Heap Buffer Overflow Vulnerabilities in libwebp and libvpx

Priority: Moderate

Status: In Progress


First Published: 6 October 2023

Advisory Version: 1.2

References: CVE-2023-4863, CVE-2023-5217


Summary

Google recently announced heap buffer overflow vulnerabilities in certain versions of the libwebp and libvpx libraries.

The libwebp library decodes and renders images in the WebP file format. It is part of Google's Chrome web browser and is also built into many other applications and software frameworks that render WebP images. The libvpx library implements the VP8 and VP9 video coding formats and is widely used in content delivery.

These vulnerabilities (tracked as CVE-2023-4863 for libwebp and CVE-2023-5217 for libvpx) could allow an attacker who supplies crafted input (a malformed WebP image, or a malformed VP8/VP9 video stream, delivered directly or inside web content) to trigger a heap buffer overflow, potentially leading to malicious code execution or unauthorized access.

Affected Products

Vulnerable Products

Hitachi Vantara is currently investigating its product lines to determine whether any are affected by these vulnerabilities. If any products or solutions are found to be impacted, they will be listed in this section in subsequent updates to this advisory, together with mitigations or fixed release versions (where such information is available at the time). Likewise, any products or solutions confirmed not to be affected by these vulnerabilities will be listed in the section below.

NOTE: Cited product documentation, including product-specific Alerts and Technical Bulletins, is available to Hitachi Vantara customers logged into Support Connect.


Products Confirmed Not Vulnerable

* This is an ongoing investigation across all Hitachi Vantara product lines. Products listed here may be reclassified as vulnerable as their evaluation continues and as additional information about CVE-2023-4863 and CVE-2023-5217 is released.

Product                                   Notes / Fixed Release Version

Storage Systems

Hitachi Virtual Storage Platform VSP 5100, VSP 5100H, VSP 5500, VSP 5500H (VSP 5x00) RAID 900
    CVE-2023-4863: Not affected *
    CVE-2023-5217: Not affected *

Hitachi Virtual Storage Platform VSP 5200, VSP 5200H, VSP 5600, VSP 5600H (VSP 5x00) RAID 10K
    CVE-2023-4863: Not affected *
    CVE-2023-5217: Not affected *

SVP3 (i.e. storage arrays managed by the optional SVP3 hardware unit)
    CVE-2023-4863: Not affected *
    CVE-2023-5217: Not affected *

* Although an affected version of Microsoft Edge is part of the Windows 10 Enterprise LTSC 2021 operating system shipped with these products, the Edge browser is neither used by nor necessary for any function on the array.

Content Products

Hitachi Data Ingestor (HDI/HFSM)
    CVE-2023-4863: Not affected. Neither Google Chrome nor the libwebp library is used or embedded.
    CVE-2023-5217: Not affected. Neither Google Chrome nor the libvpx library is used or embedded.

Content Platform
    CVE-2023-4863: Not affected. Neither Google Chrome nor the libwebp library is used or embedded.
    CVE-2023-5217: Not affected. Neither Google Chrome nor the libvpx library is used or embedded.

Content Platform Anywhere
    CVE-2023-4863: Not affected. Neither Google Chrome nor the libwebp library is used or embedded.
    CVE-2023-5217: Not affected. Neither Google Chrome nor the libvpx library is used or embedded.

Content Platform Anywhere Enterprise
    CVE-2023-4863: Not affected. Neither Google Chrome nor the libwebp library is used or embedded.
    CVE-2023-5217: Not affected. Neither Google Chrome nor the libvpx library is used or embedded.

Content Platform S Series
    CVE-2023-4863: Not affected. Neither Google Chrome nor the libwebp library is used or embedded.
    CVE-2023-5217: Not affected. Neither Google Chrome nor the libvpx library is used or embedded.

HCP for Cloud Scale
    CVE-2023-4863: Not affected. Neither Google Chrome nor the libwebp library is used or embedded.
    CVE-2023-5217: Not affected. Neither Google Chrome nor the libvpx library is used or embedded.

Content Intelligence
    CVE-2023-4863: Not affected. Neither Google Chrome nor the libwebp library is used or embedded.
    CVE-2023-5217: Not affected. Neither Google Chrome nor the libvpx library is used or embedded.

Hitachi Content Software for File
    CVE-2023-4863: Not affected. Neither Google Chrome nor the libwebp library is used or embedded.
    CVE-2023-5217: Not affected. Neither Google Chrome nor the libvpx library is used or embedded.

Software Products

Hitachi Virtual Storage Software Block (VSSB)
    CVE-2023-4863: Not affected. Neither Google Chrome nor the libwebp library is used or embedded.
    CVE-2023-5217: Not affected. Neither Google Chrome nor the libvpx library is used or embedded.

Recommended Actions

Please continue to check this Security Advisory, as new information will be added to it as it becomes available.
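The per-product statements in this advisory all come down to one question that readers must answer for systems Hitachi Vantara does not cover: is libwebp or libvpx used or embedded, and at what version? The following POSIX shell script is an added example; it is not part of this advisory and is not a Hitachi Vantara tool. It lists shared copies registered with the dynamic loader, flags binaries under the given directories that reference libwebp or libvpx API symbols (a heuristic for statically embedded copies, which package lists miss), and compares a version string against the upstream releases that shipped the fixes. The fixed versions (libwebp 1.3.2 for CVE-2023-4863, libvpx 1.13.1 for CVE-2023-5217) are taken from the upstream release announcements and are not stated in this advisory; the symbol list, the default search directories and the script name are assumptions.

```shell
#!/bin/sh
# check_webp_vpx.sh: added example, not part of the advisory.
# Inventory a Linux host for libwebp / libvpx and compare versions found
# with the upstream releases that shipped the fixes. The fixed versions
# below come from the upstream release notes (assumption: they are the
# only versions you care about; distributions may backport the fix to
# older version numbers, see the note after the script).
FIXED_LIBWEBP=1.3.2    # CVE-2023-4863 (libwebp)
FIXED_LIBVPX=1.13.1    # CVE-2023-5217 (libvpx)

# version_lt A B: exit 0 when dotted version A is older than B.
# Each component is compared numerically; a trailing non-numeric suffix
# such as "2-1ubuntu1" in "1.3.2-1ubuntu1" is ignored for that component.
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# assess LIB VERSION: prints "vulnerable", "fixed" or "unknown" (for a
# library this script does not know about).
assess() {
    case $1 in
        libwebp) fixed=$FIXED_LIBWEBP ;;
        libvpx)  fixed=$FIXED_LIBVPX ;;
        *)       echo unknown; return 0 ;;
    esac
    if version_lt "$2" "$fixed"; then echo vulnerable; else echo fixed; fi
}

# inventory [DIR...]: first the shared copies the dynamic loader knows
# about, then every regular file under DIR (default: /usr/bin /usr/lib
# /opt, an assumption) that references libwebp or libvpx API symbols.
# A "references:" hit means the file either links the library dynamically
# or carries an embedded copy; the version of an embedded copy has to be
# confirmed from the build's SBOM or source tree, which this cannot do.
inventory() {
    [ $# -eq 0 ] && set -- /usr/bin /usr/lib /opt
    if command -v ldconfig >/dev/null 2>&1; then
        ldconfig -p 2>/dev/null | grep -E 'libwebp|libvpx' \
            | sed 's/^[[:space:]]*/shared: /' || true
    fi
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -exec grep -l -a -E \
            'WebPDecode|WebPGetDecoderVersion|vpx_codec_dec_init|vpx_codec_version' {} + 2>/dev/null \
            | sed 's/^/references: /' || true
    done
}

# Usage: sh check_webp_vpx.sh DIR...      (no arguments: only define functions,
# so the file can be sourced). Example of checking a package-manager version,
# package name varies by distribution:
#   assess libwebp "$(dpkg-query -W -f='${Version}' libwebp7 2>/dev/null)"
if [ $# -gt 0 ]; then
    inventory "$@"
fi
```

Two caveats when reading the output. First, Linux distributions frequently backport a fix without changing the upstream version number, so a package-manager version reported as "vulnerable" is a prompt to check the distribution's own advisory for that package, not a final verdict. Second, a "references:" hit on a binary that is not linked against a shared libwebp or libvpx almost always means a statically embedded copy (this is how Chrome-derived and many cross-platform applications ship these libraries), and its version can only be established from the application's own release notes, SBOM or source.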


If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center or your Hitachi Vantara-authorized service and support provider.

The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.
