Updated 19th October 2023 (Citrix Self-Service compatibility)

First published 18th October 2023

CVSS 3.1: 9.8 (Critical)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Multiple vulnerabilities have been discovered in the WebKit browser engine. They affect the following IGEL products:

  • IGEL OS 12
  • IGEL OS 11

Details

Multiple vulnerabilities have been found in WebKit. They could allow a remote attacker to execute arbitrary code on the local operating system when the user visits malicious web content. One vulnerability (CVE-2023-41993) is graded as critical, and Apple is aware of a report that it may have been actively exploited. The other two issues (CVE-2023-39928, CVE-2023-41074) are graded as high.

Update Instructions

  • OS 12: Update to OS 12 base system version 12.2.1 (scheduled for 26 October 2023)
  • OS 11: Update to OS 11.09.110

    For reasons of compatibility with Citrix Self-Service, the Citrix Workspace App in OS 11.09.110 uses an older WebKit version that is affected by these vulnerabilities. However, the risk is mitigated by the fact that Citrix Self-Service does not open arbitrary web pages, but only pages from the customer’s Citrix infrastructure. The rest of the system uses the updated WebKit with the security fixes.

References