A newly discovered critical WebP 0-day security vulnerability, identified as CVE-2023-4863

CloudLinux OS team

We are actively addressing and mitigating the security issue within our software.
To summarize the impact on different CloudLinux versions:
Critical vulnerabilities triggered by improperly crafted WebP images, affecting not only the Chrome browser but also Google's webmproject/libwebp library, have recently been identified at The University of Toronto's Munk School.
The impact of the libwebp vulnerability goes beyond web browsers and Chrome-based applications such as 1Password for macOS. This is of particular concern because libwebp is widely used across operating systems and popular application frameworks to render .webp images, including the widely used Electron framework. Consequently, the vulnerability also reaches commonly used software such as Pillow, ffmpeg, and GIMP.
To exploit this vulnerability, an attacker uses a maliciously crafted lossless .webp file that triggers an overflow in the vulnerable library. This can crash the application or lead to remote arbitrary code execution, especially in web browsers built against this library.
Update the library to the following versions from the AlmaLinux appstream repository:
For a manual update, run:
yum update libwebp --enablerepo=appstream
It is crucial to address this vulnerability promptly by updating libwebp to ensure the security and stability of your system.
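One check worth running after the update above: the new libwebp.so only protects processes started after it was installed, and any long-running process that already had the old library mapped (an image-processing worker, for example) keeps executing the vulnerable code until it is restarted. The following script is an added example, not part of the CloudLinux advisory; it assumes a Linux /proc layout and the `ps` utility, and the sample maps lines are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the CloudLinux advisory). When the libwebp package
# is updated, the old .so files are unlinked, and the kernel marks any process
# still mapping them with "(deleted)" in /proc/PID/maps. Finding those
# mappings tells the operator which services need a restart.

# Input on stdin: records "PID<TAB><one /proc/PID/maps line>".
# Output: sorted PIDs that still map a replaced library shipped by the
# libwebp package (libwebp.so, libwebpdemux.so, libwebpmux.so).
stale_libwebp_pids() {
    awk -F'\t' '$2 ~ /\/libwebp[^ ]*\.so[^ ]* \(deleted\)$/ { seen[$1] = 1 }
                END { for (p in seen) print p }' | sort -n
}

# Emit "PID<TAB>maps line" for every readable process. Without root only the
# caller's own processes are readable; unreadable or vanished ones are skipped.
collect_maps() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        while IFS= read -r line; do
            printf '%s\t%s\n' "$pid" "$line"
        done 2>/dev/null < "$m"
    done
}

# Append the process name so the operator knows which service to restart.
with_names() {
    while IFS= read -r pid; do
        printf '%s\t%s\n' "$pid" "$(ps -o comm= -p "$pid" 2>/dev/null)"
    done
}

# Constructed sample resembling /proc/PID/maps output: PIDs 4242 and 6161
# still map the replaced (deleted) libraries, PID 5151 already has the new one.
SAMPLE_MAPS=$(printf '%s\t%s\n' \
  4242 '7f3a1c000000-7f3a1c04a000 r-xp 00000000 fd:00 131 /usr/lib64/libwebp.so.7.0.2 (deleted)' \
  5151 '7f9b20000000-7f9b2004a000 r-xp 00000000 fd:00 987 /usr/lib64/libwebp.so.7.0.2' \
  6161 '7fc000000000-7fc000020000 r-xp 00000000 fd:00 555 /usr/lib64/libwebpdemux.so.2.0.8 (deleted)')

main() {
    if [ "${1:-}" = "--demo" ]; then
        printf '%s\n' "$SAMPLE_MAPS" | stale_libwebp_pids      # prints 4242 and 6161
    else
        collect_maps | stale_libwebp_pids | with_names          # live scan of this host
    fi
}
main "$@"
```

Run it as root after `yum update libwebp` to see every process that needs a restart; `needs-restarting` from yum-utils performs the same kind of check for all updated packages.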