
Security bulletin

Security update available for Flash Media Server

Release date: December 18, 2009

Last updated: January 28, 2010

Vulnerability identifier: APSB09-18

CVE number: CVE-2009-3791, CVE-2009-3792

Platform: All Platforms

Summary

Critical vulnerabilities have been identified in Adobe Flash Media Server (FMS) 3.5.2 and earlier versions. The vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system. Adobe has provided a solution for the reported vulnerabilities. It is recommended that users update their installations using the instructions provided below.

Affected software versions

Flash Media Server 3.5.2 and earlier versions

Solution

Adobe recommends Flash Media Server (FMS) users install FMS version 3.5.3 available here: http://www.adobe.com/support/flashmediaserver/downloads_updaters.html.

For customers who cannot upgrade to Flash Media Server version 3.5.3, Adobe has provided the Flash Media Server 3.0.5 update, available here: http://www.adobe.com/support/flashmediaserver/downloads_updaters.html.

Severity rating

Adobe categorizes this as a critical update and recommends that users apply the update for their product installations.

Details

Critical vulnerabilities have been identified in Adobe Flash Media Server (FMS) 3.5.2 and earlier versions. The vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system. Adobe has provided a solution for the reported vulnerabilities. It is recommended that users update their installations using the instructions provided above.

This update resolves a resource exhaustion vulnerability that could lead to a Denial of Service (DoS) (CVE-2009-3791).

This update resolves a directory traversal vulnerability that could lead to FMS loading arbitrary DLLs present on the server (CVE-2009-3792).

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

Revisions

January 28, 2010 - Bulletin updated regarding FMS v3.0.5 release information.
December 18, 2009 - Bulletin released.