Updated 2nd June 2022 (IGEL OS 11.07.140 available)

First published 19th April 2022

CVSS 3.1 Base Score: 7.5 (High)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

Multiple vulnerabilities have been found in the Firefox ESR Browser. This affects the following IGEL products:

  • IGEL OS 11
  • IGEL OS 10

Details

The Firefox ESR Browser used in IGEL OS is affected by seven security issues rated as high. These include a browser window spoof using fullscreen mode (CVE-2022-26383) and a bypass of the iframe sandbox restriction on script execution (CVE-2022-26384). Another vulnerability is a time-of-check/time-of-use flaw in add-on signature verification: when installing an add-on, Firefox verifies the signature of the add-on file before prompting the user, but while the prompt is open the file on disk can be modified, and the modified file is then installed without being verified again (CVE-2022-26387). The remaining defects are memory-safety bugs. A full list of CVEs is available in the Mozilla advisories listed under "References".

Mitigation

CVE-2022-26387 can be mitigated by not installing new add-ons until a fixed version of Firefox ESR has been installed. No workaround is given for the other issues; they are addressed only by the updates below.

Update Instructions

  • IGEL OS 11: Update to IGEL OS version 11.07.140 or newer.
  • IGEL OS 10: Upgrade to IGEL OS version 11.07.140 or newer.

References