==================================================================== CERT-Renater Note d'Information No. 2019/VULN087 _____________________________________________________________________ DATE : 11/04/2019 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Adobe Shockwave Player versions prior to 12.3.5.205. ===================================================================== https://helpx.adobe.com/security/products/shockwave/apsb19-20.html _____________________________________________________________________ Adobe Security Bulletin Security update available for Adobe Shockwave Player | APSB19-20 +-------------------------+--------------------------------+------------------+ |Bulletin ID |Date Published |Priority | +-------------------------+--------------------------------+------------------+ |APSB19-20 |April 09, 2019 |2 | +-------------------------+--------------------------------+------------------+ Summary Adobe has released a security update for Adobe Shockwave Player for Windows. This update resolves multiple critical memory corruption vulnerabilities that could lead to arbitrary code execution in the context of the current user. Affected product version +----------------------+----------------------+----------------------+ | Product | Version | Platform | +----------------------+----------------------+----------------------+ |Adobe Shockwave Player|12.3.4.204 and earlier|Windows | +----------------------+----------------------+----------------------+ Solution Adobe categorizes this update with the following priority rating and recommends users update their installation to the newest version by following the instructions below: +------------------+----------+--------+------------+-------------------------+ | Product | Version |Platform| Priority | Availability | | | | | rating | | +------------------+----------+--------+------------+-------------------------+ |Adobe Shockwave |12.3.5.205|Windows |2 |Shockwave Player Download| |Player | | | |Center | +------------------+----------+--------+------------+-------------------------+ Note: o Beginning with version 12.3.5.205, support for .dir (director movie extension) has been removed from the player. o Shockwave will be retired on April 9, 2019. For more information visit Shockwave End of Life HelpX FAQ Vulnerability Details +------------------------+--------------------------+----------+--------------+ |Vulnerability Category |Vulnerability Impact |Severity |CVE Number| +------------------------+--------------------------+----------+--------------+ |Memory Corruption |Arbitrary Code Execution |Critical |CVE-2019-7098 | +------------------------+--------------------------+----------+--------------+ |Memory Corruption |Arbitrary Code Execution |Critical |CVE-2019-7099 | +------------------------+--------------------------+----------+--------------+ |Memory Corruption |Arbitrary Code Execution |Critical |CVE-2019-7100 | +------------------------+--------------------------+----------+--------------+ |Memory Corruption |Arbitrary Code Execution |Critical |CVE-2019-7101 | +------------------------+--------------------------+----------+--------------+ |Memory Corruption |Arbitrary Code Execution |Critical |CVE-2019-7102 | +------------------------+--------------------------+----------+--------------+ |Memory Corruption |Arbitrary Code Execution |Critical |CVE-2019-7103 | +------------------------+--------------------------+----------+--------------+ |Memory Corruption |Arbitrary Code Execution |Critical |CVE-2019-7104 | +------------------------+--------------------------+----------+--------------+ Acknowledgments Adobe would like to thank Honggang Ren of Fortinet's FortiGuard Labs for reporting this issue and for working with Adobe to help protect our customers. ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================