ISN 2024-03: Firefox ESR Vulnerabilities

First published 31 January 2024

CVSS 3.1: 8.8 (High)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

Multiple security vulnerabilities have been found in the Firefox ESR web browser used in IGEL OS. This affects the following IGEL products:

• IGEL OS 11

Details

The WebGL DrawElementsInstanced method in Firefox ESR is susceptible to a heap buffer overflow when used on systems with the Mesa VM driver (typically used when running on VMware virtualization). This issue is rated high, as it could allow an attacker to perform remote code execution and sandbox escape (CVE-2023-6856). Additionally, ownership mismanagement leads to a use-after-free in ReadableByteStreams that is also rated as high (CVE-2023-6207).

Apart from that, multiple memory management vulnerabilities have been found that are rated as medium.

Update Instructions

• IGEL OS 11: IGEL is preparing an IGEL OS 11 release with an updated Firefox ESR version.

References

• https://nvd.nist.gov/vuln/detail/CVE-2023-6856
• https://nvd.nist.gov/vuln/detail/CVE-2023-6207
• https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/
• https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
• https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/