Vulnerability CVE-2017-3063

Vulnerability Name:

CVE-2017-3063 (CCN-124284)

Assigned:

2016-12-02

Published:

2017-04-11

Updated:

2018-01-05

Summary:

Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable use after free vulnerability in the ActionScript2 NetStream class. Successful exploitation could lead to arbitrary code execution.

CVSS v3 Severity:

9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

8.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
7.7 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-416

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2017-3063

Source: BID
Type: Third Party Advisory, VDB Entry
97551

Source: CCN
Type: BID-97551
Adobe Flash Player APSB17-10 Multiple Use After Free Remote Code Execution Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1038225

Source: MISC
Type: Third Party Advisory, VDB Entry
http://www.zerodayinitiative.com/advisories/ZDI-17-279/

Source: REDHAT
Type: UNKNOWN
RHSA-2017:0934

Source: XF
Type: UNKNOWN
adobe-flash-cve20173063-code-exec(124284)

Source: CCN
Type: Adobe Security Bulletin APSB17-10
Security updates available for Adobe Flash Player

Source: CONFIRM
Type: Vendor Advisory
https://helpx.adobe.com/security/products/flash-player/apsb17-10.html

Source: GENTOO
Type: UNKNOWN
GLSA-201704-04

Source: CCN
Type: ZDI-17-279
(Pwn2Own) Adobe Flash NetStream Use-After-Free Remote Code Execution Vulnerability

Vulnerable Configuration:

Configuration 1:

cpe:/a:adobe:flash_player:*:*:*:*:*:edge:*:* (Version <= 25.0.0.127)

OR cpe:/a:adobe:flash_player:*:*:*:*:*:internet_explorer:*:* (Version <= 25.0.0.127)

AND

cpe:/o:microsoft:windows_10:*:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_8.1:*:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:adobe:flash_player:*:*:*:*:*:chrome:*:* (Version <= 25.0.0.127)

AND

cpe:/o:apple:mac_os_x:-:*:*:*:*:*:*:*

OR cpe:/o:google:chrome_os:-:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:-:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:adobe:flash_player:*:*:*:*:*:*:*:* (Version <= 25.0.0.127)

AND

cpe:/o:apple:mac_os_x:-:*:*:*:*:*:*:*

OR cpe:/o:linux:linux_kernel:-:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows:-:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20173063	V	CVE-2017-3063	2022-05-20
oval:org.opensuse.security:def:55941	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:48077	P	libXfont1-1.5.1-11.3.12 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47219	P	chrony-2.3-3.110 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47283	P	gv-3.7.4-1.36 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47314	P	libXfixes3-32bit-5.0.1-7.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47073	P	libsmi-0.4.8-18.55 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47385	P	libopenjp2-7-2.1.0-3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47157	P	strongswan-5.1.3-22.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48023	P	gnome-settings-daemon-3.20.1-50.16.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:12021	P	sysconfig-0.84.0-13.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11957	P	libvirt-2.0.0-26.2 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12659	P	libzip2-0.11.1-13.3.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11708	P	qemu-2.3.1-5.7 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12681	P	pam_ssh-2.0-1.40 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46489	P	libjbig2-2.0-12.13 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11730	P	tftp-5.2-10.3 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46621	P	avahi-0.6.31-20.59 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11776	P	cpio-2.11-29.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11700	P	puppet-3.6.2-3.62 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46712	P	libXxf86dga1-1.1.4-3.59 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11823	P	gpg2-2.0.24-3.2 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46859	P	tomcat-8.0.23-1.80 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11838	P	java-1_7_0-openjdk-1.7.0.111-33.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11999	P	python-cupshelpers-1.5.7-7.5 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11857	P	libXfixes3-32bit-5.0.1-3.53 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12008	P	rpcbind-0.2.3-21.4 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:11932	P	libpython3_4m1_0-3.4.1-12.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:56015	P	Security update for bind (Important)	2021-05-04
oval:org.opensuse.security:def:53542	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:46177	P	Security update for evince (Important)	2020-12-01
oval:org.opensuse.security:def:25178	P	Security update for Mesa (Moderate)	2020-12-01
oval:org.opensuse.security:def:53141	P	Security update for python-pip (Important)	2020-12-01
oval:org.opensuse.security:def:24888	P	Security update for tcpdump (Moderate)	2020-12-01
oval:org.opensuse.security:def:53715	P	Security update for systemd (Important)	2020-12-01
oval:org.opensuse.security:def:46297	P	Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP3) (Important)	2020-12-01
oval:org.opensuse.security:def:25192	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:54472	P	gd on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25038	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:53821	P	Security update for gnome-shell (Moderate)	2020-12-01
oval:org.opensuse.security:def:25236	P	Security update for libexif (Moderate)	2020-12-01
oval:org.opensuse.security:def:54546	P	libgadu3 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:46163	P	Security update for libxslt (Moderate)	2020-12-01
oval:org.opensuse.security:def:25091	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:53987	P	java-1_7_0-openjdk on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25874	P	Security update for flash-player (Important)	2020-12-01
oval:org.opensuse.security:def:54584	P	libpcsclite1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:24479	P	Security update for libxml2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:54272	P	libipa_hbac0 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25909	P	Security update for flash-player (Important)	2020-12-01
oval:org.opensuse.security:def:54665	P	python-pywbem on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:24542	P	Security update for libpcap (Important)	2020-12-01
oval:org.opensuse.security:def:53142	P	Security update for python-setuptools (Important)	2020-12-01
oval:org.opensuse.security:def:54380	P	shim on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:24668	P	Security update for texlive (Moderate)	2020-12-01
oval:org.opensuse.security:def:53164	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:24469	P	Security update for elfutils (Low)	2020-12-01
oval:org.opensuse.security:def:24749	P	Security update for libmspack (Moderate)	2020-12-01
oval:org.opensuse.security:def:53304	P	Security update for freetds (Moderate)	2020-12-01
oval:org.opensuse.security:def:46164	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:24805	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:com.ubuntu.precise:def:20173063000	V	CVE-2017-3063 on Ubuntu 12.04 LTS (precise) - medium.	2017-04-12
oval:com.ubuntu.xenial:def:201730630000000	V	CVE-2017-3063 on Ubuntu 16.04 LTS (xenial) - medium.	2017-04-12
oval:com.ubuntu.trusty:def:20173063000	V	CVE-2017-3063 on Ubuntu 14.04 LTS (trusty) - medium.	2017-04-12
oval:org.opensuse.security:def:78649	P	Security update for flash-player (Important)	2017-04-12
oval:com.ubuntu.xenial:def:20173063000	V	CVE-2017-3063 on Ubuntu 16.04 LTS (xenial) - medium.	2017-04-12

BACK