Advisory: libwebp critical vulnerability

Sophos Security Advisory

MoritzGrimm

Summary

Overview

On Wednesday, September 13, 2023, the WebP project released version 1.3.2 of libwebp, which contains a fix for a critical-severity vulnerability (CVE-2023-4863). The vulnerability has been exploited in some industry applications, but we have no indication at this point that any Sophos products are affected.

libwebp is a codec library for handling WebP media streams. It is integrated in, among other software, the Chrome browser and all its derivatives, so a large number of industry applications are potentially affected by this vulnerability.

Patches for libwebp

The fix is included in the following releases:

What Sophos products are affected?

Sophos is reviewing and patching all affected applications and services as part of its incident response process.

Product or Service                                  | Status              | Description
--------------------------------------------------- | ------------------- | ----------------------------------
Sophos Cloud Optix                                  | Not affected        | Component not present
Sophos Appliance Manager                            | Under investigation |
SG UTM (all versions)                               | Not affected        | Component not present
Sophos Central                                      | Not affected        |
Sophos Endpoint protection (Windows)                | Not affected        | Component not present
Sophos Endpoint protection (macOS)                  | Under investigation |
Sophos Endpoint protection (Linux)                  | Not affected        | Vulnerable code not in execute path
Sophos Email                                        | Not affected        | Component not present
Sophos Firewall (all versions)                      | Not affected        | Component not present
SophosConnect client                                | Not affected        | Component not present
Sophos Home (Windows)                               | Not affected        | Component not present
Sophos Home (macOS)                                 | Under investigation |
Sophos Mobile                                       | Not affected        | Component not present
Sophos Mobile EAS Proxy                             | Not affected        | Component not present
Sophos Mobile Control app (iOS + Android)           | Not affected        | Component not present
Sophos Intercept X for Mobile app (iOS + Android)   | Not affected        | Component not present
Sophos Secure Email app (iOS + Android)             | Not affected        | Component not present
Sophos Secure Workspace app (iOS + Android)         | Not affected        | Component not present
Sophos Chrome Security                              | Not affected        | Component not present
Sophos PhishThreat                                  | Not affected        | Component not present
Sophos RED                                          | Not affected        | Component not present
Sophos AP/APX                                       | Not affected        | Component not present
Sophos Wireless                                     | Not affected        | Component not present
Sophos ZTNA                                         | Not affected        | Component not present
Sophos Switch                                       | Not affected        | Component not present
Sophos Central Managed APX                          | Not affected        | Component not present
SophosLabs Intelix                                  | Not affected        | Component not present
Sophos SASI (AntiSpam)                              | Not affected        | Component not present
SAV DI                                              | Not affected        | Component not present
SUSI                                                | Not affected        | Component not present
AV Engine (all platforms)                           | Not affected        | Component not present

Other products and services

Any other products or services not listed above are still under investigation. Sophos will publish updated information as it becomes available.

Severity: Informational
Publication ID: sophos-sa-20231002-libwebp-vuln
Workaround: No
Products: Cloud Optix, Intercept X Endpoint, Intercept X for Server, Sophos Central, Sophos Connect Client 2.0, Sophos Email, Sophos Email Appliance (SEA), Sophos Firewall, Sophos Home, Sophos Mobile, Sophos RED, Sophos Switch, Sophos UTM, Sophos Wireless, Sophos ZTNA, SophosLabs Intelix
CVE: CVE-2023-4863
Article Version: 1
