Vulnerability to libwebp (CVE-2023-4863)

10-02-2023 04:11 AM
Menno_Schepel
New Contributor

Is anything known about possible vulnerability of the ArcGIS Enterprise platform for CVE-2023-4863 (0 day libwebp)?

I know that the webp format can be used (at least in Data Interop) and maybe also within other components, so I guess the libwebp library is somewhere in the code (dependency?), which would mean that it's vulnerable.

4 Replies
A_Wyn_Jones
Esri Contributor

@Menno_Schepel Please report this via https://trust.arcgis.com/en/security-concern/

This will ensure the security team and associated developers can see your concern and supply an answer. 

If you have an ArcGIS Online account - you can log in to https://trust.arcgis.com/en/customer-documents/ and view further information regarding CVEs. 

RandallWilliams
Esri Regular Contributor

Esri is aware of CVE-2023-4863, which has recently seen broad media attention due to the impact to the commonly leveraged image library libwebp. 

We are also tracking CVE-2023-5217, which has not attracted as much media attention.  

The libwebp library is used to process images created in the webp image format.  

CVE-2023-4863 is known to have been exploited in the wild by an attacker tricking a victim into opening an HTML page that contains a specifically crafted webp image, triggering a buffer overflow.  

CVE-2023-5217 is a similar issue, found in libvpx.  

The libvpx library is used to process videos created with the VPX codec.

CVE-2023-5217 is also known to have been exploited in the wild.  

We are investigating the impact of these vulnerabilities in these 3rd party components in our software. We encourage you to subscribe to the RSS feed on the ArcGIS Trust Center for the latest as it becomes available.
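
As an added example, not code from this thread or from Esri: a small defender-side inventory script that loads the system libwebp and libvpx through ctypes, asks each for its packed version (WebPGetDecoderVersion and vpx_codec_version both pack major<<16 | minor<<8 | patch) and compares it against the first upstream releases carrying the fixes, libwebp 1.3.2 for CVE-2023-4863 and libvpx 1.13.1 for CVE-2023-5217 (those fixed-version numbers come from the upstream releases, not from this thread). It assumes the libraries are on the dynamic loader's search path; copies bundled inside a product's own installation directory, as a scanner like the one mentioned below would find, must be checked there separately.

```python
import ctypes
import ctypes.util
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First upstream releases that contain the fixes for the two CVEs in the thread.
FIXED_VERSIONS: Dict[str, Version] = {
    "webp": (1, 3, 2),   # CVE-2023-4863 (libwebp lossless decoder overflow)
    "vpx": (1, 13, 1),   # CVE-2023-5217 (libvpx VP8 encoder overflow)
}

# Exported function that returns the packed version for each library.
VERSION_SYMBOL = {"webp": "WebPGetDecoderVersion", "vpx": "vpx_codec_version"}


def unpack_version(packed: int) -> Version:
    """Both libraries pack their version as major<<16 | minor<<8 | patch."""
    return ((packed >> 16) & 0xFF, (packed >> 8) & 0xFF, packed & 0xFF)


def is_patched(lib: str, version: Version) -> bool:
    """True when the installed version is at or past the first fixed release."""
    return version >= FIXED_VERSIONS[lib]


def query_version(lib: str, symbol: str) -> Optional[Version]:
    """Load lib<name> from the loader path and call its version symbol; None if absent."""
    path = ctypes.util.find_library(lib)
    if path is None:
        return None
    handle = ctypes.CDLL(path)
    func = getattr(handle, symbol)
    func.restype = ctypes.c_int
    return unpack_version(func())


def audit() -> Dict[str, Optional[Tuple[Version, bool]]]:
    """Map each library name to (version, patched?) or None when not installed."""
    return {
        lib: (lambda v: None if v is None else (v, is_patched(lib, v)))(
            query_version(lib, VERSION_SYMBOL[lib]))
        for lib in FIXED_VERSIONS
    }


if __name__ == "__main__":
    for lib, result in audit().items():
        if result is None:
            print(f"lib{lib}: not found on the loader path")
        else:
            version, ok = result
            print(f"lib{lib}: {'.'.join(map(str, version))} -> "
                  f"{'patched' if ok else 'below fixed release, update'}")
```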

JVig
New Contributor III

I am also wondering if this vulnerability is something we need to be worried about. We have run a tool to scan our AWS infrastructure and all of the nodes containing Esri Arc Server software (version 10.9.1) have been flagged as vulnerable. These nodes have nothing installed on them aside from ArcGIS server, ArcGIS Pro, the Webadaptor, and Mozilla Firefox. Other than that, they are barebones machines.

I started a ticket with Support yesterday regarding this, but I was directed here. I was hoping to be able to comment on any updates to this situation, as we are actively addressing it.

One final note that I found interesting: I have an Arc Enterprise ecosystem as well, split between 8 different nodes using CloudFormation templates; however, these were not flagged.

RandallWilliams
Esri Regular Contributor

Esri's current statement regarding LibWebP is:

Esri utilizes the LibWebP library in a number of products, however they have not been demonstrated as exploitable at this time. Out of an abundance of caution, all products utilizing the LibWebP component will be updated as part of the next product release. Patches for older versions will be considered for products where there is additional risk identified.