Previously misidentified as two lower-level vulnerabilities CVE-2023-41064 and CVE-2023-4863, thought to be vulnerabilities in Apple iOS and Chrome, respectively, turn out to have the same root cause in libweb, which is now identified as CVE-2023-5129 and has a CVSS base score of 10.0.
libweb is an image processing library used in a wide range of products across multiple operating systems. Expect a wide range of patches for this one, including every browser, Electron apps such as Slack, Teams, and VSCode, as well as most operating systems and mobile devices.
At this time, we have not identified any methods to “globally” scan for / identify applications that have been compiled with libwebp, nor have we found any community tools that can help in this area.
We will, as always, publish patch updates for all of the operating systems and applications supported by BigFix - so watch for new patch fixlet content as they are announced.
Expect updates for all browsers, and at least Electron apps that we support (including MS Teams, Slack, VS Code, etc.)
We have some basic reporting keying off browser versions to identify vulnerable versions, has anyone coded anything any a little more comprehensive, more specifically detection of the libwebp libraries ?
Are there any scanners out there similar to Log4j ?
On the *nix side: (Bear in mind im not a *nix admin so take this with a grain of salt)
Red Hat Insights also seems to be able to do some scans for installed packages known to be vulnerable based on package version.