CentOS 8 Patch CVE-2023-4863
September 29, 2023

CVE-2023-4863: High Severity Vulnerability on libwebp

Operating Systems

CVE-2023-4863 is a high-severity vulnerability in libwebp, the reference library for Google's WebP image format. libwebp is used by, or bundled with, a wide range of open source software, including NGINX, Joomla, WordPress, Node.js and CentOS Linux versions 7 and 8.

In this blog, learn about CVE-2023-4863 and the new security patch from OpenLogic that is available to customers with CentOS 8 long-term support.

What is CVE-2023-4863?

In September 2023, Google issued a new CVE for the libwebp bug, CVE-2023-5129, with the highest possible CVSS score of 10 out of 10. On September 27, CVE-2023-5129 was marked rejected in the NVD as a duplicate of CVE-2023-4863. CVE-2023-4863 had originally been filed against Google Chrome; it now covers the libwebp vulnerability itself and its impact on every product that embeds the library.

CVE-2023-4863 carries a CVSS v3 base score of 8.8 (High) and is described as a heap buffer overflow in the WebP codec: a crafted lossless WebP image causes libwebp's decoder to write past the end of a heap buffer while building its Huffman decoding tables. Google reported that an exploit was already in use in the wild when the fix shipped, and the upstream fix is in libwebp 1.3.2. WebP is an image file format used to compress, archive, and distribute images, and libwebp is the library that gives applications WebP support, so any program that decodes images from untrusted sources through it is exposed.

A heap buffer overflow occurs when a program writes beyond the bounds of a buffer it allocated in dynamically managed memory (the heap). It typically results from inadequate input validation, for example trusting a size or count read from the file being parsed, or from errors in memory management. An attacker can use the out-of-bounds write to corrupt adjacent heap data and allocator metadata; a crash (denial of service) is the minimum outcome, and in the worst case the corruption leads to arbitrary code execution in the context of the process doing the decoding.
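The following is an added illustrative example, not libwebp's code and not the patch described in this post. It shows the shape of the bug class: a toy decoder reads an entry count from the input and fills a heap-allocated lookup table, in the same way an image codec builds tables from header fields. The "unchecked" variant trusts the count and overflows the heap buffer on a crafted input; the "checked" variant bounds the write against the allocation it was actually given. The file layout, the 16-entry table size and the function names are assumptions made up for the example.

```c
/* Added illustrative example, not libwebp's code: a toy table decoder that
 * fills a heap-allocated lookup table from untrusted input. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define TABLE_CAPACITY 16  /* assumed fixed table size for the example */

typedef struct {
    uint8_t *entries;   /* heap allocation of `capacity` bytes */
    size_t   capacity;
    size_t   count;     /* entries actually filled */
} Table;

static Table *table_new(size_t capacity) {
    Table *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->entries = calloc(capacity, 1);
    if (!t->entries) { free(t); return NULL; }
    t->capacity = capacity;
    return t;
}

static void table_free(Table *t) {
    if (!t) return;
    free(t->entries);
    free(t);
}

/* VULNERABLE: the first input byte declares how many entries follow and is
 * used as the loop bound. Truncated input is rejected, but nothing compares
 * `declared` to t->capacity, so a crafted file with declared > capacity
 * writes past the end of the heap buffer. Returns 0 on success, -1 on
 * truncated input. */
static int fill_table_unchecked(Table *t, const uint8_t *in, size_t in_len) {
    if (in_len < 1) return -1;
    size_t declared = in[0];
    if (in_len < 1 + declared) return -1;
    for (size_t i = 0; i < declared; i++)
        t->entries[i] = in[1 + i];      /* out-of-bounds once i >= capacity */
    t->count = declared;
    return 0;
}

/* HARDENED: the same parser with the missing capacity check. Returns 0 on
 * success, -1 on truncated input, -2 when the declared count exceeds the
 * allocation; the table is left untouched on failure. */
static int fill_table_checked(Table *t, const uint8_t *in, size_t in_len) {
    if (in_len < 1) return -1;
    size_t declared = in[0];
    if (in_len < 1 + declared) return -1;
    if (declared > t->capacity) return -2;
    for (size_t i = 0; i < declared; i++)
        t->entries[i] = in[1 + i];
    t->count = declared;
    return 0;
}

/* Builds a constructed input: one count byte followed by `declared` payload
 * bytes ('A', 'B', 'C', ...). Caller frees the buffer. */
static uint8_t *make_input(uint8_t declared, size_t *out_len) {
    *out_len = 1 + (size_t)declared;
    uint8_t *buf = malloc(*out_len);
    if (!buf) return NULL;
    buf[0] = declared;
    for (size_t i = 0; i < declared; i++) buf[1 + i] = (uint8_t)(0x41 + (i % 26));
    return buf;
}

int main(void) {
    Table *t = table_new(TABLE_CAPACITY);
    size_t benign_len, crafted_len;
    uint8_t *benign  = make_input(8,  &benign_len);   /* 8 entries: fits */
    uint8_t *crafted = make_input(64, &crafted_len);  /* 64 entries into 16 bytes */
    if (!t || !benign || !crafted) return 1;

    printf("benign  via checked: %d (count=%zu)\n",
           fill_table_checked(t, benign, benign_len), t->count);
    printf("crafted via checked: %d (rejected, count still %zu)\n",
           fill_table_checked(t, crafted, crafted_len), t->count);
    /* fill_table_unchecked(t, crafted, crafted_len) would return 0 and
     * corrupt the heap; run it only under AddressSanitizer to see the
     * overflow reported rather than silently corrupting memory. */
    free(benign);
    free(crafted);
    table_free(t);
    return 0;
}
```

The point of the pair is that the vulnerable function does validate its input, just not against the thing that matters: it checks that the file is long enough to hold the declared entries, but never that the destination is. Real decoders fail the same way when a count or size computed from header fields is used to index a buffer sized by a different rule, which is why fuzzing with AddressSanitizer, not code review alone, is the practical way to surface these bugs.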

OpenLogic Patch for CVE-2023-4863 Available

OpenLogic has published a patch that addresses CVE-2023-4863 on CentOS 8. OpenLogic customers with CentOS 8 LTS receive patches for high-severity CVEs after the distribution's end of life, and this one warrants immediate attention: libwebp is a shared library, so every process that decodes images through it carries the vulnerability. The patched package is available in the OpenLogic private repository; after installing it, restart any services that already have the library loaded so they pick up the fixed copy.

Need CentOS 8 Long-Term Support? 

CentOS LTS from OpenLogic includes patches for five years past EOL so you can migrate when you're ready.

Request a Quote

Additional Resources