Broadcom API Gateway 10.1 - Libwebp vulnerability CVE-2023-2077

Article ID: 274149

Updated On: 04-24-2025

Products

CA API Gateway

Issue/Introduction

There is a recent vulnerability affecting certain versions of Libwebp.

CVE-2023-2077 Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-2077

Affected versions are < 1.3.1.

The Gateway 10.1 Appliance uses libwebp version 0.3.0.

Is there a security concern/risk?

Environment

Gateway 10.1

Cause

Certain versions of Libwebp from Webmproject contain the following vulnerability:

"... there exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free ..."
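To make the bug class in the quoted description concrete, the following is an added example (written for this article, not libwebp's code) that models the ownership pattern it describes: a best candidate and a trial candidate share a buffer after best = trial, and an encoder failure on a later pass sends the error path through a cleanup that releases the same buffer twice. A small tracking allocator (Heap, heap_alloc, heap_free) stands in for the real heap so the double free is counted rather than crashing the process; the names Candidate, run_encoder and leaks_after, and the score values, are all constructed for the example. With fixed set, the loop clears a handle as soon as ownership moves or the buffer is released, which is the general remedy for this aliasing pattern.

```c
#include <limits.h>
#include <stdio.h>

#define MAX_SLOTS 16

/* Tracking "heap" (constructed for this example): each buffer is a slot index;
   freeing a slot that is not live counts as a double free instead of
   corrupting a real allocator. */
typedef struct {
    int live[MAX_SLOTS];
    int next;           /* next unused slot index */
    int double_frees;   /* frees of a slot that was already released */
} Heap;

static int heap_alloc(Heap *h)
{
    if (h->next >= MAX_SLOTS) return -1;   /* simulated out-of-memory */
    h->live[h->next] = 1;
    return h->next++;
}

static void heap_free(Heap *h, int slot)
{
    if (slot < 0) return;                  /* "null" handle: nothing to release */
    if (!h->live[slot]) { h->double_frees++; return; }
    h->live[slot] = 0;
}

static int heap_leaks(const Heap *h)
{
    int n = 0;
    for (int i = 0; i < h->next; i++) n += h->live[i];
    return n;
}

/* A candidate encoding: the buffer it owns (slot) and its quality score
   (lower is better), mirroring the best/trial pair in the description. */
typedef struct { int slot; int score; } Candidate;

/* Runs the candidate loop over n trial scores. fail_at is the pass on which the
   simulated encoder fails (-1 = never). With fixed == 0 the loop keeps the
   aliasing bug; with fixed != 0 it clears a handle once ownership has moved or
   the buffer has been released. Returns the number of double frees observed;
   *leaks (if non-NULL) receives the number of buffers never released. */
static int run_encoder(int fixed, const int *scores, int n, int fail_at, int *leaks)
{
    Heap h = {{0}, 0, 0};
    Candidate best = { -1, INT_MAX };
    Candidate trial = { -1, INT_MAX };
    int ok = 1;

    for (int i = 0; i < n; i++) {
        int slot;
        if (i == fail_at || (slot = heap_alloc(&h)) < 0) {
            /* Encoder error (e.g. out of memory): trial is left untouched and
               still holds whatever handle it had from the previous pass. */
            ok = 0;
            break;
        }
        trial.slot = slot;
        trial.score = scores[i];
        if (trial.score < best.score) {
            heap_free(&h, best.slot);    /* release the previous best */
            best = trial;                /* ownership moves to best ... */
            if (fixed) trial.slot = -1;  /* ... so trial must no longer alias it */
        } else {
            heap_free(&h, trial.slot);   /* trial was worse: release it */
            if (fixed) trial.slot = -1;  /* and forget the dangling handle */
        }
    }

    if (!ok) {
        /* Error path releases whatever the loop may still hold. In the buggy
           variant trial.slot aliases best.slot or an already released slot,
           which is the double free described in the advisory text. */
        heap_free(&h, trial.slot);
    }
    heap_free(&h, best.slot);            /* best is consumed and released in both paths */

    if (leaks) *leaks = heap_leaks(&h);
    return h.double_frees;
}

/* Convenience wrapper: only the leak count for a scenario. */
static int leaks_after(int fixed, const int *scores, int n, int fail_at)
{
    int leaks = 0;
    (void)run_encoder(fixed, scores, n, fail_at, &leaks);
    return leaks;
}

int main(void)
{
    static const int scores[] = { 5, 3, 4 };   /* constructed sample scores */
    int leaks = 0;
    int buggy = run_encoder(0, scores, 3, 1, &leaks);
    printf("buggy: double frees=%d leaks=%d\n", buggy, leaks);
    int good = run_encoder(1, scores, 3, 1, &leaks);
    printf("fixed: double frees=%d leaks=%d\n", good, leaks);
    return 0;
}
```

Running the program shows the buggy variant reporting one double free when the encoder fails on the second pass and none when every pass succeeds, which matches the description: the defect is only reachable through the error path, so a fuzzer or an AddressSanitizer build that can provoke encoder failures (such as allocation failure) is what surfaces it.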

Resolution

The updated (fixed) libwebp package ships as part of the Monthly Platform Update patch starting with the August 2023 release. Because the fix is delivered as a Red Hat errata that is backported into the existing package, the installed libwebp version string remains below 1.3.1 after the update; confirm the appliance's Monthly Platform Update level rather than comparing against the upstream version number.

Reference: https://access.redhat.com/errata/RHSA-2023:2077