ISN 2024-08: Firefox ESR Vulnerabilities
First published 26 March 2024
CVSS 3.1: 9.8 (critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Multiple security vulnerabilities have been found in the Firefox ESR web browser used in IGEL OS. This affects the following IGEL products:
- IGEL OS 12
- IGEL OS 11
Details
Among the vulnerabilities found, one is rated as critical: an attacker was able to inject an event handler into a privileged object, which could allow arbitrary JavaScript execution in the privileged parent process and therefore arbitrary code execution (CVE-2024-29944).
In addition, several issues rated as high have been identified. Integer overflows in several methods could have under-allocated an output buffer, leading to an out-of-bounds write (CVE-2024-2608). When data stored on a networking channel was re-accessed, buffer lengths could have been confused, resulting in an out-of-bounds memory read (CVE-2024-1546). ICU attempted to continue after running out of memory, leaving it open to exploitation through resource exhaustion; it now crashes instead (CVE-2024-2616). An unchecked return value in NSS TLS handshake code could have caused a potentially exploitable crash (CVE-2024-0743). Through a series of API calls and redirects, an attacker-controlled alert dialog could have been displayed while another site's URL was shown, enabling spoofing (CVE-2024-1547). The remaining entries are memory safety bugs that showed evidence of memory corruption and could presumably have been exploited to run arbitrary code (CVE-2024-1553, CVE-2024-2614).
Update Instructions
- OS 12: Update the OS 12 Firefox ESR App to version 115.9.1 when it is available on the IGEL App Portal.
- OS 11: Update to IGEL 11.09.310 when it is available.
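As an added example (not part of the IGEL notice), a POSIX shell check that decides whether the Firefox ESR build reported by the browser already contains the fix, i.e. is at or above 115.9.1. It assumes the browser is on PATH as `firefox` and that `firefox --version` prints a banner of the form `Mozilla Firefox 115.9.1esr`; both the command name and the banner format are assumptions, and the sample banners in the block are constructed, not captured from an IGEL device.

```shell
# Added example, not from the IGEL notice: check whether the installed Firefox ESR
# is at or above 115.9.1, the release that contains the fix for CVE-2024-29944.
# Assumptions: the browser is on PATH as "firefox" and "firefox --version" prints
# a banner such as "Mozilla Firefox 115.9.1esr" (both assumed, not taken from IGEL).

FIXED_VERSION="115.9.1"

# Extract the dotted version from the banner; prints nothing if the banner
# does not match the expected format.
parse_firefox_version() {
    printf '%s\n' "$1" | sed -n 's/^Mozilla Firefox \([0-9][0-9.]*\).*$/\1/p'
}

# Compare two dotted versions field by field as integers, so that 115.10.0
# sorts above 115.9.1 (a plain string comparison would get this wrong).
# Prints -1, 0 or 1 when $1 is lower than, equal to, or higher than $2.
compare_versions() {
    v1="$1" v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        f1=${v1%%.*}; f2=${v2%%.*}
        case "$v1" in *.*) v1=${v1#*.};; *) v1="";; esac
        case "$v2" in *.*) v2=${v2#*.};; *) v2="";; esac
        f1=${f1:-0}; f2=${f2:-0}             # missing trailing fields count as 0
        if [ "$f1" -lt "$f2" ]; then printf '%s\n' -1; return; fi
        if [ "$f1" -gt "$f2" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Succeeds (exit 0) when the banner reports a version that already contains the fix.
# Fails when the version is older or the banner cannot be parsed, so an unexpected
# output format is treated as "not verified" rather than silently as fixed.
firefox_has_fix() {
    v=$(parse_firefox_version "$1")
    [ -n "$v" ] || return 1
    [ "$(compare_versions "$v" "$FIXED_VERSION")" -ge 0 ]
}

# Constructed sample banners so the check runs offline; on a device use
#   firefox_has_fix "$(firefox --version)"
for banner in "Mozilla Firefox 115.8.0esr" "Mozilla Firefox 115.9.1esr"; do
    if firefox_has_fix "$banner"; then
        echo "$banner: contains the ISN 2024-08 fix"
    else
        echo "$banner: VULNERABLE, update required"
    fi
done
```

The numeric field-by-field comparison matters because a later ESR such as 115.10.x would be misjudged as older than 115.9.1 by a plain string compare; an unparsable banner deliberately fails the check rather than passing it.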