=====================================================================
CERT-Renater Information Note No. 2009/VULN546
_____________________________________________________________________
DATE                  : 21/12/2009
HARDWARE PLATFORM(S)  : /
OPERATING SYSTEM(S)   : Systems running Adobe Flash Media Server.
======================================================================

http://www.adobe.com/support/security/bulletins/apsb09-18.html
______________________________________________________________________

Security update available for Flash Media Server

Release date: December 18, 2009
Vulnerability identifier: APSB09-18
CVE number: CVE-2009-3791, CVE-2009-3792
Platform: All Platforms

Summary

Critical vulnerabilities have been identified in Adobe Flash Media Server (FMS) 3.5.2 and earlier versions. The vulnerabilities could allow an attacker who successfully exploits them to run malicious code on the affected system. Adobe has provided a solution for the reported vulnerabilities. It is recommended that users update their installations using the instructions provided below.

Affected software versions

Flash Media Server 3.5.2 and earlier versions

Solution

Adobe recommends Flash Media Server (FMS) users install FMS version 3.5.3, available here: http://www.adobe.com/support/flashmediaserver/downloads_updaters.html

Severity rating

Adobe categorizes this as a critical update and recommends that users apply the update for their product installations.

Details

Critical vulnerabilities have been identified in Adobe Flash Media Server (FMS) 3.5.2 and earlier versions. The vulnerabilities could allow an attacker who successfully exploits them to run malicious code on the affected system. Adobe has provided a solution for the reported vulnerabilities. It is recommended that users update their installations using the instructions provided above.

This update resolves a resource exhaustion vulnerability that could lead to a Denial of Service (DoS) (CVE-2009-3791).

This update resolves a directory traversal vulnerability that could lead to FMS loading arbitrary DLLs present on the server (CVE-2009-3792).

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

* Dirk Neely of Stickam (CVE-2009-3791)
* Björn Fröbe of Daimler TSS (CVE-2009-3792)

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44     +
+ 151 bd de l'Hopital   | fax  : 01-53-94-20-41     +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================
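Two defender-side checks for the issues in the Details section, written here as an added example and not Adobe's or CERT-Renater's code: a version comparison against the fixed release 3.5.3, and a module-path resolver showing the traversal pattern behind CVE-2009-3792 beside a contained version. The plugin directory and module names are constructed; FMS's real module-loading code is not described in the bulletin and is not reproduced.

```python
import os
from typing import Optional, Tuple

# Constructed values for this example; the bulletin does not describe
# FMS's module directory or how module paths are built.
PLUGIN_DIR = "/opt/fms/modules"
FIXED_VERSION = (3, 5, 3)   # FMS 3.5.3, the release APSB09-18 points users to


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '3.5.2' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))


def needs_update(installed: str) -> bool:
    """True when the installed FMS is 3.5.2 or earlier (the affected range)."""
    return parse_version(installed) < FIXED_VERSION


def resolve_module_vulnerable(plugin_dir: str, name: str) -> str:
    """Naive join: '..' segments in `name` walk out of plugin_dir.

    This is the directory-traversal bug class named for CVE-2009-3792:
    whatever file the path lands on is what gets loaded.
    """
    return os.path.normpath(os.path.join(plugin_dir, name))


def resolve_module_hardened(plugin_dir: str, name: str) -> Optional[str]:
    """Accept only a bare .dll filename whose resolved path stays inside plugin_dir."""
    # A module name is one filename component: no separators on any platform, no dot-dirs.
    if not name or "/" in name or "\\" in name or name in (".", ".."):
        return None
    if not name.lower().endswith(".dll"):
        return None
    base = os.path.realpath(plugin_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # realpath follows symlinks, so containment is re-checked after resolution;
    # commonpath also rejects prefix tricks such as '/opt/fms/modules-evil'.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```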