ISN 2024-13: Firefox ESR Vulnerabilities
First published 18 June 2024
CVSS 3.1: 7.5 (high)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Multiple security vulnerabilities have been found in the Firefox ESR web browser used in IGEL OS. This affects the following IGEL products:
IGEL OS 12
IGEL OS 11
Details
A vulnerability has been discoveres in PDF.js, the component Firefox uses to render PDF files: JavaScript embedded into the PDF document is executed in the context of the hosting domain (CVE-2024-4367, high). In IGEL OS 11 this is already mitigated by the fact that Firefox ESR opens PDF files in the external PDF viewer, but the Firefox ESR App for OS 12 is fully affected.
Further issues rated high were found in the JIT component: GetBoundName returning the wrong object (CVE-2024-3852), an out-of-bounds-read occurring after a mis-optimized switch statement (CVE-2024-3854), and potential use-after-free crashes during garbage collection (CVE-2024-3857). Additionally, a memory safety bug came to light, which showed evidence of memory corruption and could potentially be exploited to run arbitrary code (CVE-2024-3864, high).
Update Instructions
OS 12: Update to the Firefox ESR app version 115.11 or newer when it is available in the App Portal.
OS 11: Update to the upcoming IGEL OS 11.10.150.
References
MFSA 2024-22: https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/
Github-reviewed Advisory for CVE-2024-4367: https://github.com/advisories/GHSA-wgrm-67xf-hhpq
MFSA 2024-19: https://www.mozilla.org/en-US/security/advisories/mfsa2024-19/