update for ghostscript (Important)	2020-12-01
oval:org.opensuse.security:def:53792	P	Security update for libreoffice (Moderate)	2020-12-01
oval:org.opensuse.security:def:25228	P	Security update for LibreOffice (Moderate)	2020-12-01
oval:org.opensuse.security:def:54517	P	libXcursor1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:46155	P	Security update for postgresql10 (Low)	2020-12-01
oval:org.opensuse.security:def:25083	P	Security update for LibVNCServer (Critical)	2020-12-01
oval:org.opensuse.security:def:53958	P	facter on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25866	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:54555	P	libid3tag0 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:24471	P	Security update for kernel-source (Important)	2020-12-01
oval:org.opensuse.security:def:54243	P	libXinerama1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25901	P	Security update for flash-player (Important)	2020-12-01
oval:org.opensuse.security:def:54636	P	ntp on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:24534	P	Security update for gpg2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:53113	P	Security update for python-urllib3 (Moderate)	2020-12-01
oval:org.opensuse.security:def:54351	P	perl-32bit on GA media (Moderate)	2020-12-01
oval:org.cisecurity:def:1890	V	Vulnerability in Adobe Flash Player versions 24.0.0.194 and earlier - CVE-2017-2991	2017-03-10
oval:org.opensuse.security:def:78620	P	Security update for flash-player (Important)	2017-02-20
oval:com.ubuntu.precise:def:20172991000	V	CVE-2017-2991 on Ubuntu 12.04 LTS (precise) - medium.	2017-02-15
oval:com.ubuntu.trusty:def:20172991000	V	CVE-2017-2991 on Ubuntu 14.04 LTS (trusty) - medium.	2017-02-15
oval:com.ubuntu.xenial:def:201729910000000	V	CVE-2017-2991 on Ubuntu 16.04 LTS (xenial) - medium.	2017-02-15
oval:com.ubuntu.xenial:def:20172991000	V	CVE-2017-2991 on Ubuntu 16.04 LTS (xenial) - medium.	2017-02-15

BACK