製品・ソフトウェアに関する情報

JVN脆弱性詳細

Adobe Flash Player および Adobe AIR におけるヒープベースのバッファオーバーフローの脆弱性

Title	Adobe Flash Player および Adobe AIR におけるヒープベースのバッファオーバーフローの脆弱性
Summary	Adobe Flash Player および Adobe AIR には、ヒープベースのバッファオーバーフローの脆弱性が存在します。
Possible impacts	第三者により、SWF ファイルの JPEG データの不正な領域を介して、任意のコードを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Dec. 8, 2009, midnight
Registration Date	Jan. 19, 2010, 3:52 p.m.
Last Update	Feb. 9, 2010, 12:35 p.m.

CVSS2.0 : 危険
Score	9.3
Vector	AV:N/AC:M/Au:N/C:C/I:C/A:C

Affected System

サン・マイクロシステムズ

OpenSolaris (sparc)

OpenSolaris (x86)

Sun Solaris 10 (sparc)

Sun Solaris 10 (x86)

レッドハット

Red Hat Enterprise Linux Extras 3 extras

Red Hat Enterprise Linux Extras 4 extras

Red Hat Enterprise Linux Extras 4.8.z extras

RHEL Desktop Supplementary 5 (client)

RHEL Supplementary 5 (server)

RHEL Supplementary EUS 5.4.z (server)

アドビシステムズ

Adobe AIR 1.5.2 およびそれ以前

Adobe Flash Player 10.0.32.18 およびそれ以前

アップル

Apple Mac OS X v10.5.8

Apple Mac OS X v10.6.2

Apple Mac OS X Server v10.5.8

Apple Mac OS X Server v10.6.2

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2009-3794	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3794
National Vulnerability Database (NVD)
2	CVE-2009-3794	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3794

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-119	https://jvndb.jvn.jp/ja/cwe/CWE-119.html

ベンダー情報

No	Name	URL
Adobe Security Bulletin
1	APSB09-19	http://www.adobe.com/support/security/bulletins/apsb09-19.html
Adobe セキュリティ情報
2	APSB09-19	http://www.adobe.com/jp/support/security/bulletins/apsb09-19.html
Apple Security Updates
3	HT4004	http://support.apple.com/kb/HT4004
Apple セキュリティアップデート
4	HT4004	http://support.apple.com/kb/HT4004?viewlocale=ja_JP
Red Hat Security Advisory
5	RHSA-2009:1657	https://rhn.redhat.com/errata/RHSA-2009-1657.html
6	RHSA-2009:1658	https://rhn.redhat.com/errata/RHSA-2009-1658.html
Sun Alert Notification
7	274250	http://sunsolve.sun.com/search/document.do?assetkey=1-66-274250-1
レッドハットセキュリティーアップデート
8	RHSA-2009:1657	https://www.jp.redhat.com/support/errata/RHSA/RHSA-2009-1657J.html
富士通セキュリティ情報
9	TA09-343A	http://software.fujitsu.com/jp/security/vulnerabilities/ta09-343a.html

その他

No	Name	URL
ISS X-Force Database
1	54631	http://xforce.iss.net/xforce/xfdb/54631
JPCERT 緊急報告
2	JPCERT-AT-2009-0026	http://www.jpcert.or.jp/at/2009/at090026.txt
JVN
3	JVNTA09-343A	http://jvn.jp/cert/JVNTA09-343A/
JVN Status Tracking Notes
4	JVNTR-2009-28	http://jvn.jp/tr/JVNTR-2009-28/index.html
OPEN SOURCE VULNERABILITY DATABASE (OSVDB)
5	60885	http://osvdb.org/60885
Secunia Advisory
6	SA37584	http://secunia.com/advisories/37584
SecurityFocus
7	37266	http://www.securityfocus.com/bid/37266
SecurityTracker
8	1023306	http://securitytracker.com/id?1023306
9	1023307	http://securitytracker.com/id?1023307
US-CERT Cyber Security Alerts
10	SA09-343A	http://www.us-cert.gov/cas/alerts/SA09-343A.html
US-CERT Technical Cyber Security Alert
11	TA09-343A	http://www.us-cert.gov/cas/techalerts/TA09-343A.html
VUPEN Security
12	VUPEN/ADV-2009-3456	http://www.vupen.com/english/advisories/2009/3456
警察庁 @police
13	アドビシステムズ社の Adobe Flash Player および Adobe AIR のセキュリティ修正プログラムについて	http://www.npa.go.jp/cyberpolice/#topics

