Informational
Advisory: libwebp critical vulnerability
CVE(s): CVE-2023-4863
Product(s): Cloud Optix, Sophos Endpoint, Sophos Central, Sophos Connect Client 2.0, Sophos Email, Sophos Email Appliance (SEA), Sophos Firewall, Sophos Home, Sophos Mobile, Sophos RED, Sophos Switch, Sophos UTM, Sophos Wireless, Sophos ZTNA, SophosLabs Intelix
Updated: 2023 Oct 31
Article version: 2
First published: 2023 Oct 3
Publication ID: sophos-sa-20231002-libwebp-vuln
Workaround: No
Overview
On Wednesday, September 13, 2023, the WebP project released libwebp version 1.3.2, which contains a fix for a critical-severity vulnerability, CVE-2023-4863. The vulnerability has been exploited against some industry applications, but we have no indication that any Sophos products are affected at this point.
libwebp is the reference codec library for the WebP image format. It is integrated in, among other software, the Chrome browser and all Chromium-based browsers, so a large number of industry applications are potentially affected by this vulnerability.
Patches for libwebp
The fix is included in the following release:
libwebp version 1.3.2: https://github.com/webmproject/libwebp/releases/tag/v1.3.2
List of other software affected by this vulnerability (third-party gist): https://gist.github.com/mttaggart/02ed50c03c8283f4c343c3032dd2e7ec
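The advisory names libwebp 1.3.2 as the fixed release. The following script is an added example (not part of the Sophos advisory) for checking whether a host's libwebp is at or above that version. It assumes a POSIX shell; the discovery step assumes the package names libwebp7 (Debian/Ubuntu) and libwebp (RPM-based distributions) and only runs pkg-config, dpkg-query or rpm if they are present. Version strings used in the comments are constructed samples.

```shell
#!/bin/sh
# Added example: compare an installed libwebp version against the fixed
# release 1.3.2 named in the advisory. Not Sophos code.

FIXED_VERSION="1.3.2"

# upstream_version VER: strip a Debian-style epoch ("1:") and any packaging
# revision or suffix ("-0.2+deb12u1", "~rc1"), leaving the upstream version.
upstream_version() {
    v="${1#*:}"
    v="${v%%[-+~]*}"
    printf '%s\n' "$v"
}

# version_ge A B: return 0 if dotted version A >= B, 1 otherwise.
# Fields are compared numerically; missing fields count as 0 and any
# non-digit tail of a field (e.g. "2rc1") is ignored.
version_ge() {
    _a="$1"; _b="$2"
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x="${_a%%.*}"; _y="${_b%%.*}"
        _x="${_x%%[!0-9]*}"; _y="${_y%%[!0-9]*}"
        : "${_x:=0}"; : "${_y:=0}"
        if [ "$_x" -gt "$_y" ]; then return 0; fi
        if [ "$_x" -lt "$_y" ]; then return 1; fi
        case "$_a" in *.*) _a="${_a#*.}" ;; *) _a="" ;; esac
        case "$_b" in *.*) _b="${_b#*.}" ;; *) _b="" ;; esac
    done
    return 0
}

# classify_version VER: print "fixed" if the upstream version is >= 1.3.2,
# otherwise "below-fixed". A below-fixed distro package may still carry a
# backported fix; confirm against the distribution's own advisory.
classify_version() {
    u=$(upstream_version "$1")
    if version_ge "$u" "$FIXED_VERSION"; then
        echo fixed
    else
        echo below-fixed
    fi
}

# installed_libwebp_version: print the first libwebp version found via
# pkg-config, dpkg or rpm (assumed package names); return 1 if none found.
installed_libwebp_version() {
    if command -v pkg-config >/dev/null 2>&1; then
        v=$(pkg-config --modversion libwebp 2>/dev/null) && [ -n "$v" ] && { echo "$v"; return 0; }
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}' libwebp7 2>/dev/null) && [ -n "$v" ] && { echo "$v"; return 0; }
    fi
    if command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' libwebp 2>/dev/null) && [ -n "$v" ] && { echo "$v"; return 0; }
    fi
    return 1
}

# main: report the installed libwebp status; always exits 0 so the script
# is safe to run from inventory tooling that treats non-zero as an error.
main() {
    if v=$(installed_libwebp_version); then
        echo "libwebp $v: $(classify_version "$v") (fixed release is $FIXED_VERSION)"
    else
        echo "libwebp: no system package found (check application bundles that ship their own copy)"
    fi
    return 0
}

main "$@"
```

Two caveats apply when reading the result. First, distributions frequently backport the fix without bumping the upstream version, so "below-fixed" for a distro package means "check the distro advisory", not "vulnerable". Second, libwebp is commonly statically linked or bundled inside applications (browsers, Electron apps, image tooling), which this check does not see; those need to be inventoried via the application vendor's own advisories.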
What Sophos products are affected?
Sophos is reviewing and patching all affected applications and services as part of its incident response process.
| Product or Service | Status | Description |
|---|---|---|
| Sophos Cloud Optix | Not affected | Component not present |
| SG UTM (all versions) | Not affected | Component not present |
| Sophos Central | Not affected | Vulnerable code not in execute path |
| Sophos Endpoint protection (Windows) | Not affected | Component not present |
| Sophos Endpoint protection (macOS) | Not affected | Component not present |
| Sophos Endpoint protection (Linux) | Not affected | Vulnerable code not in execute path |
| Sophos Email | Not affected | Component not present |
| Sophos Firewall (all versions) | Not affected | Component not present |
| SophosConnect client | Not affected | Component not present |
| Sophos Home (Windows) | Not affected | Component not present |
| Sophos Home (macOS) | Not affected | Component not present |
| Sophos Mobile | Not affected | Component not present |
| Sophos Mobile EAS Proxy | Not affected | Component not present |
| Sophos Mobile Control app (iOS + Android) | Not affected | Component not present |
| Sophos Intercept X for Mobile app (iOS + Android) | Not affected | Component not present |
| Sophos Secure Email app (iOS + Android) | Not affected | Component not present |
| Sophos Secure Workspace app (iOS + Android) | Not affected | Component not present |
| Sophos Chrome Security | Not affected | Component not present |
| Sophos PhishThreat | Not affected | Component not present |
| Sophos RED | Not affected | Component not present |
| Sophos AP/APX | Not affected | Component not present |
| Sophos Wireless | Not affected | Component not present |
| Sophos ZTNA | Not affected | Component not present |
| Sophos Switch | Not affected | Component not present |
| Sophos Central Managed APX | Not affected | Component not present |
| SophosLabs Intelix | Not affected | Component not present |
| Sophos SASI (AntiSpam) | Not affected | Component not present |
| SAV DI | Not affected | Component not present |
| SUSI | Not affected | Component not present |
| AV Engine (all platforms) | Not affected | Component not present |
Related Information
Sophos Responsible Disclosure Policy
To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.