National Vulnerability Database (NVD) National Vulnerability Database (CVE-2010-2189)

National Cyber Awareness System

Vulnerability Summary for CVE-2010-2189

Original release date:06/15/2010

Last revised:02/02/2011

Source: US-CERT/NIST

Overview

Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, when used in conjunction with VMWare Tools on a VMWare platform, allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors.

Description

Per:http://www.adobe.com/support/security/bulletins/apsb10-14.html 'This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2189). Note: This issue occurs only on VMWare systems with VMWare Tools enabled.'

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C) (legend)

Impact Subscore: 10.0

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type:Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

US-CERT Technical Alert: TA10-162A

Name: TA10-162A

Hyperlink:http://www.us-cert.gov/cas/techalerts/TA10-162A.html

External Source: CONFIRM

Name: http://www.adobe.com/support/security/bulletins/apsb10-14.html

Type: Advisory; Patch Information

Hyperlink:http://www.adobe.com/support/security/bulletins/apsb10-14.html

External Source: XF

Name: adobe-fpair-vmware-code-execution(59338)

Hyperlink:http://xforce.iss.net/xforce/xfdb/59338

External Source: VUPEN

Name: ADV-2011-0192

Hyperlink:http://www.vupen.com/english/advisories/2011/0192

External Source: VUPEN

Name: ADV-2010-1793

Hyperlink:http://www.vupen.com/english/advisories/2010/1793

External Source: VUPEN

Name: ADV-2010-1522

Hyperlink:http://www.vupen.com/english/advisories/2010/1522

External Source: VUPEN

Name: ADV-2010-1482

Hyperlink:http://www.vupen.com/english/advisories/2010/1482

External Source: VUPEN

Name: ADV-2010-1434

Hyperlink:http://www.vupen.com/english/advisories/2010/1434

External Source: VUPEN

Name: ADV-2010-1421

Hyperlink:http://www.vupen.com/english/advisories/2010/1421

External Source: TURBO

Name: TLSA-2010-19

Hyperlink:http://www.turbolinux.co.jp/security/2010/TLSA-2010-19j.txt

External Source: BID

Name: 40799

Hyperlink:http://www.securityfocus.com/bid/40799

External Source: BID

Name: 40759

Hyperlink:http://www.securityfocus.com/bid/40759

External Source: CONFIRM

Name: http://support.apple.com/kb/HT4435

Hyperlink:http://support.apple.com/kb/HT4435

External Source: SECTRACK

Name: 1024086

Hyperlink:http://securitytracker.com/id?1024086

External Source: SECTRACK

Name: 1024085

Hyperlink:http://securitytracker.com/id?1024085

External Source: GENTOO

Name: GLSA-201101-09

Hyperlink:http://security.gentoo.org/glsa/glsa-201101-09.xml

External Source: SECUNIA

Name: 43026

Hyperlink:http://secunia.com/advisories/43026

External Source: SECUNIA

Name: 40545

Hyperlink:http://secunia.com/advisories/40545

External Source: SECUNIA

Name: 40144

Hyperlink:http://secunia.com/advisories/40144

External Source: OVAL

Name: oval:org.mitre.oval:def:6991

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:6991

External Source: SUSE

Name: SUSE-SR:2010:013

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html

External Source: SUSE

Name: SUSE-SA:2010:024

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00000.html

External Source: APPLE

Name: APPLE-SA-2010-11-10-1