Change Log

No	Changed Details	Date of change
0	[2010年01月19日] 掲載 [2010年02月09日] 影響を受けるシステム：アップル (HT4004) の情報を追加ベンダ情報：アップル (HT4004) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2009-3794

Summary	Heap-based buffer overflow in Adobe Flash Player before 10.0.42.34 and Adobe AIR before 1.5.3 allows remote attackers to execute arbitrary code via crafted dimensions of JPEG data in an SWF file.
Publication Date	Dec. 11, 2009, 4:30 a.m.
Registration Date	Jan. 29, 2021, 1:24 p.m.
Last Update	Oct. 31, 2018, 1:26 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:adobe:adobe_air:1.0:::::::*
cpe:2.3:a:adobe:adobe_air:1.0.1:::::::*
cpe:2.3:a:adobe:adobe_air:1.1:::::::*
cpe:2.3:a:adobe:adobe_air:1.5.1:::::::*
cpe:2.3:a:adobe:adobe_air::::::::		1.5.2
cpe:2.3:a:adobe:flash_player:7.0:::::::*
cpe:2.3:a:adobe:flash_player:7.0.1:::::::*
cpe:2.3:a:adobe:flash_player:7.0.25:::::::*
cpe:2.3:a:adobe:flash_player:7.0.63:::::::*
cpe:2.3:a:adobe:flash_player:7.0.69.0:::::::*
cpe:2.3:a:adobe:flash_player:7.0.70.0:::::::*
cpe:2.3:a:adobe:flash_player:7.1:::::::*
cpe:2.3:a:adobe:flash_player:7.1.1:::::::*
cpe:2.3:a:adobe:flash_player:7.2:::::::*
cpe:2.3:a:adobe:flash_player:8::pro:::::
cpe:2.3:a:adobe:flash_player:8::professional:::::
cpe:2.3:a:adobe:flash_player:8.0:::::::*
cpe:2.3:a:adobe:flash_player:8.0::basic:::::
cpe:2.3:a:adobe:flash_player:8.0::pro:::::
cpe:2.3:a:adobe:flash_player:8.0.24.0:::::::*
cpe:2.3:a:adobe:flash_player:8.0.34.0:::::::*
cpe:2.3:a:adobe:flash_player:8.0.35.0:::::::*
cpe:2.3:a:adobe:flash_player:8.0.39.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.16:::::::*
cpe:2.3:a:adobe:flash_player:9.0.18d60:::::::*
cpe:2.3:a:adobe:flash_player:9.0.20:::::::*
cpe:2.3:a:adobe:flash_player:9.0.20.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.28:::::::*
cpe:2.3:a:adobe:flash_player:9.0.28.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.31:::::::*
cpe:2.3:a:adobe:flash_player:9.0.31.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.45.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.47.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.112.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.114.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.115.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.124.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.155.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.159.0:::::::*
cpe:2.3:a:adobe:flash_player:9.125.0:::::::*
cpe:2.3:a:adobe:flash_player:10.0.0.584:::::::*
cpe:2.3:a:adobe:flash_player:10.0.12.10:::::::*
cpe:2.3:a:adobe:flash_player:10.0.12.36:::::::*
cpe:2.3:a:adobe:flash_player:10.0.22.87:::::::*
cpe:2.3:a:adobe:flash_player::::::::		10.0.32.18

