The team is tracking a critical vulnerability described at https://nvd.nist.gov/vuln/detail/CVE-2023-5129
Previously misidentified as two lower-level vulnerabilities CVE-2023-41064 and CVE-2023-4863, thought to be vulnerabilities in Apple iOS and Chrome, respectively, turn out to have the same root cause in libweb, which is now identified as CVE-2023-5129 and has a CVSS base score of 10.0.
libweb is an image processing library used in a wide range of products across multiple operating systems. Expect a wide range of patches for this one, including every browser, Electron apps such as Slack, Teams, and VSCode, as well as most operating systems and mobile devices.
More to come.
Any more info to share?
At this time, we have not identified any methods to “globally” scan for / identify applications that have been compiled with libwebp, nor have we found any community tools that can help in this area.
We will, as always, publish patch updates for all of the operating systems and applications supported by BigFix - so watch for new patch fixlet content as they are announced.
Expect updates for all browsers, and at least Electron apps that we support (including MS Teams, Slack, VS Code, etc.)
That, atleast, matches with what i have figured out.
Thanks for the feedback @JasonWalker
For anyone else that finds this, this list is not exhaustive but its atleast a list of things to watch for.
This has been rejected as a Duplicate of https://nvd.nist.gov/vuln/detail/CVE-2023-4863
We have some basic reporting keying off browser versions to identify vulnerable versions, has anyone coded anything any a little more comprehensive, more specifically detection of the libwebp libraries ?
Are there any scanners out there similar to Log4j ?
Not a Scanner but:
On the *nix side: (Bear in mind im not a *nix admin so take this with a grain of salt)
Red Hat Insights also seems to be able to do some scans for installed packages known to be vulnerable based on package version.
This can also be setup in Puppet or other tools.