ISN 2023-20: Firefox Libwebp Vulnerability
Updated 27 September 2023 (fix version, add CVE-2023-5129)
First published 14 September 2023
CVSS 3.1: 10.0 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
A critical vulnerability has been found in the Firefox web browser. This affects the following IGEL products:
- IGEL OS 11
Details
A zero-day critical heap buffer overflow vulnerability has been found in the WebP library (libwebp) used by Firefox. The vulnerability is tracked as CVE-2023-4863 and CVE-2023-5129. Apple’s Security Engineering and Architecture (SEAR) and The Citizen Lab, who reported it, are not publishing technical details because the vulnerability has been exploited in the wild and they want to give users time to update their browsers.
Update Instructions
- OS 11: Update to IGEL OS 11.09.100 (planned for 5 October 2023) with an updated Firefox.
References
- CVE-2023-4863 - https://nvd.nist.gov/vuln/detail/CVE-2023-4863
- CVE-2023-5129 - https://nvd.nist.gov/vuln/detail/CVE-2023-5129
- Mozilla’s advisory - https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/