Related information, measures and tools

No	URL	refsource	タグ
1	http://lists.apple.com/archives/security-announce/2010/Jan/msg00000.html	APPLE
2	http://lists.opensuse.org/opensuse-security-announce/2009-12/msg00003.html	SUSE
3	http://osvdb.org/60885	OSVDB
4	http://secunia.com/advisories/37584	SECUNIA	Vendor Advisory
5	http://secunia.com/advisories/37902	SECUNIA
6	http://secunia.com/advisories/38241	SECUNIA
7	http://securitytracker.com/id?1023306	SECTRACK
8	http://securitytracker.com/id?1023307	SECTRACK
9	http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021716.1-1	SUNALERT
10	http://support.apple.com/kb/HT4004	CONFIRM
11	http://www.adobe.com/support/security/bulletins/apsb09-19.html	CONFIRM	Patch Vendor Advisory
12	http://www.redhat.com/support/errata/RHSA-2009-1657.html	REDHAT
13	http://www.redhat.com/support/errata/RHSA-2009-1658.html	REDHAT	Patch
14	http://www.securityfocus.com/archive/1/508336/100/0/threaded	BUGTRAQ
15	http://www.securityfocus.com/bid/37199	BID
16	http://www.us-cert.gov/cas/techalerts/TA09-343A.html	CERT	US Government Resource
17	http://www.vupen.com/english/advisories/2009/3456	VUPEN	Patch Vendor Advisory
18	http://www.vupen.com/english/advisories/2010/0173	VUPEN
19	http://zerodayinitiative.com/advisories/ZDI-09-092/	MISC	Patch
20	https://bugzilla.redhat.com/show_bug.cgi?id=543857	CONFIRM
21	https://exchange.xforce.ibmcloud.com/vulnerabilities/54631	XF
22	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15948	OVAL
23	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7465	OVAL
24	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8686	OVAL

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-119	バッファエラー	https://cwe.mitre.org/data/definitions/118.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:adobe:adobe_air:1.0:::::::*
cpe:2.3:a:adobe:adobe_air:1.0.1:::::::*
cpe:2.3:a:adobe:adobe_air:1.1:::::::*
cpe:2.3:a:adobe:adobe_air:1.5.1:::::::*
cpe:2.3:a:adobe:adobe_air::::::::		1.5.2
cpe:2.3:a:adobe:flash_player:7.0:::::::*
cpe:2.3:a:adobe:flash_player:7.0.1:::::::*
cpe:2.3:a:adobe:flash_player:7.0.25:::::::*
cpe:2.3:a:adobe:flash_player:7.0.63:::::::*
cpe:2.3:a:adobe:flash_player:7.0.69.0:::::::*
cpe:2.3:a:adobe:flash_player:7.0.70.0:::::::*
cpe:2.3:a:adobe:flash_player:7.1:::::::*
cpe:2.3:a:adobe:flash_player:7.1.1:::::::*
cpe:2.3:a:adobe:flash_player:7.2:::::::*
cpe:2.3:a:adobe:flash_player:8::pro:::::
cpe:2.3:a:adobe:flash_player:8::professional:::::
cpe:2.3:a:adobe:flash_player:8.0:::::::*
cpe:2.3:a:adobe:flash_player:8.0::basic:::::
cpe:2.3:a:adobe:flash_player:8.0::pro:::::
cpe:2.3:a:adobe:flash_player:8.0.24.0:::::::*
cpe:2.3:a:adobe:flash_player:8.0.34.0:::::::*
cpe:2.3:a:adobe:flash_player:8.0.35.0:::::::*
cpe:2.3:a:adobe:flash_player:8.0.39.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.16:::::::*
cpe:2.3:a:adobe:flash_player:9.0.18d60:::::::*
cpe:2.3:a:adobe:flash_player:9.0.20:::::::*
cpe:2.3:a:adobe:flash_player:9.0.20.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.28:::::::*
cpe:2.3:a:adobe:flash_player:9.0.28.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.31:::::::*
cpe:2.3:a:adobe:flash_player:9.0.31.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.45.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.47.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.112.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.114.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.115.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.124.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.155.0:::::::*
cpe:2.3:a:adobe:flash_player:9.0.159.0:::::::*
cpe:2.3:a:adobe:flash_player:9.125.0:::::::*
cpe:2.3:a:adobe:flash_player:10.0.0.584:::::::*
cpe:2.3:a:adobe:flash_player:10.0.12.10:::::::*
cpe:2.3:a:adobe:flash_player:10.0.12.36:::::::*
cpe:2.3:a:adobe:flash_player:10.0.22.87:::::::*
cpe:2.3:a:adobe:flash_player::::::::		10.0.32.18