Kingdom: Environment

This section includes everything that is outside of the source code but is still critical to the security of the product being created. Because the issues covered by this kingdom are not directly related to source code, it is separated from the rest of the kingdoms.

Flash Misconfiguration: Vulnerable Flash Engine

Abstract
Use of deprecated and vulnerable technology can enable attackers to compromise the target by exploiting known vulnerabilities against the detected server.
Explanation
Adobe Flash has been associated with multiple vulnerabilities since its inception, many of which can lead to Remote Code Execution and Cross-Site Scripting attacks that compromise user and/or system data and privacy.

Adobe has deprecated Flash with an end-of-life set to the end of 2020. Many browsers have already disabled Adobe Flash support by default, for example, starting in Chrome 76 and Firefox 69. Furthermore, starting in December 2020, Chrome, Firefox, and Microsoft Edge will completely eliminate support for Flash.
Using a deprecated, possibly vulnerable version of the player to execute an application introduces unnecessary risk. Consider updating your application to replace Adobe Flash with safer alternative technologies that provide similar functionality, such as HTML5, WebGL, and WebAssembly. Using such alternatives is critical to protecting users from known player vulnerabilities, including Cross-Site Scripting and Remote Code Execution on the client machine.
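As an added example (not part of the original page), the following Python check flags the markup that loads a Flash engine in a served HTML document, so remaining SWF content can be inventoried and replaced; the sample page is constructed, and the detection heuristics (the Flash MIME type, `.swf` resources, and the Flash Player ActiveX classid) are this example's own assumptions.

```python
"""Flag Flash (SWF) embeds in an HTML document so they can be replaced."""
from html.parser import HTMLParser

FLASH_MIME = "application/x-shockwave-flash"
# Well-known ActiveX class id of the Flash Player control (compared lowercased).
FLASH_CLSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"


def _is_swf(url):
    """True when the URL's path (query string ignored) ends in .swf."""
    return bool(url) and url.split("?", 1)[0].lower().endswith(".swf")


class FlashEmbedFinder(HTMLParser):
    """Collect (line, tag, reason) for every tag that loads Flash content."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag == "object" and a.get("classid", "").lower() == FLASH_CLSID:
            self.findings.append((line, tag, "Flash Player classid"))
        elif tag in ("object", "embed") and a.get("type", "").lower() == FLASH_MIME:
            self.findings.append((line, tag, "Flash MIME type"))
        elif tag in ("object", "embed") and _is_swf(a.get("data") or a.get("src")):
            self.findings.append((line, tag, ".swf resource"))
        elif tag == "param" and a.get("name", "").lower() == "movie" and _is_swf(a.get("value")):
            self.findings.append((line, tag, "movie param points to .swf"))


def find_flash_embeds(html):
    """Parse the document and return all Flash-related findings in source order."""
    parser = FlashEmbedFinder()
    parser.feed(html)
    return parser.findings


# Constructed sample page (not from the original): one Flash object with two
# Flash-loading children, plus an HTML5 video element that must not be flagged.
SAMPLE_HTML = """<html><body>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="400" height="300">
  <param name="movie" value="/media/player.swf?v=3">
  <embed src="/media/player.swf" type="application/x-shockwave-flash">
</object>
<video src="/media/intro.mp4" controls></video>
</body></html>"""

if __name__ == "__main__":
    for line, tag, why in find_flash_embeds(SAMPLE_HTML):
        print(f"line {line}: <{tag}> {why}")
```

The same check can be run over responses captured during a scan; a `Content-Type` of `application/x-shockwave-flash` on a response is a further signal that Flash content is still being served.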
References
[1] Flash and The Future of Interactive Content
[2] CVE Details Mitre
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 937
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3
[20] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
desc.dynamic.actionscript.flash_misconfiguration_vulnerable_flash_engine