ISN 2023-32: Chromium Vulnerabilities

Updated 16 January 2024 (fixed versions)

First published 12 December 2023

CVSS 3.1: 8.3 (High)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F

Summary

Multiple security vulnerabilities have been found in the Chromium web browser used in IGEL OS. This affects the following IGEL products:

  • IGEL OS 12
  • IGEL OS 11

Details

An integer overflow has been found in Skia, Chromium’s 2D graphics library, that could allow a remote attacker to escape the sandbox via a malicious file. Google reports that an exploit for this issue is being used in the wild; the vulnerability (CVE-2023-6345) is rated high. Six further issues rated high, which concern memory management, have also been reported.

Update Instructions

  • OS 12: An updated Chromium app is available from the IGEL App Portal.
  • OS 11: Update to private build 11.09.151, which is available on request from IGEL Support, or to IGEL OS 11.09.160, which is publicly available.