Hyperlink:http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html

External Source: HP

Name: HPSBMA02547

Hyperlink:http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02273751

External Source: HP

Name: HPSBMA02547

Hyperlink:http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02273751

References to Check Content

Identifier:oval:org.mitre.oval:def:6991

Check System:http://oval.mitre.org/XMLSchema/oval-definitions-5

Hyperlink:http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:6991

Vulnerable software and versions

Configuration 1

* cpe:/a:adobe:flash_player:9.0.260.0

* cpe:/a:adobe:flash_player:9.0.246.0

* cpe:/a:adobe:flash_player:9.0.159.0

* cpe:/a:adobe:flash_player:9.0.152.0

* cpe:/a:adobe:flash_player:9.0.151.0

* cpe:/a:adobe:flash_player:9.0.125.0

* cpe:/a:adobe:flash_player:9.0.124.0

* cpe:/a:adobe:flash_player:9.0.115.0

* cpe:/a:adobe:flash_player:9.0.48.0

* cpe:/a:adobe:flash_player:9.0.47.0

* cpe:/a:adobe:flash_player:9.0.45.0

* cpe:/a:adobe:flash_player:9.0.31.0

* cpe:/a:adobe:flash_player:9.0.31

* cpe:/a:adobe:flash_player:9.0.28.0

* cpe:/a:adobe:flash_player:9.0.20.0

* cpe:/a:adobe:flash_player:9.0.20

* cpe:/a:adobe:flash_player:9.0.16

* cpe:/a:adobe:flash_player:9.0.262.0

* cpe:/a:adobe:flash_player:9.0.28

Configuration 2

* cpe:/a:adobe:flash_player:10.0.0.584

* cpe:/a:adobe:flash_player:10.0.12.10

* cpe:/a:adobe:flash_player:10.0.12.36

* cpe:/a:adobe:flash_player:10.0.15.3

* cpe:/a:adobe:flash_player:10.0.22.87

* cpe:/a:adobe:flash_player:10.0.32.18

* cpe:/a:adobe:flash_player:10.0.42.34

* cpe:/a:adobe:flash_player:10.0.45.2 and previous versions

Configuration 3

* cpe:/a:adobe:flash_player:7

* cpe:/a:adobe:flash_player:7.0

* cpe:/a:adobe:flash_player:7.0.1

* cpe:/a:adobe:flash_player:7.0.25

* cpe:/a:adobe:flash_player:7.0.63

* cpe:/a:adobe:flash_player:7.0.69.0

* cpe:/a:adobe:flash_player:7.0.70.0

* cpe:/a:adobe:flash_player:7.1

* cpe:/a:adobe:flash_player:7.1.1

* cpe:/a:adobe:flash_player:7.2

* cpe:/a:adobe:flash_player:7.0.14.0

* cpe:/a:adobe:flash_player:7.0.19.0

* cpe:/a:adobe:flash_player:7.0.24.0

* cpe:/a:adobe:flash_player:7.0.53.0

* cpe:/a:adobe:flash_player:7.0.60.0

* cpe:/a:adobe:flash_player:7.0.61.0

* cpe:/a:adobe:flash_player:7.0.66.0

* cpe:/a:adobe:flash_player:7.0.68.0

* cpe:/a:adobe:flash_player:7.0.67.0

* cpe:/a:adobe:flash_player:7.0.73.0

* cpe:/a:adobe:flash_player:6.0.79

* cpe:/a:macromedia:flash_player:5.0.30.0

* cpe:/a:macromedia:flash_player:5.0.58.0

* cpe:/a:macromedia:flash_player:5.0.41.0

* cpe:/a:macromedia:flash_player:5.0.42.0

* cpe:/a:macromedia:flash_player:5.0

* cpe:/a:adobe:flash_player:8

* cpe:/a:adobe:flash_player:8.0

* cpe:/a:adobe:flash_player:8.0.22.0

* cpe:/a:adobe:flash_player:8.0.24.0

* cpe:/a:adobe:flash_player:8.0.33.0

* cpe:/a:adobe:flash_player:8.0.34.0

* cpe:/a:adobe:flash_player:8.0.35.0

* cpe:/a:adobe:flash_player:8.0.39.0

* cpe:/a:adobe:flash_player:8.0.42.0

Configuration 4

* cpe:/a:adobe:air:1.0

* cpe:/a:adobe:air:1.1

* cpe:/a:adobe:air:1.5

* cpe:/a:adobe:air:1.5.1

* cpe:/a:adobe:air:1.5.2

* cpe:/a:adobe:air:1.5.3

* cpe:/a:adobe:air:1.5.3.9130 and previous versions

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

Buffer Errors (CWE-119)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2189