Google Chrome < 38.0.2125.104 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 8551

Synopsis

The remote host has a web browser installed that is unpatched for multiple vulnerabilities.

Description

In addition to missing the security updates to Google V8 Javascript engine, versions of Google Chrome prior to 38.0.2125.104 are vulnerable to the following issues:

- A flaw exists in V8 and IPC that can lead to remote code execution. (CVE-2014-3188)

- Out-of-bounds read errors exist in PDFium. (CVE-2014-3189, CVE-2014-3198)

- Use-after-free errors exist in Events, Rendering, DOM, and Web Workers. (CVE-2014-3190, CVE-2014-3191, CVE-2014-3192, CVE-2014-3194)

- A type confusion error exists in Session Management. (CVE-2014-3193)

- Information leak vulnerabilities exist in the V8 JavaScript engine and the XSS Auditor. (CVE-2014-3195, CVE-2014-3197)

- A security bypass vulnerability exists in the Windows Sandbox. (CVE-2014-3196)

- An error exists related to assertion of bindings in the V8 JavaScript engine. (CVE-2014-3199)

- Multiple unspecified vulnerabilities exist. (CVE-2014-3200)

Note that while version 38.0.2125.101 contains fixes for these issues, it does not include security updates for the built-in Adobe Flash engine, which is released with version 38.0.2125.104.

Solution

Update the Chrome browser to 38.0.2125.104, or later. (Version 38.0.2125.101 fixes all of these vulnerabilities but does not include updates to the built-in Flash engine.)

See Also

http://googlechromereleases.blogspot.com/2014/10/stable-channel-update_14.html

http://googlechromereleases.blogspot.com/2014/10/stable-channel-update.html

Plugin Details

Severity: High

ID: 8551

Family: Web Clients

Published: 2014/10/15

Modified: 2016/01/19

Dependencies: 4645

Nessus ID: 78080, 78081

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 8.1

Temporal Score: 7.7

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:google:chrome

Patch Publication Date: 2014/10/14

Vulnerability Publication Date: 2014/10/07

Reference Information

CVE: CVE-2014-3188, CVE-2014-3189, CVE-2014-3190, CVE-2014-3191, CVE-2014-3192, CVE-2014-3193, CVE-2014-3194, CVE-2014-3195, CVE-2014-3196, CVE-2014-3197, CVE-2014-3198, CVE-2014-3199, CVE-2014-3200, CVE-2014-7967

BID: 70262, 70273, 70587