Advisory: libwebp critical vulnerability

Informational
CVE(s): CVE-2023-4863
Updated:
Product(s): Cloud Optix, Intercept X Endpoint, Intercept X for Server, Sophos Central, Sophos Connect Client 2.0, Sophos Email, Sophos Email Appliance (SEA), Sophos Firewall, Sophos Home, Sophos Mobile, Sophos RED, Sophos Switch, Sophos UTM, Sophos Wireless, Sophos ZTNA, SophosLabs Intelix
Publication ID: sophos-sa-20231002-libwebp-vuln
Article Version: 2
First Published:
Workaround: No

Overview

On Wednesday, September 13, 2023, the WebP project released version 1.3.2 of libwebp, containing a fix for a critical severity vulnerability. The vulnerability has been exploited in some industry applications, but we have no indication at this point that any Sophos products are affected.

Libwebp is a codec library for handling WebP media streams. It is integrated in, among others, the Chrome browser and all its derivatives. As a result, a large number of industry applications are potentially affected by this vulnerability.

Patches for libwebp

The fix is included in the following releases:

What Sophos products are affected?

Sophos is reviewing and patching all affected applications and services as part of its incident response process.

| Product or Service | Status | Description |
|---|---|---|
| Sophos Cloud Optix | Not affected | Component not present |
| SG UTM (all versions) | Not affected | Component not present |
| Sophos Central | Not affected | Vulnerable code not in execute path |
| Sophos Endpoint protection (Windows) | Not affected | Component not present |
| Sophos Endpoint protection (macOS) | Not affected | Component not present |
| Sophos Endpoint protection (Linux) | Not affected | Vulnerable code not in execute path |
| Sophos Email | Not affected | Component not present |
| Sophos Firewall (all versions) | Not affected | Component not present |
| SophosConnect client | Not affected | Component not present |
| Sophos Home (Windows) | Not affected | Component not present |
| Sophos Home (macOS) | Not affected | Component not present |
| Sophos Mobile | Not affected | Component not present |
| Sophos Mobile EAS Proxy | Not affected | Component not present |
| Sophos Mobile Control app (iOS + Android) | Not affected | Component not present |
| Sophos Intercept X for Mobile app (iOS + Android) | Not affected | Component not present |
| Sophos Secure Email app (iOS + Android) | Not affected | Component not present |
| Sophos Secure Workspace app (iOS + Android) | Not affected | Component not present |
| Sophos Chrome Security | Not affected | Component not present |
| Sophos PhishThreat | Not affected | Component not present |
| Sophos RED | Not affected | Component not present |
| Sophos AP/APX | Not affected | Component not present |
| Sophos Wireless | Not affected | Component not present |
| Sophos ZTNA | Not affected | Component not present |
| Sophos Switch | Not affected | Component not present |
| Sophos Central Managed APX | Not affected | Component not present |
| SophosLabs Intelix | Not affected | Component not present |
| Sophos SASI (AntiSpam) | Not affected | Component not present |
| SAV DI | Not affected | Component not present |
| SUSI | Not affected | Component not present |
| AV Engine (all platforms) | Not affected | Component not present |