September 29, 2023

CVE-2023-4863: Critical Vulnerability on libwebp

Operating Systems
Security

CVE 2023-4863 is a critical vulnerability impacting libwebp, a popular code library. libwebp is included in open source software such as NGINX, Joomla, WordPress, Node.js and CentOS Linux versions 7 and 8. 

In this blog, learn about CVE 2023-4863 and the new security patch from OpenLogic that is available to customers with CentOS 8 long-term support

What is CVE-2023-4863?

Google issued a new CVE, CVE-2023-5129, with the highest CVSS severity score of 10 out of 10, that score is considered the most critical exploitable vulnerability in software. On September 27, CVE-2023-5129 was rejected citing duplication with CVE-2023-4863 which now includes information about the libwebp vulnerability and critical impact.

Still a high-severity vulnerability, CVE-2023-4863 has a CVSS v3 score of 8.8 described as a Heap Buffer Overflow vulnerability in the WebP codec. WebP is used as an effective image file format to compress, archive, and distribute images. The libwebp library allows applications to support WebP file formats.

A Heap Buffer Overflow vulnerability arises when a program exceeds the allocated memory capacity within a dynamically assigned memory region (heap). This typically results from inadequate input validation or errors in memory administration. Malicious actors can exploit this to overwrite essential heap data structures, potentially leading to malicious program behavior.

OpenLogic Patch for CVE-2023-4863 Available

OpenLogic has published a new patch to address CVE-2023-4863 on CentOS 8. OpenLogic customers with CentOS 8 LTS receive patches for high-severity CVEs post end-of-life and this one requires immediate attention. OpenLogic customers can access the latest patch in the OpenLogic private repository. 

Need CentOS 8 Long-Term Support? 

OpenLogic LTS provides support for five years past EOL, with technical support and professional services. 

Get Support for CentOS 8

Additional Resources