What is the impact on Identity Manger / Suite(VAPP) around the CVE-2023-4863 and CVE-2023-5217 vulnerabilities?
Release : 14.4
Both of these CVE's are against Google Chrome.
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
The Identity Suite is not vulnerable to CVE-2023-4863 nor CVE-2023-5217
Engineering has confirmed that the problem libraries are not used anywhere in the Broadcom Identity Suite software and that we do not support or process images of webp format. This includes the linux distributions we provide with our VAPP deployments.
The recommendation is to update all browsers to the latest supported version avoid this vulnerability.